Date:  Sun, 11 May 2008 02:12:04 +0100
From:  Michael Stauber <bq (at mark) solarspeed.net>
Subject:  [coba-e:12797] Re: brute force password guessing
To:  coba-e (at mark) bluequartz.org
Message-Id:  <200805110312.04938.bq (at mark) solarspeed.net>
In-Reply-To:  <178601c8b2f9$69e75bf0$6601a8c0@OfficeKen>
References:  <20080510203922.M90882 (at mark) domain-nameit.net> <178601c8b2f9$69e75bf0$6601a8c0 (at mark) OfficeKen>
X-Mail-Count: 12797

Hi Ken,

> It will not affect me since I do it automatically already, but if I could
> make 2 suggestions for future BQ versions:
>
> 1. Do not allow the password to be "password" or to be the same as the
> username

Good point and easy to implement. I think I'll take it one step further: 

Remember the "Secure Passwords PKG" that I once had released several years 
ago? It used cracklib to check how secure passwords were upon user creation 
and/or password changes. If a password was based on a dictionary word or 
wasn't complex enough (length, upper + lower case + special characters), it 
would reject the password.

One of the reasons for pulling the PKG back then was: It was a bit too 
intrusive and eventually collided with official BlueQuartz updates, which 
overwrote some of the changes that this PKG made.  I'll see if I can dig out 
the old code, polish it a bit more and will then submit it as an official update 
to the BlueQuartz SVN. That should solve the issue nicely.

> 2. Have userdirs disabled; make it hard for customers to enable userdirs,
> and harder to enable with php and cgi access for those userdirs.

Another good point. Same for FTP access. There should be a checkbox that 
allows turning off FTP for an entire site or for selected users of a particular 
site.

Especially as turning off FTP for individual users is rather easy:

# printf expands the \n escapes (bash's builtin echo would not); ProFTPD's <Limit> needs a command group such as LOGIN
printf '<Limit LOGIN>\nDenyAll\n</Limit>\n' > ~username/.ftpaccess

No promises on when that will be added to the BlueQuartz GUI, but I'll put it 
on the list as it'll be quite useful to have.

-- 
With best regards,

Michael Stauber
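The password rules discussed above (reject "password", reject a password equal to the username, and the Secure Passwords PKG criteria of not being dictionary-based and having enough length plus upper, lower and special characters) combined into one check, as an added example that is not part of the original message or of the BlueQuartz code. The word list is a constructed stand-in for cracklib's dictionary; `check_password` and `MIN_LENGTH` are assumed names.

```python
import re

# Constructed stand-in for a cracklib-style word list; a real deployment
# would query cracklib's dictionary instead of this handful of words.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}

MIN_LENGTH = 8  # assumed minimum; the original PKG's value is not stated


def _stem(candidate: str) -> str:
    """Lower-case and strip digits/punctuation, so 'Password123!' is still
    recognised as the dictionary word 'password' (rough imitation of cracklib)."""
    return re.sub(r"[^a-z]", "", candidate.lower())


def check_password(username: str, password: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    low = password.lower()
    if low == "password":
        problems.append("password must not be 'password'")
    if low == username.lower():
        problems.append("password must not equal the username")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    stem = _stem(password)
    # Dictionary check also catches the reversed word and username-derived stems.
    if stem in DICTIONARY or stem[::-1] in DICTIONARY or (
        len(stem) >= 4 and stem == _stem(username)
    ):
        problems.append("based on a dictionary word or the username")
    return problems
```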