On Wed 26 Jul 2017 at 17:00:12 +0100, Miguel Figueiredo wrote: > On 24-07-2017 11:38, Hideki Yamane wrote: > >Hi, > > > >On Sun, 23 Jul 2017 10:49:53 +0200 > >Philipp Kern <pk...@debian.org> wrote: > >>It seems to me that today at least the guidance of mixed > >>character classes still makes some sense as a default, to avoid the most > >>obvious blunder of just using a simple dictionary word and be > >>compromised over SSH because password authentication is turned on. > > > > Okay, I agree with it. > > > >>And change it to make brute force attacks harder. > > > > But it also makes administrator to remember it harder as its trade-off... > > (and they maybe choose easy password as a result). It's a not good idea > > to suggests to change root password periodically, IMO. It's not a best > > practice. > > > > 1) Add password check feature whether password has an enough strength > > like RHEL's anaconda or SUSE's installer. > > 2) Drop suggestion root password change periodically from message. > > > > is better. > > We have libpam-passwqc on the archive, which it's a "Password > quality-control PAM module". > I think it addresses the point of checking the password strength.
It possibly does, but isn't it more suitable as a solution to #854653 or #364526 rather than this bug (changing a password at periodic intervals, no matter how strong it is)? -- Brian.
