On Thu, Jun 26, 2014 at 05:28:37PM +0000, Karl Berry wrote:
> http://savannah.gnu.org/support/?108600
> ...
> The password I was choosing should be plenty strong for this.
>
> I admit I have some sympathy with the view that our password
> requirements are too stringent. How about requiring only two classes
> for eight-char passwords instead of three? Sure, it is weaker, but
> there's a tradeoff between pain for users (high) and likelihood of a bad
> guy ever getting the encrypted passwords (low). Besides, if a bad guy
> does get the encrypted pws, that probably means they have root on
> savannah and our problems are a lot worse than 2-class vs. 3-class
> passwords.
Just a couple notes:

- it's meant to support easy-to-remember https://xkcd.com/936/

- last time we got a compromise (2010), the user had the encrypted
  passwords (through SQL injection), but he didn't get root.

--
Sylvain
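To put numbers on the tradeoff the two messages argue over (8-char passwords with two vs. three character classes, against the xkcd 936 passphrase style), here is an added example that is not part of the thread or of Savannah's code; it assumes the four usual character classes and, as in xkcd 936, a 2048-word dictionary (11 bits per word).

```python
import math
import string

# Assumed character classes; Savannah's actual definition is not in the thread.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def char_classes(pw):
    """Return the set of class names present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def meets_policy(pw, min_len=8, min_classes=3):
    """Karl's proposal is min_classes=2; the policy he objects to is 3."""
    return len(pw) >= min_len and len(char_classes(pw)) >= min_classes


def search_space_bits(length, classes):
    """Upper bound on guessing effort: every position drawn uniformly from
    the union of the given classes (a 'compliant' password is a subset of
    this space, and real users pick far from uniformly)."""
    alphabet = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet)


def passphrase_bits(words, dictionary_size=2048):
    """xkcd 936 model: each word chosen uniformly from the dictionary."""
    return words * math.log2(dictionary_size)


if __name__ == "__main__":
    # Constructed sample passwords, not anything from the thread.
    for pw in ("password", "passw0rd", "Passw0rd"):
        print(pw, sorted(char_classes(pw)),
              "2-class:", meets_policy(pw, min_classes=2),
              "3-class:", meets_policy(pw, min_classes=3))
    print("8 chars, lower+digit    :", round(search_space_bits(8, ["lower", "digit"]), 1), "bits")
    print("8 chars, lower+upper+dig:", round(search_space_bits(8, ["lower", "upper", "digit"]), 1), "bits")
    print("4 words from 2048       :", passphrase_bits(4), "bits")
```

The comparison shows the gap between the two 8-char rules is a few bits, while a four-word passphrase lands in between, which is the point Sylvain's first note is making.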