Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20210204185400.GA26790@openwall.com>
Date: Thu, 4 Feb 2021 19:54:00 +0100
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: pam_passwdqc policy description in new password prompt

On Fri, Jan 22, 2021 at 03:37:08PM +0100, Solar Designer wrote:
> OTOH, the changes in the wording are maybe to the better - the previous
> wording might have encouraged use of passwords of exactly those minimum
> lengths.  Now we use wording "that consists of" and "containing", which
> implies it's at least OK for the password not to be limited to that.  As
> a further improvement, I think we should change "that consists of" to
> "containing", too.  So if we can, I'd like to see:
> 
> ---
> A valid password should be a mix of upper and lower case letters,
> digits, and other characters.  You can use a password containing
> 8 characters from at least 3 of these 4 classes, or a password
> containing 7 characters from all the classes.
> 
> An upper case letter that begins the password and a digit that ends
> it do not count towards the number of character classes used.
> ---

BTW, related:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835067

"libpam-passwdqc: improvements(?) to password prompting"

This is a patch against 1.3.0 that changes the wordings in some ways.
I didn't review it, but I think it's worth taking another look at when
revising the wording further.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.