[Fedora-directory-users] enforce strong passwords

[Nathan Kinder]

Jo De Troy wrote:

> Hi Nathan, Richard,
>
> I was thinking along the lines of pam_passwdqc, well part of it.
> The password should contain at least 3 different character categories.
> The categories being: lowercase, uppercase, special characters and numbers

Yes, I'm working on implementing this.  The minimum number of categories 
would be configurable by the administrator.

> Not specifically a minumum number of uppercase/lowercase/...

I'm making this configurable too.  It'll be there, but you don't need to 
use it.

> Off course there should be no user data in the password, it should not 
> even contain the username as a substring. But I think that code is 
> already in CVS. It's checking for cn, givenname, surname, ... attributes

We currently check is the password is equal to uid, cn, sn, givenname, 
or ou.  We do not check if it's a substring.  I'm changing this behavior 
to check if it's a substring.

> A dictionarry check would be nice but I would maybe make this  optional.
> I guess that if we make the rules too stringent the enduser may complain

Default rules would be a minimum password length of 8 with a minimum of 
3 character categories.  It would also check the attribute values I 
mentioned above if thos values are 3 or more characters in length (this 
length would be configurable).

It sounds like this would meet your requirements.

-NGK

>
> Greetings,
> Jo
>
>------------------------------------------------------------------------
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>  
>