Bug 129982 - pam - default configuration is too permissive (passwd)
Summary: pam - default configuration is too permissive (passwd)
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard: A4 [ebuild?] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2006-04-14 12:59 UTC by Daniele Bianco
Modified: 2006-04-21 09:35 UTC
2 users

See Also:
Package list:
Runtime testing required: ---


Description Daniele Bianco 2006-04-14 12:59:09 UTC
The default pam configuration of Gentoo is too permissive in its choice of passwords.

*ok! pam syntax is really strange in this case*
With the line:

password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=2 ocredit=2

in /etc/pam.d/system-auth, we impose a passwd minlen of 8 characters, but with an extra credit of 2 for digits and 2 for others.
The result is that a 6-character passwd such as "12345a" is considered good.

A better configuration could be:

password required pam_cracklib.so difok=3 retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
(password with a minimum length of 8 and with at least 1 digit number, 1 upper case letter, and 1 other character)

OR

password required pam_cracklib.so difok=3 retry=3 dcredit=-1 ocredit=-1 minlen=8

(password with a minimum length of 8 and with at least 1 digit number and 1 other character)


On my system:
sys-libs/pam-0.78-r3  +berkdb -nis -pam_chroot -pam_console -pam_timestamp -pwdb (-selinux)
sys-apps/pam-login-4.0.14 -livecd -nls (-selinux) -skey
sys-libs/cracklib-2.8.5-r1  -nls -python

see also:
Bug 129981 - Gentoo Security Handbook - PAM configuration
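The four pam_cracklib lines discussed in this bug (the Gentoo default, the two proposals above, and the compromise in comment 4) differ only in their credit values, so the quickest way to see what each one actually accepts is to run the module's credit arithmetic over a few candidate passwords. The script below is an added example, not Linux-PAM's or Gentoo's code: it reimplements the minlen/credit rule as documented in pam_cracklib(8) (a credit of N >= 0 lets up to N characters of that class count as extra length; a credit of -N instead requires at least N characters of that class, with no length bonus), using the module's documented defaults of 1 for every credit when the option is absent. The config strings and the sample passwords are constructed for the example. Dictionary, difok and retry handling are not modelled. Besides confirming that "12345a" passes the default line, it shows a caveat worth knowing before picking the second proposal or the comment 4 line: because ucredit and lcredit stay at their default of 1, a 6-character password that mixes cases still satisfies "minlen=8" under those lines.

```python
# Added example (not Linux-PAM's or Gentoo's code): a model of pam_cracklib's
# minlen/credit rule, so the lines discussed in this bug can be compared.
# The arithmetic follows pam_cracklib(8): a non-negative credit lets up to that
# many characters of the class count extra towards minlen; a negative credit
# -N instead requires at least N characters of that class. Dictionary,
# similarity (difok) and retry handling are not modelled.

# Defaults pam_cracklib uses when an option is absent from the line.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}

# Config lines as quoted in this bug report (constructed constants for the example).
GENTOO_DEFAULT = "password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=2 ocredit=2"
PROPOSAL_1 = "password required pam_cracklib.so difok=3 retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8"
PROPOSAL_2 = "password required pam_cracklib.so difok=3 retry=3 dcredit=-1 ocredit=-1 minlen=8"
COMPROMISE = "password required pam_cracklib.so difok=3 retry=3 dcredit=-1 minlen=8"


def parse_cracklib_line(line):
    """Extract the credit/minlen options from a pam_cracklib.so line, filling in defaults."""
    opts = dict(DEFAULTS)
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep and key in opts:
            opts[key] = int(val)
    return opts


def count_classes(password):
    """Count digits, upper-case, lower-case and other characters, keyed by credit option."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in password:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def check_password(password, line):
    """Apply the credit rule of the given config line; return (accepted, reason)."""
    opts = parse_cracklib_line(line)
    required = opts["minlen"]
    for cls, n in count_classes(password).items():
        credit = opts[cls]
        if credit >= 0:
            required -= min(n, credit)  # each character of the class buys one credit, capped
        elif n < -credit:
            return False, f"needs at least {-credit} character(s) for {cls}"
    if required <= len(password):
        return True, f"effective minimum {required} <= length {len(password)}"
    return False, f"effective minimum {required} > length {len(password)}"


def accepts(password, line):
    """Convenience wrapper: True if the line would accept the password under the credit rule."""
    return check_password(password, line)[0]


if __name__ == "__main__":
    samples = ["12345a", "abcdefgh", "Ab1!xy", "abcdefg1", "Passw0rd!"]
    configs = [("gentoo default", GENTOO_DEFAULT), ("proposal 1", PROPOSAL_1),
               ("proposal 2", PROPOSAL_2), ("comment 4", COMPROMISE)]
    for name, line in configs:
        print(name)
        for pw in samples:
            ok, why = check_password(pw, line)
            print(f"  {pw!r:12} {'accept' if ok else 'reject':7} {why}")
```

Running it prints one table per config line. Only the first proposal (which zeroes lcredit and makes the other three classes mandatory) rejects every 6-character sample; the second proposal and the comment 4 line both accept "Ab1!xy", because the default ucredit=1 and lcredit=1 shave two characters off minlen=8.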
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-04-14 15:41:09 UTC
I suppose this mostly requires deciding what gentoo is targeted for.
For an average desktop system, the default password length sounds fine; of course it's not fine for a networked system.
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2006-04-14 15:56:19 UTC
Imposing draconian password restrictions is pointless and annoying; the more confusing you force users to make their passwords, the more likely they are to have to write them down on post-its stuck to the monitor.

I think the defaults are fine, and as you've pointed out, easily changed if necessary.
Comment 3 SpanKY gentoo-dev 2006-04-14 21:02:37 UTC
agreed
Comment 4 Daniele Bianco 2006-04-15 01:51:22 UTC
(In reply to comment #2)
> Imposing draconian password restrictions is pointless and annoying; the more
> confusing you force users to make their passwords, the more likely they are to
> have to write them down on post-its stuck to the monitor.
> 
> I think the defaults are fine, and as you've pointed out, easily changed if
> necessary.
> 
I agree with you that imposing overly restrictive policies is not a good choice... but I think that the current default conf is too permissive.
I think that a proposal like (for example):
  password required pam_cracklib.so difok=3 retry=3 dcredit=-1 minlen=8
is a good compromise and it sounds better for all. Passwords are at least 8 chars and contain at least 1 digit... not so draconian for users.
But if you are happy with the default passwd behavior, the problem doesn't exist!

Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-04-21 09:03:07 UTC
So, what's security team's word about this?
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-21 09:25:15 UTC
I tend to like the config Daniele proposed, but I also agree that forcing users to use strict passwords might backfire. What about adding a warning in the ebuild that the default config might be too permissive, together with instructions on how to make it more secure?
Comment 7 Tavis Ormandy (RETIRED) gentoo-dev 2006-04-21 09:35:23 UTC
Marking WONTFIX, we've decided that the defaults are fine, and the settings can be modified by users as local policies dictate.