Hi,

On Sun, 23 Jul 2017 10:49:53 +0200 Philipp Kern <pk...@debian.org> wrote:
> It seems to me that today at least the guidance of mixed
> character classes still makes some sense as a default, to avoid the most
> obvious blunder of just using a simple dictionary word and be
> compromised over SSH because password authentication is turned on.

Okay, I agree with it.

> And change it to make brute force attacks harder.

But it also makes it harder for the administrator to remember, as a trade-off... (and they may choose an easy password as a result).

It's not a good idea to suggest changing the root password periodically, IMO. It's not a best practice.

1) Add a password check feature that checks whether the password has enough strength, like RHEL's anaconda or SUSE's installer.
2) Drop the suggestion to change the root password periodically from the message.

is better.

-- 
Regards,
Hideki Yamane henrich @ debian.or.jp/org
http://wiki.debian.org/HidekiYamane