Re: [Savannah-hackers-public] [savannah-help-public] [sr #108600] Registration b0rked

[Eric Noulard]

2014-06-26 23:35 GMT+02:00 Karl Berry <address@hidden>:

    - it's meant to support easy-to-remember https://xkcd.com/936/

In practice there are plenty of complaints about it and always have
been.  I don't find the cartoon especially convincing :).

    - last time we got a compromise (2010), the user had the encrypted
      passwords (through SQL injection), but he didn't get root.

I'd forgotten that.  It's a valid point.

+1
 

I think that the requirement on passwd are good.

May be we could just explain how to craft a password fullfilling the requirements

which does not imply a headache.

My usual favorite being to use the initial letter for each word of a phrase

(possibly long) an replace 'to' with '2'  or drop a '+' or '-' as separator and drop in

some number of space for punctuation.

This usually fullfil most of "strong" passwd requirement and do not

require a lot for remembering it.

Moroever if the passwd recovery process is efficient forgetting a passwd

is not that bad. I'm speaking of passwd for the average project user not

for sys admin of course.

My 2 c.:

Keep string requirement.

Give more advice about two 'create' strong passwd.

--
Erk
L'élection n'est pas la démocratie -- http://www.le-message.org