[Freeipa-users] Password Complexity Requirements Seems Insufficient

Bennett, Chip cbennett at ftdi.com
Wed Oct 12 20:21:26 UTC 2016


Flo,

Thanks for getting back to me. I had seen this in the documentation. I was just hoping that I was missing something. I guess I'm just surprised that a product designed to manage authentication wouldn't have a way to be more specific in the complexity requirements.

Thanks again!
Chip

-----Original Message-----
From: Florence Blanc-Renaud [mailto:flo at redhat.com] 
Sent: Wednesday, October 12, 2016 3:18 PM
To: Bennett, Chip <cbennett at ftdi.com>; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

On 10/11/2016 07:36 PM, Bennett, Chip wrote:
> I just joined this list, so if this question has been asked before 
> (and I'll bet it has), I apologize in advance.
>
>
>
> A Google search was unrevealing, so I'm asking here: we're running
> FreeIPA Version 3.0.0 on CentOS 6.6. It looks like the password
> complexity requirements are limited to setting the number of character 
> classes to require, i.e. setting it to "2" would require your new 
> password to be any two of the character classes.
>
>
>
> What if you wanted new passwords to meet specific class requirements,
> i.e. a mix of UC, LC, and numbers.  It looks like you would use a
> value of "3" to accomplish this, but that would also allow UC, LC, and
> special, or LC, numbers, and special, but you don't want to allow
> those:  how would you specify that?
>
Hi,

As far as I know, it is only possible to specify the number of different character classes. The doc chapter "Creating Password Policies in the Web UI" [1] describes the following:
---
Character classes sets the number of different categories of character that must be used in the password. This does not set which classes must be used; it sets the number of different (unspecified) classes which must be used in a password. For example, a character class can be a number, special character, or capital; the complete list of categories is in Table 22.1, "Password Policy Settings". This is part of setting the complexity requirements.
---

Hope this clarifies,
Flo

[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui


>
>
> Also, what if you had a requirement for more than one of the character
> classes, i.e. you want to require two UC characters or two special
> characters?
>
>
>
> Thanks in advance for the help,
>
> Chip Bennett
>
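
The gap discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA's own code: a simplified model of a count-based character class rule beside a rule with per-class minimums. The class names, function names and sample passwords are constructed for illustration, and only the four ASCII classes named in the thread are modelled.

```python
import string

# Character classes as named in the thread (UC, LC, numbers, special).
# Assumption: ASCII only; the documentation's full category list is not modelled.
CLASSES = {
    "UC": set(string.ascii_uppercase),
    "LC": set(string.ascii_lowercase),
    "number": set(string.digits),
    "special": set(string.punctuation),
}


def class_counts(password):
    """Return how many characters of the password fall into each class."""
    return {name: sum(ch in chars for ch in password)
            for name, chars in CLASSES.items()}


def passes_class_count(password, min_classes):
    """Count-based rule: any min_classes distinct classes are enough."""
    present = [n for n, c in class_counts(password).items() if c > 0]
    return len(present) >= min_classes


def passes_required(password, required):
    """Stricter rule from the question: a minimum count per named class."""
    counts = class_counts(password)
    return all(counts[name] >= need for name, need in required.items())


def policy_gap(passwords, min_classes, required):
    """Passwords the count-based rule accepts but the stricter rule rejects."""
    return [p for p in passwords
            if passes_class_count(p, min_classes)
            and not passes_required(p, required)]


# Constructed sample passwords, for illustration only.
SAMPLES = ["Summer2016", "summer#2016", "Summer#time", "SUmmer##16"]

if __name__ == "__main__":
    # Value "3" versus "must contain UC, LC and a number".
    print(policy_gap(SAMPLES, 3, {"UC": 1, "LC": 1, "number": 1}))
    # Value "3" versus "two UC characters and two special characters".
    print(policy_gap(SAMPLES, 3, {"UC": 2, "special": 2}))
```

A check of this kind can be run at the point where passwords are set (for example in a self-service front end) when the directory's own policy only counts classes.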