Hi Nathan, Richard, I was thinking along the lines of pam_passwdqc, well part of it. The password should contain at least 3 different character categories. The categories being: lowercase, uppercase, special characters and numbers Not specifically a minumum number of uppercase/lowercase/... Off course there should be no user data in the password, it should not even contain the username as a substring. But I think that code is already in CVS. It''s checking for cn, givenname, surname, ... attributes A dictionarry check would be nice but I would maybe make this optional. I guess that if we make the rules too stringent the enduser may complain Greetings, Jo
Richard Megginson
2006-Jan-19 22:01 UTC
Re: [Fedora-directory-users] enforce strong passwords
Jo De Troy wrote:> Hi Nathan, Richard, > > I was thinking along the lines of pam_passwdqc, well part of it. > The password should contain at least 3 different character categories. > The categories being: lowercase, uppercase, special characters and numbers > Not specifically a minumum number of uppercase/lowercase/... > Off course there should be no user data in the password, it should not > even contain the username as a substring. But I think that code is > already in CVS. It''s checking for cn, givenname, surname, ... attributes > A dictionarry check would be nice but I would maybe make this optional. > I guess that if we make the rules too stringent the enduser may complainThe goal would be to set up reasonable default values if the user decides to enforce strong passwords, then give them the knobs to turn up or down the strength.> > Greetings, > Jo > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users@redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > >
Jo De Troy wrote:> Hi Nathan, Richard, > > I was thinking along the lines of pam_passwdqc, well part of it. > The password should contain at least 3 different character categories. > The categories being: lowercase, uppercase, special characters and numbersYes, I''m working on implementing this. The minimum number of categories would be configurable by the administrator.> Not specifically a minumum number of uppercase/lowercase/...I''m making this configurable too. It''ll be there, but you don''t need to use it.> Off course there should be no user data in the password, it should not > even contain the username as a substring. But I think that code is > already in CVS. It''s checking for cn, givenname, surname, ... attributesWe currently check is the password is equal to uid, cn, sn, givenname, or ou. We do not check if it''s a substring. I''m changing this behavior to check if it''s a substring.> A dictionarry check would be nice but I would maybe make this optional. > I guess that if we make the rules too stringent the enduser may complainDefault rules would be a minimum password length of 8 with a minimum of 3 character categories. It would also check the attribute values I mentioned above if thos values are 3 or more characters in length (this length would be configurable). It sounds like this would meet your requirements. -NGK> > Greetings, > Jo > >------------------------------------------------------------------------ > >-- >Fedora-directory-users mailing list >Fedora-directory-users@redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > >