On Tue, Jul 25, 2017 at 11:22:19PM +0200, Philipp Kern wrote:
> On 07/24/2017 12:38 PM, Hideki Yamane wrote:
> >  But it also makes it harder for the administrator to remember as its trade-off...
> >  (and they may choose an easy password as a result). It's not a good idea
> >  to suggest changing the root password periodically, IMO. It's not a best
> >  practice.
>
> I'd say it's one of two things: If it's easy, make sure to change it
> periodically. If it's hard enough to withstand brute-force, you don't
> need to.

The problem with regular-change policies is that they *encourage* easy passwords, since if you want to remember something generated by "pwgen -s 15" or some such, it will take you quite a while to do so, and by that time it may be time to renew it again.

-- 
Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008 Hacklab