On Mon, Jul 15, 2024 at 2:53 PM Jonathan Billings <billings@xxxxxxxxxx> wrote:
>
> > I wonder if anyone vets that information?
>
> Just check the references:
>
> https://static.open-scap.org/ssg-guides/ssg-fedora-guide-standard.html#xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs

Sad. It is unfortunate Fedora is promulgating it. We've known it's a bad security practice since at least 2006. See "How often should you change your password?", <https://www.usenix.org/publications/login/december-2006-volume-31-number-6/how-often-should-you-change-your-password>.

What happens in practice is, a user starts with a strong password. Then, over time as the user is grinded on, the password gets weaker and weaker until it meets minimum security requirements, like "P@ssword1" and "Blink 182." I'm at "Blink 206" on one of the sites that grinds on me.

Jeff