NetBSD Problem Report #58877

From falsifian@falsifian.org  Thu Dec  5 22:57:55 2024
Return-Path: <falsifian@falsifian.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 2973D1A9238
	for <gnats-bugs@gnats.NetBSD.org>; Thu,  5 Dec 2024 22:57:55 +0000 (UTC)
Message-Id: <21T1GWIPUPJYP.2JHSU0YJC1AXJ@falsifian.org>
Date: Thu, 05 Dec 2024 21:11:10 +0000
From: James Cook <falsifian@falsifian.org>
To: gnats-bugs@NetBSD.org
Subject: passwd unnecessarily rejects lowercase passwords
X-Send-Pr-Version: 3.95

>Number:         58877
>Category:       bin
>Synopsis:       passwd unnecessarily rejects lowercase passwords
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Dec 05 23:00:00 +0000 2024
>Last-Modified:  Fri Dec 06 16:45:01 +0000 2024
>Originator:     =09
>Release:        NetBSD 10.0
>Organization:
James
>Environment:
System: NetBSD ucl.h.falsifian.org 10.0 NetBSD 10.0 (GENERIC) #0: Thu Mar 2=
8 08:33:33 UTC 2024 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/comp=
ile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
        I prefer to use a randomly-generated all-lowercase password.
        When I supply it to passwd, the session goes like this:

		$ passwd
		Changing password for falsifian.
		Old Password:
		New Password:
		Retype New Password:
		Please don't use an all-lower case password.
		Unusual capitalization, control characters or digits are suggested.
		New Password:
		Retype New Password:

        For me personally this "don't use an all lower-case password"
        rule is annoying and unhelpful. (12 randomly-generated
        characters is fairly secure IMO.)

        I guess the point is to encourage higher-entropy passwords,
        but I don't know that works.

	I brought this up on IRC and it was suggested I file a PR.

        (If the current behaviour is kept, at least the first "Retype
        New Password:" prompt should be skipped to save the user
        some time.)
>How-To-Repeat:
        Run the passwd command. Enter an all-lowercase password
        when prompted for a new password, and the same one again
        when prompted to retype.
>Fix:
	Just enter the all-lowercase password again after the nag.

>Release-Note:

>Audit-Trail:

From: James Cook <falsifian@falsifian.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/58877
Date: Fri, 06 Dec 2024 16:41:24 +0000

 It seems I messed up the Reply-To header. Please use this email
 address for replies to me.

 -- 
 James

>Unformatted:

Home	PR Database Search