Bug 264851

Summary: FreeBSD Handbook: Password Policy Enforcement: difficult to understand, or typo
Product: Documentation
Reporter: kodcode
Component: Books & Articles
Assignee: Sergio Carlavilla Delgado <carlavilla>
Status: Closed Overcome By Events
Severity: Affects Some People
CC: carlavilla, doc, pauamma, zarychtam
Priority: ---
Keywords: needs-patch
Version: Latest
Hardware: Any
OS: Any
URL: https://github.com/freebsd/freebsd-doc/blob/main/documentation/content/en/books/handbook/security/_index.adoc#24-password-policy-enforcement
Bug Depends on:    
Bug Blocks: 263315    

Description kodcode 2022-06-23 15:53:30 UTC
Hi. Can I have a sanity test on the FreeBSD Handbook? Chapter 14.2.4

"In this example, the first three types of passwords are disabled, meaning that passwords that meet those complexity requirements will not be accepted, regardless of their length."

- does not make sense to me... "that meet" or "that do not meet"?
Comment 1 Marek Zarychta 2022-06-23 18:34:47 UTC
Regardless of the length, passwords from these classes will not be accepted.
This is relatively clear, but the chapter doesn't cover the scenario when the password is expired and the user logs in to change it. Please compare:
https://reviews.freebsd.org/D27656
Comment 2 kodcode 2022-06-23 20:11:51 UTC
Meeting a requirement has a positive meaning,
as if "fulfilling a requirement".

This sentence sounds positive and negative. (Meet a requirement -> not get accepted). Confusing.

I am not a native English speaker, but I asked on freebsd.libera.org,
and a native English speaker could also not make sense of this sentence.
Comment 3 Graham Perrin freebsd_committer freebsd_triage 2022-06-25 12:31:47 UTC
(In reply to kodcode from comment #0)

> 14.2.4

<https://docs.freebsd.org/en/books/handbook/book/#security-pwpolicy> | <https://docs.freebsd.org/en/books/handbook/security/#security-pwpolicy>

----

> … using built-in Pluggable Authentication Modules (PAM). …

Instead: 

> … using pluggable authentication modules (PAMs). …

----

> … the pam_passwdqc.so module. This module is enforced when a user 
> changes their password. …

Instead: 

> … the pam_passwdqc.so module, which is enforced when a user 
> changes their password. 
> 
> pam_passwdqc(8) describes five classes of character, and other aspects of 
> password quality control. …

----

> This example sets several requirements for new passwords. The min setting 
> controls the minimum password length. It has five values because this 
> module defines five different types of passwords based on their 
> complexity. Complexity is defined by the type of characters that must 
> exist in a password, such as letters, numbers, symbols, and case. The 
> types of passwords are described in pam_passwdqc(8). In this example, 
> the first three types of passwords are disabled, meaning that passwords 
> that meet those complexity requirements will not be accepted, regardless 
> of their length. The 12 sets a minimum password policy of at least 
> twelve characters, if the password also contains characters with 
> three types of complexity. The 10 sets the password policy to also allow 
> passwords of at least ten characters, if the password contains characters 
> with four types of complexity.

Too verbose, IMHO. Instead: 

> In the example above: 
> 
> * min sets values for types N0, N1, N2, N3 and N4
> 
> * types N0, N1 and N2 are disallowed
> 
> * if three classes of character (N3) are used, then the word length must 
>   be at least 12
> 
> * if four classes (N4) are used, then the word length must be at least 10. 

– something like that. 

The reader is directed, _before_ the example, to see the manual page that describes the N types.
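
Added example, not part of the bug thread or the Handbook: a simplified Python model of the `min` policy discussed in comment 3 (N0, N1 and N2 disabled, N3 = 12, N4 = 10), showing why a long password in a disabled class is still rejected. The function names are hypothetical, and only class counting and the length check are modelled, not passwdqc's other checks (passphrases, similarity, dictionary words).

```python
import string

# Policy from the thread: N0, N1, N2 disabled (None), N3 = 12, N4 = 10.
MIN = (None, None, None, 12, 10)


def count_classes(password):
    """Count character classes used: digit, lower, upper, other.

    Per pam_passwdqc(8), an upper-case first character and a digit as the
    last character are not counted. Non-ASCII handling is not modelled.
    """
    classes = set()
    last = len(password) - 1
    for i, ch in enumerate(password):
        if ch in string.digits:
            if i != last:
                classes.add("digit")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            if i != 0:
                classes.add("upper")
        else:
            classes.add("other")
    return len(classes)


def evaluate(password, policy=MIN):
    """Return (accepted, reason) for a candidate password."""
    n = count_classes(password)
    # One class -> N0, two -> N1, three -> N3, four -> N4.
    # N2 (passphrases) is disabled in this policy, so it is never consulted.
    slot = {0: 0, 1: 0, 2: 1, 3: 3, 4: 4}[n]
    minimum = policy[slot]
    if minimum is None:
        return False, f"{n} class(es): N{slot} is disabled, length is irrelevant"
    if len(password) < minimum:
        return False, f"{n} classes: needs at least {minimum} characters"
    return True, f"{n} classes, {len(password)} characters: meets N{slot}"


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("abcdefgh12345678abcd", "Password1234", "pa-Word-xy",
               "pass-Word-xy", "pa-W0rd-xy"):
        print(pw, evaluate(pw))
```
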
Comment 4 Pau Amma 2022-06-25 18:06:13 UTC
Thanks. Would "is in one of these complexity classes" or "belongs to one of these complexity classes" work better?
Comment 5 kodcode 2022-06-25 20:29:18 UTC
(In reply to PauAmma from comment #4)

Yes. Definitely! (Personally, I prefer "belongs...")

(Graham's edit is very clear, too)
Comment 6 Sergio Carlavilla Delgado freebsd_committer freebsd_triage 2023-09-27 17:19:44 UTC
I'm gonna close this PR as overcome by events.
We upgraded the chapter in this commit: https://cgit.freebsd.org/doc/commit/?id=99333306