Nearly two years after Alejandro Colomar reported this issue, the Debian
installer is still giving people this bad advice: "A good password will
contain a mixture of letters, numbers and punctuation and should be
changed at regular intervals."

Alejandro explained at length why this advice about what's /in/ the
password is wrong, but he didn't address at all the other, perhaps even
more significant reason why this is wrong: we now know, absolutely and
unequivocally, that telling people to change their passwords regularly
makes security worse rather than better.

I understand that Debian may not be the most security-focused Linux
distribution, but can we please move Debian forward into the 21st
Century on this issue, at least, by updating the messaging in the
installer to give better advice?

Thank you.
- Bug#998408: "good password" advice in installer ... Jonathan Kamens