- it's meant to support easy-to-remember https://xkcd.com/936/
In practice there are plenty of complaints about it and always have
been. I don't find the cartoon especially convincing :).
- last time we got a compromise (2010), the user had the encrypted
passwords (through SQL injection), but he didn't get root.
I'd forgotten that. It's a valid point.
I won't push it, just bringing it up.
karl
