Password diversity

[Andre Robatino]

Pierre-Yves Chibon <pingou at ...> writes:

> At the moment while checking if a password is valid FAS does not check
> how many characters are present.
> Thus it allows things like: "aaaaaaaaaaaaaaaaaaaa" as password.
> 
> One solution is of course checking how many different characters are
> present in the password and I have a quick patch which does that.
> However while discussing about this with Kevin and Toshio on IRC we did
> not find what would be an optimal number of character different in the
> password which would be:
> - high enough to make the password strong(er)
> - low enough so that in case of brute force the number of possibilities
> for each character added remain high.
> 
> So, do you have an opinion on the minimal amount of different characters
> a password should have ?

What about periodically running a password cracker on all the accounts, and
notifying anyone whose password is cracked by it that they need to change it
soon? I suspect that it's possible to choose weak passwords that satisfy any
fixed set of rules for password strength.

Also, when installing Fedora, and during firstboot, the chosen root and ordinary
user passwords are checked for password strength. How is that done?