Stuart Henderson <s...@spacehopper.org> wrote:

> On 2018/12/10 06:49, Sebastien Marie wrote:
> > On Sun, Dec 09, 2018 at 09:14:38PM -0500, Ted Unangst wrote:
> > > These patterns try to detect a1a1a1 style passwords. By making the regex a bit
> > > more flexible we can just use one. Also now catches mMmMmM fwiw.
> > 
> > it will also catch any password composed of only letters and digits
> > from 2 to 8 chars (need even numbers of chars).
> > 
> > like: aRgh675P or 78Ytgs7A
> > 
> > but I am unsure if it is bad or not. I think any password with only 8
> > chars is bad now.
> 
> ...so ab34cd5 is accepted straight away, but ab34cd56 trips the default
> "please use a more complicated password or type it in three times" check.
> 
> Seems like the external "passwordcheck" login.conf option might be a
> better place for people who have requirements beyond the current scheme?

I've never understood the principle behind such password checkers.

Should there not be a corresponding diff to jack the ripper to de-prioritize
checking the passwords matched by this check, so that it can more quickly
check the decreased space allowed to users?

In other words, I'm incredibly cynical about any approach which decreases
the available space.  Seems to obviously stand against the principle.
