On 2018/12/10 06:49, Sebastien Marie wrote:
> On Sun, Dec 09, 2018 at 09:14:38PM -0500, Ted Unangst wrote:
> > These patterns try to detect a1a1a1 style passwords. By making the regex a bit
> > more flexible we can just use one. Also now catches mMmMmM fwiw.
>
> it will also catch any password composed of only letters and digits
> from 2 to 8 chars (need even numbers of chars).
>
> like: aRgh675P or 78Ytgs7A
>
> but I am unsure if it is bad or not. I think any password with only 8
> chars is bad now.

...so ab34cd5 is accepted straight away, but ab34cd56 trips the default "please use a more complicated password or type it in three times" check. Seems like the external "passwordcheck" login.conf option might be a better place for people who have requirements beyond the current scheme?
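
The trade-off discussed in this thread, as an added example that is not part of the original messages or of the patch: it runs the passwords quoted above through POSIX extended regexes. The three patterns are assumptions reconstructed from the descriptions in the thread (the patch's own regexes are not quoted here), and the function names are hypothetical.

```c
#include <regex.h>
#include <stdio.h>

/* Constructed patterns, not taken from the patch under discussion.
 * NARROW_*: strict letter/digit alternation, the "a1a1a1" shape only.
 * BROAD: what the reply describes, 1 to 4 pairs of any letters or digits. */
static const char *NARROW_LD = "^([a-z][0-9]){1,4}$";
static const char *NARROW_DL = "^([0-9][a-z]){1,4}$";
static const char *BROAD = "^([A-Za-z0-9][A-Za-z0-9]){1,4}$";

/* Return 1 if pw matches the regex, 0 if it does not, -1 on a bad pattern. */
static int matches(const char *pattern, const char *pw)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, pw, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* A password is flagged when the quality check would reject it as too simple. */
static int flagged_narrow(const char *pw)
{
    return matches(NARROW_LD, pw) == 1 || matches(NARROW_DL, pw) == 1;
}

static int flagged_broad(const char *pw)
{
    return matches(BROAD, pw) == 1;
}

int main(void)
{
    /* Sample passwords quoted in the thread. */
    const char *samples[] = { "a1a1a1", "mMmMmM", "aRgh675P",
                              "78Ytgs7A", "ab34cd5", "ab34cd56" };
    size_t i;

    printf("%-10s %-7s %s\n", "password", "narrow", "broad");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-10s %-7s %s\n", samples[i],
            flagged_narrow(samples[i]) ? "flag" : "-",
            flagged_broad(samples[i]) ? "flag" : "-");
    return 0;
}
```

The pair-based quantifier is what makes the result depend on length parity: a seven-character alphanumeric password falls outside the pattern while the eight-character one with an extra character is flagged.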