On Tue, Feb 03, 2015 at 02:10:31PM -0600, Les Mikesell wrote:
> I'd just rather see them applying their expertise to actually making
> the code resist brute-force password attacks instead of stopping the
> install until I pick a password that I'll have to write down because
> they think it will take longer for the brute-force attack to succeed
> against their weak code.

Also, it isn't up to the *installer* to set up a system that resists brute-force password attacks. That's a job for the default configuration files in OpenSSH, GDM, KDM, and any other software product that reads the password database. All the installer can do is read in the plain-text password, check to make sure it passes a minimum policy, then crypt it and put it in the shadow file.

There are certainly things that could change, like having the pam configuration have pam_faillock on by default. But I tend to think that having brute-force resistance *AND* slightly better password security should be the goal, not one to the exclusion of the other.

-- 
Jonathan Billings <billings at negate.org>