Bug#998408: "good password" advice in installer is still bad two years after this was reported

2023-09-08 Thread Brian Potkin
On Thu 07 Sep 2023 at 01:27:23 +0200, Philip Hands wrote:

> Jonathan Kamens writes:
> 
> > Oh, I see now that the fact that the installer shouldn't recommend 
> > changing one's password regularly was also reported previously, in bug 
> > #868869.
> 
> Also, in #656509 (in which Cyril states that the effort of translating a
> new message outweighs the importance of the change).
> 
> I've no idea if that justification for inaction still stands, but I
> thought this would make a nice little example for the use of the
> salsa-CI pipeline (and my branch2repo variant of that), so here's an MR:
> 
>   https://salsa.debian.org/installer-team/user-setup/-/merge_requests/7
> 
> and here's a screenshot of what the change looks like:
> 
>   https://openqa.debian.net/tests/185853#step/passwords/1
> 
> I'm not 100% happy with the wording (and the underlines around 'should'
> need to go) so I'm very likely to tweak it tomorrow.
> 
> Suggestions for improvement welcome, although be aware that given the
> resistance to fixing this in the past, it's always possible such a
> change will also be deemed unjustified now.
> 
> I think it's probably about time we fixed it, since even the civil
> servants in the UK have stopped recommending password changes by now,
> and they tend to make such changes at least a decade late. ;-)

The password strength advice in d-i has been there from the year dot.
Irrespective of what GCHQ and others say now, it was a load of nonsense
then and remains so.

The vast majority of users ignore it; some might schedule a password
change at the same time they change the locks on all outside doors of
their residence or on their cars.

Debian has no need to offer password advice (as opposed to root vs sudo).
So leave it there as a historical oddity or delete the d-i advice. The
latter route does not involve anyone in any great effort to maintain
the status quo.

-- 
Brian.



Bug#998408: "good password" advice in installer is still bad two years after this was reported

2023-09-06 Thread Philip Hands
Jonathan Kamens writes:

> Oh, I see now that the fact that the installer shouldn't recommend 
> changing one's password regularly was also reported previously, in bug 
> #868869.

Also, in #656509 (in which Cyril states that the effort of translating a
new message outweighs the importance of the change).

I've no idea if that justification for inaction still stands, but I
thought this would make a nice little example for the use of the
salsa-CI pipeline (and my branch2repo variant of that), so here's an MR:

  https://salsa.debian.org/installer-team/user-setup/-/merge_requests/7

and here's a screenshot of what the change looks like:

  https://openqa.debian.net/tests/185853#step/passwords/1

I'm not 100% happy with the wording (and the underlines around 'should'
need to go) so I'm very likely to tweak it tomorrow.

Suggestions for improvement welcome, although be aware that given the
resistance to fixing this in the past, it's always possible such a
change will also be deemed unjustified now.

I think it's probably about time we fixed it, since even the civil
servants in the UK have stopped recommending password changes by now,
and they tend to make such changes at least a decade late. ;-)

Cheers, Phil.
-- 
Philip Hands -- https://hands.com/~phil




Bug#998408: "good password" advice in installer is still bad two years after this was reported

2023-09-02 Thread Jonathan Kamens
Nearly two years after Alejandro Colomar reported this issue, the Debian 
installer is still giving people this bad advice: "A good password will 
contain a mixture of letters, numbers and punctuation and should be 
changed at regular intervals."


Alejandro explained at length why this advice about what's /in/ the 
password is wrong, but he didn't address at all the other, perhaps even 
more significant reason why this is wrong: we now know, absolutely and 
unequivocally, that telling people to change their passwords regularly 
makes security worse rather than better.


I understand that Debian may not be the most security-focused Linux 
distribution, but can we please move Debian forward into the 21st 
Century on this issue, at least, by updating the messaging in the 
installer to give better advice?


Thank you.



Bug#998408: "good password" advice in installer is still bad two years after this was reported

2023-09-02 Thread Jonathan Kamens
Oh, I see now that the fact that the installer shouldn't recommend 
changing one's password regularly was also reported previously, in bug 
#868869.


On 9/2/23 22:04, Jonathan Kamens wrote:

> Nearly two years after Alejandro Colomar reported this issue, the
> Debian installer is still giving people this bad advice: "A good
> password will contain a mixture of letters, numbers and punctuation
> and should be changed at regular intervals."
>
> Alejandro explained at length why this advice about what's /in/ the
> password is wrong, but he didn't address at all the other, perhaps
> even more significant reason why this is wrong: we now know,
> absolutely and unequivocally, that telling people to change their
> passwords regularly makes security worse rather than better.
>
> I understand that Debian may not be the most security-focused Linux
> distribution, but can we please move Debian forward into the 21st
> Century on this issue, at least, by updating the messaging in the
> installer to give better advice?
>
> Thank you.