Your message dated Fri, 3 May 2024 21:42:01 +0200
with message-id <20240503214201.b0b389be5197d4a9d1253...@mailbox.org>
and subject line Uploading user-setup: update password selection advice
has caused the Debian Bug report #1064617,
regarding Passwords should not be changed frequently
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1064617: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064617
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: debian-installer
I just did an installation with the 2024-02-24
debian-testing-amd64-netinst.iso image. I forget the exact wording
used, but when setting up a user, d-i printed advice that user passwords
should be changed frequently. This is no longer current good advice
(since 2017):
"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily
(e.g., periodically). However, verifiers SHALL force a change if there
is evidence of compromise of the authenticator."
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
I happen to like their suggestion of providing a password-strength meter,
but that would be a separate bug. This bug is simply a request to remove
this outdated suggestion text from d-i.
--- End Message ---
--- Begin Message ---
Version: 1.97
Forgot to mention bug closure in changelog before uploading, so closing now
manually.
--
Holger Wansing <hwans...@mailbox.org>
PGP-Fingerprint: 496A C6E8 1442 4B34 8508 3529 59F1 87CA 156E B076
--- End Message ---
