[Freeipa-users] Password Complexity Requirements Seems Insufficient

Ernedin Zajko ezajko at root.ba
Thu Oct 13 02:32:22 UTC 2016


Hi Anton,

maybe you can "talk" directly to ds:
http://directory.fedoraproject.org/docs/389ds/FAQ/password-syntax.html
regards,

--- Ernedin ZAJKO
 ezajko at root.ba

> 340282366920938463463374607431768211456



On Thu, Oct 13, 2016 at 1:53 AM, Anon Lister <listeranon at gmail.com> wrote:
> Unfortunately, policy and regulation often lag behind current theory by
> several decades. For what it's worth, I'd second being able to set more
> complicated policies as a useful feature.
>
>
> On Oct 12, 2016 6:38 PM, "Simpson Lachlan" <Lachlan.Simpson at petermac.org>
> wrote:
>>
>> > -----Original Message-----
>> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
>> > bounces at redhat.com] On Behalf Of Bennett, Chip
>> > Sent: Thursday, 13 October 2016 7:21 AM
>> > To: Florence Blanc-Renaud; freeipa-users at redhat.com
>> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
>> > Insufficient
>> >
>> > Flo,
>> >
>> > Thanks for getting back to me.  I had seen this in the documentation.
>> > I was just hoping that I was missing something.  I guess I'm just
>> > surprised that a product designed to manage authentication wouldn't
>> > have a way to be more specific in the complexity requirements.
>>
>>
>> I don't know. Those types of complexity requirements are multifaceted,
>> complex and somewhat arbitrary. Given that each then requires a regex, I'm
>> quite happy that the devs focus on getting other aspects of FreeIPA to work
>> over password complexity.
>>
>> As xkcd noted a couple of years ago, password length is better for
>> security than anything else.
>>
>> Complex arrangements of different character classes are neither human- nor
>> UX-friendly, nor where contemporary security theory is focused - try 2FA,
>> public/private keys, etc. While I understand that large organisations have
>> policy that often drags well behind contemporary theory, I don't think it's
>> fair to expect software to also allow for that.
>>
>> Cheers
>> L.
>>
>> >
>> > Thanks again!
>> > Chip
>> >
>> > -----Original Message-----
>> > From: Florence Blanc-Renaud [mailto:flo at redhat.com]
>> > Sent: Wednesday, October 12, 2016 3:18 PM
>> > To: Bennett, Chip <cbennett at ftdi.com>; freeipa-users at redhat.com
>> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
>> > Insufficient
>> >
>> > On 10/11/2016 07:36 PM, Bennett, Chip wrote:
>> > > I just joined this list, so if this question has been asked before
>> > > (and I'll bet it has), I apologize in advance.
>> > >
>> > >
>> > >
>> > > A google search was unrevealing, so I'm asking here: we're running
>> > > FreeIPA Version 3.0.0 on CentOS 6.6.   It looks like the password
>> > > complexity requirements are limited to setting the number of character
>> > > classes to require, i.e. setting it to "2" would require your new
>> > > password to be any two of the character classes.
>> > >
>> > >
>> > >
>> > > What if you wanted new passwords to meet specific class requirements,
>> > > i.e. a mix of UC, LC, and numbers.  It looks like you would use a
>> > > value of "3" to accomplish this, but that would also allow UC, LC, and
>> > > special, or LC, numbers, and special, but you don't want to allow
>> > > those:  how would you specify that?
>> > >
>> > Hi,
>> >
>> > as far as I know, it is only possible to specify the number of different
>> > character classes. The doc chapter "Creating Password Policies in the
>> > Web UI" [1] describes the following:
>> > ---
>> > Character classes sets the number of different categories of character
>> > that must be used in the password. This does not set which classes must
>> > be used; it sets the number of different (unspecified) classes which must
>> > be used in a password. For example, a character class can be a number,
>> > special character, or capital; the complete list of categories is in
>> > Table 22.1, "Password Policy Settings". This is part of setting the
>> > complexity requirements.
>> > ---
>> >
>> > hope this clarifies,
>> > Flo
>> >
>> > [1]
>> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui
>> >
>> >
>> > >
>> > >
>> > > Also, what if you had a requirement for more than one of the character
>> > > classes, i.e. you want to require two UC characters or two special
>> > > characters?
>> > >
>> > >
>> > >
>> > > Thanks in advance for the help,
>> > >
>> > > Chip Bennett
>> > >
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go to http://freeipa.org for more info on the project
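The behaviour Florence describes in the quoted reply (a count of distinct classes, with no say over which ones) and the stricter policy Chip was asking for (named classes, and a minimum count per class), side by side as an added Python example. This is not code from FreeIPA, 389-ds, or anyone in this thread. The four-class table (UC, LC, digits, special) and the sample passwords are constructed for the example; FreeIPA's own class list is in the documentation table cited above and is not reproduced here.

```python
import string

# Character classes as the thread names them (UC, LC, numbers, special).
# Assumption for this example: FreeIPA's own table is in the cited docs.
CLASSES = {
    "upper": frozenset(string.ascii_uppercase),
    "lower": frozenset(string.ascii_lowercase),
    "digit": frozenset(string.digits),
    "special": frozenset(string.punctuation),
}


def class_counts(password):
    """Count how many characters of each class the password contains."""
    counts = {name: 0 for name in CLASSES}
    for ch in password:
        for name, members in CLASSES.items():
            if ch in members:
                counts[name] += 1
                break
    return counts


def classes_present(password):
    """The set of classes with at least one character in the password."""
    return frozenset(name for name, n in class_counts(password).items() if n > 0)


def meets_min_classes(password, min_classes):
    """The policy FreeIPA exposes: at least min_classes distinct classes,
    any min_classes of them."""
    return len(classes_present(password)) >= min_classes


def meets_named_classes(password, required, min_per_class=None):
    """The stricter policy asked about in the thread: every class in
    `required` must appear, and each class in `min_per_class` must appear
    at least that many times. Not a FreeIPA setting; shown for comparison."""
    counts = class_counts(password)
    if not frozenset(required) <= classes_present(password):
        return False
    for name, minimum in (min_per_class or {}).items():
        if counts[name] < minimum:
            return False
    return True


def compare(password, min_classes, required, min_per_class=None):
    """Evaluate one password under both policies and report which classes
    it actually contains."""
    return {
        "classes": sorted(classes_present(password)),
        "min_classes_ok": meets_min_classes(password, min_classes),
        "named_classes_ok": meets_named_classes(password, required, min_per_class),
    }


if __name__ == "__main__":
    # Constructed sample passwords, not from the thread.
    for pw in ["Sunshine2016", "sunshine-2016", "SUNSHINE-2016", "AAbc1!"]:
        print(pw, compare(pw, 3, {"upper", "lower", "digit"}, {"upper": 2}))
```

With `min_classes=3`, "sunshine-2016" and "SUNSHINE-2016" both pass (three distinct classes each) even though neither contains the UC+LC+digit mix the named-class policy requires, which is exactly the gap described in the thread.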



