Message-ID: <20210204185400.GA26790@openwall.com>
Date: Thu, 4 Feb 2021 19:54:00 +0100
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: pam_passwdqc policy description in new password prompt

On Fri, Jan 22, 2021 at 03:37:08PM +0100, Solar Designer wrote:
> OTOH, the changes in the wording are maybe to the better - the previous
> wording might have encouraged use of passwords of exactly those minimum
> lengths.  Now we use wording "that consists of" and "containing", which
> implies it's at least OK for the password not to be limited to that.  As
> a further improvement, I think we should change "that consists of" to
> "containing", too.  So if we can, I'd like to see:
> 
> ---
> A valid password should be a mix of upper and lower case letters,
> digits, and other characters.  You can use a password containing
> 8 characters from at least 3 of these 4 classes, or a password
> containing 7 characters from all the classes.
> 
> An upper case letter that begins the password and a digit that ends
> it do not count towards the number of character classes used.
> ---

BTW, related:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835067

"libpam-passwdqc: improvements(?) to password prompting"

This is a patch against 1.3.0 that changes the wordings in some ways.
I didn't review it, but I think it's worth taking another look at when
revising the wording further.

Alexander
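
Added example, not part of the original message and not passwdqc's own code: a minimal C sketch of the two rules stated in the quoted prompt text, showing how a leading upper case letter and a trailing digit drop out of the class count. The function names are hypothetical, input is assumed to be ASCII, and the length thresholds are those in the quoted wording; none of passwdqc's other checks are modelled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Minimum lengths as given in the quoted prompt wording. */
#define MIN_LEN_3_CLASSES 8
#define MIN_LEN_4_CLASSES 7

enum { CLASS_LOWER = 1, CLASS_UPPER = 2, CLASS_DIGIT = 4, CLASS_OTHER = 8 };

static int char_class(unsigned char c)
{
    if (islower(c)) return CLASS_LOWER;
    if (isupper(c)) return CLASS_UPPER;
    if (isdigit(c)) return CLASS_DIGIT;
    return CLASS_OTHER;
}

/* Hypothetical helper: classes used, ignoring an upper case first
 * character and a digit last character, as the prompt describes. */
int count_classes(const char *pw)
{
    size_t len = strlen(pw), i;
    int seen = 0, n = 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (i == 0 && isupper(c)) continue;       /* leading capital */
        if (i == len - 1 && isdigit(c)) continue; /* trailing digit */
        seen |= char_class(c);
    }
    for (; seen; seen >>= 1) n += seen & 1;       /* count set bits */
    return n;
}

/* Hypothetical helper: 1 if the password meets either stated rule. */
int prompt_policy_ok(const char *pw)
{
    size_t len = strlen(pw);
    int classes = count_classes(pw);
    return (classes == 4 && len >= MIN_LEN_4_CLASSES) ||
           (classes >= 3 && len >= MIN_LEN_3_CLASSES);
}

int main(void)
{
    const char *samples[] = { "Passw0rd", "pAssw0rd", "pA5$wrd", "pA5wrdx" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s classes=%d ok=%d\n", samples[i], count_classes(samples[i]), prompt_policy_ok(samples[i]));
    return 0;
}
```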
