
Date:  Wed, 5 Nov 2008 01:21:52 +0100
From:  Michael Stauber <bq (at mark) solarspeed.net>
Subject:  [coba-e:14283] Re: Enforcing strong passwords
To:  coba-e (at mark) bluequartz.org
Message-Id:  <200811050121.53152.bq (at mark) solarspeed.net>
In-Reply-To:  <1225805637.13402.2.camel (at mark) columbus.webtent.org>
References:  <1225805637.13402.2.camel (at mark) columbus.webtent.org>
X-Mail-Count: 14283

Hi Robert,

> What is the best way to enforce strong passwords? I see Solarspeed.net
> has a free package to do this, would that be the best way to go?

That PKG is outdated and was pulled. However, the most recent and fully 
working code for it is in the BlueQuartz SVN (has been for several months 
now) and should be available "soon" from the BlueQuartz YUM repository.

It works like this:

Whenever a new user is created, or the password of an existing user is 
changed, then the password field will only accept the new password if:

- The password is long enough
- The password is complex enough
- The password is not based on a dictionary word

The "strength" of the password will be visible while you type it in, so you'll 
know if it'll be "good enough" before you hit "save".

Now of course this doesn't affect any users that are already on the server and 
still have weak passwords. Only once they change their passwords will that 
problem go away as well.

We haven't implemented any means (yet) to allow you to (optionally) "force" a 
password change, like making an old password expire after a given amount of 
time. Technically that's easily possible on the Linux level, but that could 
turn into a support nightmare for some of you. Hence we didn't do that.

So once you have the new code, one suggested way is to send an email to your 
users, asking them kindly to change their passwords. That way all who do 
this will have much more secure passwords.

-- 
With best regards,

Michael Stauber
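The three acceptance rules Michael describes (long enough, complex enough, not based on a dictionary word) plus a coarse live "strength" indicator, as an added example. This is not the BlueQuartz code from the SVN he refers to; it is an independent illustration. The minimum length (8), the number of character classes required (3 of 4), the leet-speak substitution table and the tiny word list are all assumptions made here, and the word list stands in for a real system dictionary such as /usr/share/dict/words.

```python
import string

# Constructed stand-in for a system dictionary; a deployment would load
# /usr/share/dict/words (or the cracklib dictionary) instead.
SAMPLE_DICTIONARY = {
    "password", "welcome", "letmein", "dragon", "monkey", "summer",
    "football", "bluequartz", "solarspeed", "admin", "server",
}

MIN_LENGTH = 8      # assumed policy value; the post gives no number
MIN_CLASSES = 3     # assumed: three of lower / upper / digit / symbol

# Substitutions people use to disguise a dictionary word ("P@ssw0rd").
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = 0
    if any(c.islower() for c in pw):
        classes += 1
    if any(c.isupper() for c in pw):
        classes += 1
    if any(c.isdigit() for c in pw):
        classes += 1
    if any(c in string.punctuation for c in pw):
        classes += 1
    return classes


def dictionary_base(pw: str, words=SAMPLE_DICTIONARY):
    """Return the dictionary word the password is built on, or None.

    Strips the digits/punctuation people bolt onto the ends, lower-cases,
    undoes common leet substitutions, then checks the core, its reverse,
    and whether a dictionary word makes up more than half of the core.
    """
    core = pw.strip(string.digits + string.punctuation).lower()
    core = core.translate(LEET_MAP)
    if not core:
        return None
    for cand in (core, core[::-1]):
        if cand in words:
            return cand
    for w in sorted(words, key=len, reverse=True):
        if len(w) >= 5 and w in core and len(w) * 2 > len(core):
            return w
    return None


def check_password(pw: str, words=SAMPLE_DICTIONARY):
    """Return the list of reasons the password is rejected (empty = accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short (minimum {MIN_LENGTH})")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"needs at least {MIN_CLASSES} character classes")
    base = dictionary_base(pw, words)
    if base:
        problems.append(f"based on dictionary word '{base}'")
    return problems


def strength(pw: str, words=SAMPLE_DICTIONARY) -> str:
    """Coarse indicator to show while typing: 'weak', 'fair' or 'strong'.

    Anything the policy would reject is 'weak'; an accepted password is
    'strong' only when it is 12+ characters and uses all four classes.
    """
    if check_password(pw, words):
        return "weak"
    if len(pw) >= 12 and character_classes(pw) == 4:
        return "strong"
    return "fair"


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd1", "n0g4rD!", "MyServer#2008",
                      "Tr0ub4dor&3", "Kq7#mVw2$pLz9"):
        print(f"{candidate!r:18} {strength(candidate):7} {check_password(candidate)}")
```

The dictionary test is what separates this from a plain length/complexity check: "P@ssw0rd1" passes both of the first two rules and is still rejected, because stripping the trailing digit and undoing the substitutions yields "password". Forcing an expiry at the OS level, which the post mentions but deliberately does not implement, is a separate concern and not part of this example.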