On Mon, Sep 03, 2007 at 12:04:52AM +0300, Lars Wirzenius wrote:
> On Sun, 2007-09-02 at 12:47 -0700, Steve Langasek wrote:
> > Does anyone else have a reasoned argument why Debian should have a weaker
> > password length check than upstream (4 chars instead of 6)? If not, this
> > will be changed in the next upload of pam.
> What's the justification of not using a minimum password length of 8?

Given modern processor power availability, I can't think of one; but I would
prefer to deal with this in two parts, first establishing whether we have a
good reason to use a /lower/ default than upstream, and then discussing with
upstream whether that default should be raised.

The upstream default of 6 has been around for at least 5 years, possibly as
long as a decade; and the code in question is inactive when pam_unix is
linked to cracklib, which I think most distributors other than Debian are
doing (we confine the use of libcracklib to the separate pam_cracklib
module, to keep cracklib out of base); so there probably isn't any modern
justification for this default at all.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/