Date:  Sun, 11 May 2008 02:12:04 +0100
From:  Michael Stauber <bq (at mark)>
Subject:  [coba-e:12797] Re: brute force password guessing
To:  coba-e (at mark)
Message-Id:  < (at mark)>
In-Reply-To:  <178601c8b2f9$69e75bf0$6601a8c0@OfficeKen>
References:  <20080510203922.M90882 (at mark)> <178601c8b2f9$69e75bf0$6601a8c0 (at mark) OfficeKen>
X-Mail-Count: 12797

Hi Ken,

> It will not affect me since I do it automatically already, but  if I could
> make 2 suggestions for future BQ versions:
> 1. Do not allow the password to be "password" or to be the same as the
> username

Good point and easy to implement. I think I'll take it one step further: 

Remember the "Secure Passwords PKG" that I once had released several years 
ago? It used cracklib to check how secure passwords were upon user creation 
and/or password changes. If a password was based on a dictionary word or 
wasn't complex enough (length, upper + lower case + special characters), it 
would reject the password.

One of the reasons for pulling the PKG back then was: It was a bit too 
intrusive and eventually collided with official BlueQuartz updates, which 
overwrote some of the changes that this PKG made.  I'll see if I can dig out 
the old code, polish it a bit more and will then submit it as official update 
to the BlueQuartz SVN. That should solve the issue nicely.

> 2. Have userdirs disabled; make it hard for customers to enable userdirs,
> and harder to enable with php and cgi access for those userdirs.

Another good point. Same for FTP access. There should be a checkbox that 
allows turning off FTP for an entire site or selected users of a particular 

Especially as turning off FTP for individual users is rather easy:

# printf expands the \n escapes portably (bash's echo does not without -e),
# and ProFTPD's <Limit> needs a command group, so ALL is used here
printf '<Limit ALL>\nDenyAll\n</Limit>\n' > ~username/.ftpaccess

No promises on when that will be added to the BlueQuartz GUI, but I'll put it 
on the list as it'll be quite useful to have.

With best regards,

Michael Stauber
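A password-policy check in the spirit of the cracklib-based PKG described above, written here as an added example and not taken from the PKG or from BlueQuartz. It rejects the literal word "password", a password equal to the username, weak complexity (length, upper and lower case, special characters) and passwords derived from a dictionary word; the word list, the substitution table and the minimum length are constructed stand-ins for cracklib's dictionary and rules.

```python
import re
import string
from typing import List, Optional

# Constructed stand-in for a cracklib dictionary; a real one has far more words.
DICTIONARY = {"password", "welcome", "secret", "dragon", "letmein", "summer", "server"}

MIN_LENGTH = 8  # assumed policy value, not from the original PKG

# Undo common letter-for-symbol substitutions so "P@ssw0rd" maps back to "password".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s",
                       "5": "s", "!": "i", "4": "a", "7": "t"})


def _dictionary_base(password: str) -> Optional[str]:
    """Return the dictionary word the password is based on, or None.

    Like cracklib, strip digits/punctuation from the ends, undo common
    substitutions and also try the reversed form of each candidate.
    """
    lowered = password.lower()
    stripped = lowered.strip(string.digits + string.punctuation)
    candidates = set()
    for cand in (lowered, stripped, lowered.translate(_LEET), stripped.translate(_LEET)):
        candidates.add(cand)
        candidates.add(cand[::-1])
    for cand in sorted(candidates):
        if cand in DICTIONARY:
            return cand
    return None


def check_password(username: str, password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if password.lower() == "password":
        problems.append("password is the literal word 'password'")
    if password.lower() == username.lower():
        problems.append("password equals the username")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    base = _dictionary_base(password)
    if base is not None:
        problems.append(f"based on the dictionary word '{base}'")
    return problems
```

Run on user creation or password change and refuse the request whenever the returned list is non-empty.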