2014-06-26 23:35 GMT+02:00 Karl Berry <k...@freefriends.org>:

> - it's meant to support easy-to-remember https://xkcd.com/936/
>
> In practice there are plenty of complaints about it and always have
> been. I don't find the cartoon especially convincing :).
>
> - last time we got a compromise (2010), the user had the encrypted
> passwords (through SQL injection), but he didn't get root.
>
> I'd forgotten that. It's a valid point.
>
+1

I think that the requirements on passwd are good. Maybe we could just explain how to craft a password fulfilling the requirements which does not imply a headache.

My usual favorite being to use the initial letter of each word of a phrase (possibly long) and replace 'to' with '2' or drop a '+' or '-' as separator and drop in some number of space for punctuation. This usually fulfils most of the "strong" passwd requirements and does not require a lot for remembering it.

Moreover, if the passwd recovery process is efficient, forgetting a passwd is not that bad. I'm speaking of passwd for the average project user, not for sys admin of course.

My 2 c.:
Keep string requirement.
Give more advice about how to 'create' strong passwd.

--
Erk
L'élection n'est pas la démocratie -- http://www.le-message.org