Subject: re: security/10206
To: None <security-officer@netbsd.org, gnats-admin@netbsd.org,>
From: Elad Efrat <elad@NetBSD.org>
List: netbsd-bugs
Date: 08/15/2005 18:10:03
The following reply was made to PR bin/10206; it has been noted by GNATS.

From: Elad Efrat <elad@NetBSD.org>
To: david@NetBSD.org
Cc: gnats-bugs@netbsd.org
Subject: re: security/10206
Date: Mon, 15 Aug 2005 21:00:03 +0300

 David,
 
 There are also plenty of PRs about system integrity, and we don't enable
 Veriexec by default. The way I see it, NetBSD should provide the tools
 for an admin to customize the security of her system the way she sees
 fit.
 
 This whole PR is based on the assumption that we are not doing anything
 to prevent brute-force password cracking.
 
 How many guesses does it take to pick a password? Should we be enforcing
 this for *all* users, even those who use NetBSD in environments where
 these concerns no longer hold?
 
 Unless you are taking measures to prevent an attacker from infinitely
 trying all password combinations, your password *will* be cracked. This
 is why many people use public keys, and why many admins care about
 rate-limiting login attempts; *this* is where we should aim if we want
 to have a take on solving this problem.
 
 IMHO, enforcing 10-char, upper/lower/digit/punctuation passwords is
 archaic. And given JtR allows you to specify possible password patterns,
 and the power of today's computers, and the ability to do transparent
 processing distribution, I don't see how any of the suggestions in this
 patch solve the problem.
 
 -e.
 
 -- 
 Elad Efrat
 PGP Key ID: 0x666EB914
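The message above argues that the effective control against guessing is bounding the attacker's attempt rate, not the password policy. The following is an added example written for this archive page, not code from Elad or from NetBSD, and it does not model real login(1) or sshd behaviour. It implements a per-principal sliding-window limiter with exponentially growing lockouts, then simulates a single-source attacker against it to show how many guesses per day get through compared with an unlimited rate. The thresholds (5 failures per 60 s, 30 s base lockout doubling up to an hour), the 1000 attempts/s attacker, the `("alice", "192.0.2.10")` key and the 8-lowercase-letter search space are all constructed assumptions for illustration.

```python
"""Per-principal login rate limiting with exponential lockout.

Constructed example illustrating the rate-limiting point in the email above.
It is not NetBSD code and does not model any real login(1)/sshd behaviour;
all thresholds and the attacker model are assumptions chosen for illustration.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class _State:
    failures: deque = field(default_factory=deque)  # timestamps of recent failed attempts
    locked_until: float = 0.0                       # time at which the lockout expires
    lockouts: int = 0                               # consecutive lockouts, drives the backoff


class LoginRateLimiter:
    """Allow at most `max_failures` failures per `window` seconds for each key.

    A key is e.g. (username, source address).  When the budget is exhausted the
    key is locked for base_lockout * 2**n seconds, n being the number of
    consecutive lockouts, capped at max_lockout.  A successful login resets it.
    """

    def __init__(self, max_failures=5, window=60.0, base_lockout=30.0, max_lockout=3600.0):
        self.max_failures = max_failures
        self.window = window
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self._states = {}

    def is_allowed(self, key, now):
        """True if an attempt for `key` may be processed at time `now`."""
        st = self._states.get(key)
        return st is None or now >= st.locked_until

    def locked_until(self, key):
        """Expiry time of the current lockout for `key` (0.0 if none)."""
        st = self._states.get(key)
        return st.locked_until if st else 0.0

    def record_failure(self, key, now):
        """Record a failed attempt; returns True if this failure triggered a lockout."""
        st = self._states.setdefault(key, _State())
        if now < st.locked_until:
            return False  # caller should have checked is_allowed(); nothing to count
        # Forget failures that fell out of the sliding window.
        while st.failures and now - st.failures[0] > self.window:
            st.failures.popleft()
        st.failures.append(now)
        if len(st.failures) < self.max_failures:
            return False
        lock = min(self.base_lockout * 2 ** st.lockouts, self.max_lockout)
        st.locked_until = now + lock
        st.lockouts += 1
        st.failures.clear()
        return True

    def record_success(self, key):
        """A correct password clears the key's failure history and backoff."""
        self._states.pop(key, None)


def simulate_guesses(limiter, key, duration, attempts_per_second=1000.0):
    """Count how many wrong guesses a single-source attacker gets processed in
    `duration` seconds when every attempt fails.  Event-driven: while locked
    out, the clock jumps straight to the lockout expiry."""
    step = 1.0 / attempts_per_second
    t, guesses = 0.0, 0
    while t < duration:
        if limiter.is_allowed(key, t):
            guesses += 1
            limiter.record_failure(key, t)
            t += step
        else:
            t = limiter.locked_until(key)
    return guesses


def expected_crack_seconds(search_space, guesses_per_second):
    """Expected time to hit a uniformly chosen password: half the space on average."""
    return search_space / 2.0 / guesses_per_second


if __name__ == "__main__":
    DAY = 86400.0
    key = ("alice", "192.0.2.10")  # constructed key: user + RFC 5737 documentation address
    unlimited = 1000.0 * DAY
    limited = simulate_guesses(LoginRateLimiter(), key, DAY)
    space = 26 ** 8  # 8 lowercase letters: weak under any policy, yet slow to guess online
    print(f"guesses/day, no limit: {unlimited:.0f}, with limiter: {limited}")
    print(f"expected days to crack, no limit: {expected_crack_seconds(space, unlimited / DAY) / DAY:.1f}")
    print(f"expected days to crack, limited:  {expected_crack_seconds(space, limited / DAY) / DAY:.2e}")
```

Under these assumptions the limiter cuts a single source from 86.4 million processed guesses per day to 150, which is what makes an otherwise weak password survive online guessing. The key choice matters: keying on the username alone lets anyone lock a legitimate user out, while keying on the source address alone is exactly what the distributed guessing mentioned in the message routes around, which is why the example keys on both and why the message's preference for public keys still stands.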