[Freeipa-users] Password Complexity Requirements Seems Insufficient

Florence Blanc-Renaud flo at redhat.com
Wed Oct 12 20:17:48 UTC 2016


On 10/11/2016 07:36 PM, Bennett, Chip wrote:
> I just joined this list, so if this question has been asked before (and
> I’ll bet it has), I apologize in advance.
>
> A google search was unrevealing, so I’m asking here: we’re running
> FreeIPA Version 3.0.0 on CentOS 6.6.   It looks like the password
> complexity requirements are limited to setting the number of character
> classes to require, i.e. setting it to “2” would require your new
> password to be any two of the character classes.
>
> What if you wanted new passwords to meet specific class requirements,
> i.e. a mix of UC, LC, and numbers?  It looks like you would use a value
> of “3” to accomplish this, but that would also allow UC, LC, and
> special, or LC, numbers, and special, but you don’t want to allow
> those:  how would you specify that?
>
Hi,

As far as I know, it is only possible to specify the number of different 
character classes. The doc chapter "Creating Password Policies in the 
Web UI" [1] describes the following:
---
Character classes sets the number of different categories of character 
that must be used in the password. This does not set which classes must 
be used; it sets the number of different (unspecified) classes which 
must be used in a password. For example, a character class can be a 
number, special character, or capital; the complete list of categories 
is in Table 22.1, “Password Policy Settings”. This is part of setting 
the complexity requirements.
---

Hope this clarifies,
Flo

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui


>
>
> Also, what if you had a requirement for more than one of the character
> classes, i.e. you want to require two UC characters or two special
> characters?
>
> Thanks in advance for the help,
>
> Chip Bennett
>
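
An added illustration (not part of the original thread, and not FreeIPA code) of the difference discussed above: a count-only character-class rule compared with the per-class minimums the question asks for. It models only the four classes named in the question; the function names and sample passwords are constructed for the example.

```python
import string

# Simplified model (assumption): only the four classes named in the question.
# The complete list of categories is in the documentation table cited above.
CLASSES = {
    "UC": set(string.ascii_uppercase),
    "LC": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Constructed sample passwords, for illustration only.
SAMPLES = ["Summer2016", "Summer!!!!", "summer#2016", "summer2016"]


def class_counts(password):
    """Return how many characters of each class the password contains."""
    return {name: sum(ch in chars for ch in password)
            for name, chars in CLASSES.items()}


def meets_class_count(password, min_classes):
    """Count-only rule: at least min_classes different classes, any of them."""
    present = sum(1 for n in class_counts(password).values() if n > 0)
    return present >= min_classes


def meets_named_minimums(password, minimums):
    """Hypothetical per-class rule, e.g. {"UC": 2} for two uppercase letters."""
    counts = class_counts(password)
    return all(counts[name] >= need for name, need in minimums.items())


def audit(passwords, min_classes, minimums):
    """Passwords the count-only rule accepts but the per-class rule rejects."""
    return [p for p in passwords
            if meets_class_count(p, min_classes)
            and not meets_named_minimums(p, minimums)]


if __name__ == "__main__":
    wanted = {"UC": 1, "LC": 1, "digit": 1}
    for pw in audit(SAMPLES, 3, wanted):
        print(f"{pw!r} passes 'classes=3' but not {wanted}: {class_counts(pw)}")
```
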



