[Freeipa-users] Password Complexity Requirements Seems Insufficient

Simpson Lachlan Lachlan.Simpson at petermac.org
Wed Oct 12 22:24:53 UTC 2016 

> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Bennett, Chip
> Sent: Thursday, 13 October 2016 7:21 AM
> To: Florence Blanc-Renaud; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
> Insufficient
> 
> Flo,
> 
> Thanks for getting back to me.  I had seen this in the documentation.   I was just
> hoping that I was missing something.   I guess I'm just surprised that a product
> designed to manage authentication wouldn't have a way to be more specific in the
> complexity requirements.


I don't know. Those type of complexity requirements are multifaceted, complex and somewhat arbitrary. Given that each then requires regex, I'm quite happy that the devs focus on getting other aspects of FreeIPA to work over password complexity. 

As xkcd noted a couple of years ago, password length is better for security than anything else. 

Complex arrangements of different character classes is neither human or UX friendly nor where contemporary security theory is focused - try 2FA, public/private keys, etc. While I understand that large organisations have policy that often drags well behind contemporary theory, I don't think it's fair to expect software to also allow for that.

Cheers
L.






> 
> Thanks again!
> Chip
> 
> -----Original Message-----
> From: Florence Blanc-Renaud [mailto:flo at redhat.com]
> Sent: Wednesday, October 12, 2016 3:18 PM
> To: Bennett, Chip <cbennett at ftdi.com>; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
> Insufficient
> 
> On 10/11/2016 07:36 PM, Bennett, Chip wrote:
> > I just joined this list, so if this question has been asked before
> > (and I'll bet it has), I apologize in advance.
> >
> >
> >
> > A google search was unrevealing, so I'm asking here: we're running
> > FreeIPA Version 3.0.0 on CentOS 6.6.   It looks like the password
> > complexity requirements are limited to setting the number of character
> > classes to require, i.e. setting it to "2" would require your new
> > password to be any two of the character classes.
> >
> >
> >
> > What if you wanted new passwords to meet specific class requirements,
> > i.e. a mix of UL, LC, and numbers.  It looks like you would use a
> > value of "3" to accomplish this, but that would also allow UC, LC, and
> > special, or LC, numbers, and special, but you don't want to allow the
> > those:  how would you specify that?
> >
> Hi,
> 
> as far as I know, it is only possible to specify the number of different character
> classes. The doc chapter "Creating Password Policies in the Web UI" [1] describes
> the following:
> ---
> Character classes sets the number of different categories of character that must be
> used in the password. This does not set which classes must be used; it sets the
> number of different (unspecified) classes which must be used in a password. For
> example, a character class can be a number, special character, or capital; the
> complete list of categories is in Table 22.1, "Password Policy Settings". This is part
> of setting the complexity requirements.
> ---
> 
> hope this clarifies,
> Flo
> 
> [1]
> https://access.redhat.com/documentation/en-
> US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_
> Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.ht
> ml#creating-group-policy-ui
> 
> 
> >
> >
> > Also, what if you had a requirement for more than one of the character
> > classes, i.e. you want to require two UC characters or two special
> > characters?
> >
> >
> >
> > Thanks in advance for the help,
> >
> > Chip Bennett
> >
> >
> >
> >
> > This message is solely for the intended recipient(s) and may contain
> > confidential and privileged information. Any unauthorized review, use,
> > disclosure or distribution is prohibited.
> >
> >
> 
> 
> This message is solely for the intended recipient(s) and may contain confidential
> and privileged information.
> Any unauthorized review, use, disclosure or distribution is prohibited.
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
This email (including any attachments or links) may contain 
confidential and/or legally privileged information and is 
intended only to be read or used by the addressee.  If you 
are not the intended addressee, any use, distribution, 
disclosure or copying of this email is strictly 
prohibited.  
Confidentiality and legal privilege attached to this email 
(including any attachments) are not waived or lost by 
reason of its mistaken delivery to you.
If you have received this email in error, please delete it 
and notify us immediately by telephone or email.  Peter 
MacCallum Cancer Centre provides no guarantee that this 
transmission is free of virus or that it has not been 
intercepted or altered and will not be liable for any delay 
in its receipt.

More information about the Freeipa-users mailing list