[Freeipa-users] Password Complexity Requirements Seems Insufficient

Anon Lister listeranon at gmail.com
Wed Oct 12 23:53:11 UTC 2016


Unfortunately, policy and regulation often lag behind current theory by
several decades. For what it's worth, I'd second being able to set more
complicated policies as a useful feature.

On Oct 12, 2016 6:38 PM, "Simpson Lachlan" <Lachlan.Simpson at petermac.org>
wrote:

> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Bennett, Chip
> > Sent: Thursday, 13 October 2016 7:21 AM
> > To: Florence Blanc-Renaud; freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
> > Insufficient
> >
> > Flo,
> >
> > Thanks for getting back to me.  I had seen this in the documentation.  I was just
> > hoping that I was missing something.  I guess I'm just surprised that a product
> > designed to manage authentication wouldn't have a way to be more specific in the
> > complexity requirements.
>
>
> I don't know. Those types of complexity requirements are multifaceted,
> complex and somewhat arbitrary. Given that each then requires a regex, I'm
> quite happy that the devs focus on getting other aspects of FreeIPA to work
> over password complexity.
>
> As xkcd noted a couple of years ago, password length is better for
> security than anything else.
>
> Complex arrangements of different character classes are neither human- nor
> UX-friendly, nor where contemporary security theory is focused - try 2FA,
> public/private keys, etc. While I understand that large organisations have
> policy that often drags well behind contemporary theory, I don't think it's
> fair to expect software to also allow for that.
>
> Cheers
> L.
>
> >
> > Thanks again!
> > Chip
> >
> > -----Original Message-----
> > From: Florence Blanc-Renaud [mailto:flo at redhat.com]
> > Sent: Wednesday, October 12, 2016 3:18 PM
> > To: Bennett, Chip <cbennett at ftdi.com>; freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
> > Insufficient
> >
> > On 10/11/2016 07:36 PM, Bennett, Chip wrote:
> > > I just joined this list, so if this question has been asked before
> > > (and I'll bet it has), I apologize in advance.
> > >
> > > A google search was unrevealing, so I'm asking here: we're running
> > > FreeIPA Version 3.0.0 on CentOS 6.6.   It looks like the password
> > > complexity requirements are limited to setting the number of character
> > > classes to require, i.e. setting it to "2" would require your new
> > > password to be any two of the character classes.
> > >
> > > What if you wanted new passwords to meet specific class requirements,
> > > i.e. a mix of UC, LC, and numbers.  It looks like you would use a
> > > value of "3" to accomplish this, but that would also allow UC, LC, and
> > > special, or LC, numbers, and special, but you don't want to allow
> > > those: how would you specify that?
> > >
> > Hi,
> >
> > as far as I know, it is only possible to specify the number of different
> > character classes. The doc chapter "Creating Password Policies in the Web UI" [1]
> > describes the following:
> > ---
> > Character classes sets the number of different categories of character that
> > must be used in the password. This does not set which classes must be used; it
> > sets the number of different (unspecified) classes which must be used in a
> > password. For example, a character class can be a number, special character, or
> > capital; the complete list of categories is in Table 22.1, "Password Policy
> > Settings". This is part of setting the complexity requirements.
> > ---
> >
> > hope this clarifies,
> > Flo
> >
> > [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui
> >
> >
> > >
> > > Also, what if you had a requirement for more than one of the character
> > > classes, i.e. you want to require two UC characters or two special
> > > characters?
> > >
> > >
> > > Thanks in advance for the help,
> > >
> > > Chip Bennett
> > >
> > > This message is solely for the intended recipient(s) and may contain
> > > confidential and privileged information. Any unauthorized review, use,
> > > disclosure or distribution is prohibited.
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> This email (including any attachments or links) may contain
> confidential and/or legally privileged information and is
> intended only to be read or used by the addressee.  If you
> are not the intended addressee, any use, distribution,
> disclosure or copying of this email is strictly
> prohibited.
> Confidentiality and legal privilege attached to this email
> (including any attachments) are not waived or lost by
> reason of its mistaken delivery to you.
> If you have received this email in error, please delete it
> and notify us immediately by telephone or email.  Peter
> MacCallum Cancer Centre provides no guarantee that this
> transmission is free of virus or that it has not been
> intercepted or altered and will not be liable for any delay
> in its receipt.
>
>
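Editor's note, added to this archived thread and not part of any message in it: the point Chip and Flo circle around is that `ipa pwpolicy-mod --minclasses=N` counts how many distinct character classes a password uses, not which ones, so minclasses=3 accepts "upper+lower+special" just as readily as "upper+lower+digit". The Python below is a constructed local illustration of the difference between that count-based rule and the class-specific rule Chip wanted (each named class present, or present at least twice). The four classes mirror the documented policy table (uppercase, lowercase, digit, special); that the real server-side check also counts non-ASCII characters as a further class is my understanding of the ipa-pwd-extop plugin and is an assumption, not something the thread states. The function names and sample passwords are mine.

```python
"""Count-based vs. class-specific password checks (constructed illustration,
not FreeIPA code).

ipa_minclasses_ok()   mimics what --minclasses enforces: at least N distinct
                      classes, any N of them.
specific_classes_ok() is the rule the thread says FreeIPA cannot express:
                      named classes, each with its own minimum count.
"""

import string

# Assumption: the four classes from the RHEL password-policy table. The real
# server also treats non-ASCII characters as a class; omitted here for clarity.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def class_counts(password: str) -> dict:
    """Number of characters from each class present in the password."""
    return {name: sum(ch in chars for ch in password)
            for name, chars in CLASSES.items()}


def classes_used(password: str) -> set:
    """Names of the classes that appear at least once."""
    return {name for name, n in class_counts(password).items() if n > 0}


def ipa_minclasses_ok(password: str, minclasses: int) -> bool:
    """Count-based rule: any `minclasses` distinct classes satisfy it."""
    return len(classes_used(password)) >= minclasses


def specific_classes_ok(password: str, required: dict) -> bool:
    """Class-specific rule: every class in `required` must appear at least
    required[class] times, e.g. {"upper": 1, "lower": 1, "digit": 1} or
    {"upper": 2, "special": 2}. Other classes are neither required nor
    forbidden."""
    counts = class_counts(password)
    return all(counts[name] >= minimum for name, minimum in required.items())


def compare(password: str, minclasses: int, required: dict) -> dict:
    """Evaluate both rules side by side so the gap between them is visible."""
    return {
        "classes_used": sorted(classes_used(password)),
        "minclasses_ok": ipa_minclasses_ok(password, minclasses),
        "specific_ok": specific_classes_ok(password, required),
    }


if __name__ == "__main__":
    # Constructed sample passwords; the second one is Chip's exact complaint:
    # three classes, so --minclasses=3 passes, but no digit at all.
    upper_lower_digit = {"upper": 1, "lower": 1, "digit": 1}
    for pw in ("Correct1horse", "Correct!horse", "correcthorse1", "CORRECT!!horse"):
        print(pw, compare(pw, 3, upper_lower_digit))
    # "Two of a class" is just a higher per-class minimum.
    print("CORRECT!!horse", specific_classes_ok("CORRECT!!horse", {"upper": 2, "special": 2}))
```

The thread's conclusion stands: nothing in `ipa pwpolicy-mod` lets you name the classes or ask for two of one class, so a rule like `specific_classes_ok` would have to be enforced outside the built-in policy, and the script above only makes the difference between the two rules concrete.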