Philipp Kern <pk...@debian.org> writes: > On 07/24/2017 12:38 PM, Hideki Yamane wrote: >> But it also makes administrator to remember it harder as its trade-off... >> (and they maybe choose easy password as a result). It's a not good idea >> to suggests to change root password periodically, IMO. It's not a best >> practice. > > I'd say it's one of two things: If it's easy, make sure to change it > periodically. If it's hard enough to withstand brute-force, you don't > need to. > > As I said: I'm totally with you that in a standard setup it'd great for > that not to be necessary. Unfortunately the standard setup does not ship > with the mitigating controls.
I was under the impression that there was quite a lot of evidence to demonstrate that regular-change policies are a security disaster. Continuing to recommend such an approach strikes me as pure inertia. If we want to recommend that people change their passwords later if they are incapable of choosing a good one immediately, that seems like good advice, but advising regular changes is just encouraging people to consume their often quite limited ability to remember decent passwords, with the almost inevitable result being that they'll either start choosing poor passwords, or recording them somewhere insecure, neither of which are better than keeping a decent password that they can remember. Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd. |-| http://www.hands.com/ http://ftp.uk.debian.org/ |(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
signature.asc
Description: PGP signature