
Re: RFC: changes to default password strength checks in pam_unix



On Mon, Sep 03, 2007 at 05:45:49PM +0300, Lars Wirzenius wrote:
> On Mon, 2007-09-03 at 08:33 -0600, Wesley J. Landaker wrote:
> > Especially when the most common response I've seen to a system saying
> > that a password is not long enough is to start adding easily guessable
> > extension strings to the password the user already picked, NOT to sit
> > back down and think up a better, intrinsically longer password:
>
> That's true. Ideally, we would replace passwords with a better
> authentication system, but I'm not sure that's going to be feasible.

IMHO, user-supplied passwords are not appropriate to use over the Internet, because they _will_ be weak.

On most of my boxes, passwords are useless for anything except local authentication, and even for that, they aren't used much.

How about a Debian policy that enumerates the specific cases where passwords are allowed to be used for authentication, and states that password authentication must be disabled by default for everything else?

If you design the system so that it doesn't trust passwords much to begin with, you don't have to care about how strong the passwords are.

--
Dwayne C. Litzenberger <dlitz@dlitz.net>
