Koozali.org: home of the SME Server

Impossible password policy

yehaah

Impossible password policy
« on: December 09, 2005, 01:08:59 PM »
I've just installed SME Server 7 Beta8

Wow, you have sure made a lot of brilliant improvements!

There is one big problem though...

...password security!

Yes, it's an important thing, but in this case it's almost hysterical.

I had to try at least 6 passwords before finding one that it would accept, and even passwords like "icfabptw" (I Can't Find A Bloody Password That Works) were marked as not secure enough.

Password security is important, but I'm afraid that this will kill off a lot of usability.

If I install 7b8 on our mailserver with 900+ addresses, and set people to change a password to one "of their own choice", I'd be lynched.
After helping them all to create a password they can't remember, I'd have to hire a man full time, resetting forgotten passwords.

Can this function be switched off, or can it be reduced to only demand 6 words that aren't in a dictionary?
Everything more than this will kill any possibility of getting acceptance from my users (and probably a few other admins' users).

byte
Impossible password policy
« Reply #1 on: December 09, 2005, 01:38:39 PM »
Added to my notes from a post done here a couple of weeks ago on "Relax Password Strength"...

/sbin/e-smith/db configuration setprop passwordstrength Users none

/sbin/e-smith/db configuration setprop passwordstrength Admin none

/sbin/e-smith/db configuration setprop passwordstrength Ibays none
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

yehaah

Impossible password policy
« Reply #2 on: December 10, 2005, 09:56:06 AM »
Quote from: "byte"
Added to my notes from a post done here couple of weeks ago on "Relax Password Strength"...

I'm glad that I'm not the only one that sees this as a problem.

Quote from: "byte"

/sbin/e-smith/db configuration setprop passwordstrength Users none

/sbin/e-smith/db configuration setprop passwordstrength Admin none

/sbin/e-smith/db configuration setprop passwordstrength Ibays none


Is this something I can use, if so how?


Sorry about the double post. The long time span between them is strange???

RonM

Impossible password policy
« Reply #3 on: December 11, 2005, 08:02:36 AM »
1cf@BPtw would have worked fine ;-)

Personally, if I was found to have ever given a single user a weak password that worked, I would not only be fired, I'd be escorted to my car while someone examined my things to see what I'd be allowed to take home. Fortunately, it would be nearly impossible to do.

Giving SME users access with a weak or nonexistent password is one thing (and risky enough), but allowing root or admin access in a commercial setting with any less than the strongest security possible is a dereliction of duty IMO. We have recently seen a couple of instances where weak admin passwords have been guessed by someone out on the net, who proceeded to compromise the server/gateway.

I would advise you to make up a few scenarios of potential compromises (from within and without) together with an estimate of what each would cost. Don't neglect "opportunity costs" (the money they would have made) if applicable. Share these scenarios with the owners or senior managers of your org.

If they don't care, fine: it's their money. Most people will care, though. And when the bosses really care, and show it, you'll see that almost all workers are suddenly quite able to remember their passwords, and can deal with making strong ones. They are not complete idiots. Of course they'll still do stuff like tape the passwords on their monitors, or forget them every 3-day weekend, but you can work with that.

At least you would be working on securing your environment. When the compromise happens, you won't find yourself standing there saying "It was too hard to get them to accept strong passwords, so I didn't even try". :-(

Good Luck!
RonM

yehaah

Impossible password policy
« Reply #4 on: December 12, 2005, 10:11:41 AM »
Thank you for the warning. I agree with you, passwords should not be too weak, and especially admin/root.

But the password security in 7b8 is higher than my users can accept.

How do I change the settings to normal with those lines above?

Do I enter them as root, or do I need to add them to a file somewhere?

yehaah

Impossible password policy
« Reply #5 on: December 12, 2005, 10:49:30 AM »
On http://smeserver.sourceforge.net/sme70/FAQs?v=1d5g

They give two possibilities:

Quote
Users are complaining the password strength checking is too strong. How do I change it?
First a warning – Far too many systems out there have weak passwords and they *will* be broken into. Educating your users on the necessity of strong passwords is the best option. If that fails, here is how you change the password strength checking from 'strong' to 'normal', which was the setting in previous versions of SME. Be careful to use the exact capitalization.

config setprop passwordstrength Users normal
config setprop passwordstrength Ibays normal

It is also possible, but strongly discouraged, to disable password strength checking:

config setprop passwordstrength Users none
config setprop passwordstrength Ibays none

This issue was first reported here:
https://sourceforge.net/tracker/?func=detail&atid=615772&&aid=1228269&group_id=96750


I'd prefer the normal strength compared to the hysterical one.

But how do I change them?

byte
Impossible password policy
« Reply #6 on: December 12, 2005, 11:07:41 AM »
At the command line, type them as you see them, so for example...

/sbin/e-smith/db configuration setprop passwordstrength Users normal

Hit return at the end of the line and that change has now been done.
--[byte]--

yehaah

Impossible password policy
« Reply #7 on: December 12, 2005, 12:10:12 PM »
Thank you.

I did as you asked, but it still complains:

Quote
The password you provided was not a good password. A good password must contain all of the following: upper case letter, lower case letter, number, non-alphanumeric character, be at least 7 characters long.


Isn't that still higher demands than those on 6.0.0-1?

I've rebooted to be sure that that wasn't needed but without any difference.

yehaah

Impossible password policy
« Reply #8 on: December 12, 2005, 12:12:34 PM »
Yup, it still won't accept those passwords that I can use in 6.0.1-01

Any ideas anyone?

yehaah

Impossible password policy
« Reply #9 on: December 12, 2005, 12:40:21 PM »
ROFL! :lol:

I have just tried all 3 possibilities to see if the reason was that there was no difference between them.

There is.
No password worked (in the 2 seconds it took to test and change it back to normal).

The funny bit is that it's easier to make a password in "Strong" mode than in "normal".

An example is "ohnonotagain" passes strong, but not normal :o)

At least 7 digits, that are uppercase AND lowercase AND non-alphanumerical AND numbers, is too much, but that is what it demands in normal mode.
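To make the rule set concrete, here is an added example (not code from this thread or from SME Server) that re-implements the "normal" passwordstrength requirements exactly as the error message quoted in Reply #7 states them and as Reply #9 summarises them: upper case, lower case, a number, a non-alphanumeric character, and at least 7 characters. It is run over the sample passwords that appear in the posts above. How SME checks these rules internally, and whether a space counts as non-alphanumeric, are assumptions of this example.

```python
from typing import Dict, List

# Requirements as stated in the SME 7 beta "normal" error message quoted in
# this thread. This is an independent re-implementation for illustration,
# not SME's own code; the server's internal check may differ in details.
MIN_LENGTH = 7


def check_requirements(password: str) -> Dict[str, bool]:
    """Evaluate each 'normal'-policy requirement; True means satisfied."""
    return {
        "upper case letter": any(c.isupper() for c in password),
        "lower case letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        # Assumption: anything that is not a letter or digit (including a
        # space) satisfies the "non-alphanumeric character" rule.
        "non-alphanumeric character": any(not c.isalnum() for c in password),
        "at least 7 characters long": len(password) >= MIN_LENGTH,
    }


def missing_requirements(password: str) -> List[str]:
    """Names of the requirements the password fails (empty list = accepted)."""
    return [name for name, ok in check_requirements(password).items() if not ok]


def is_acceptable(password: str) -> bool:
    """True when the password satisfies every 'normal'-policy requirement."""
    return not missing_requirements(password)


def rejection_message(password: str) -> str:
    """Like the server's message, but names only the rules that actually
    failed, which is what a help desk needs to tell a confused user."""
    missing = missing_requirements(password)
    if not missing:
        return "Password accepted."
    return ("The password you provided was not a good password. "
            "It is missing: " + ", ".join(missing) + ".")


if __name__ == "__main__":
    # Sample passwords taken from the posts in this thread.
    for pw in ["icfabptw", "1cf@BPtw", "ohnonotagain"]:
        print(f"{pw!r}: {rejection_message(pw)}")
```

Run as-is it reports that "icfabptw" and "ohnonotagain" each lack an upper case letter, a number and a non-alphanumeric character, while "1cf@BPtw" (RonM's suggestion) passes, which matches the behaviour the posters describe for the "normal" setting.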

RonM

Impossible password policy
« Reply #10 on: December 12, 2005, 07:48:43 PM »

ejfowler

Impossible password policy
« Reply #11 on: December 27, 2005, 02:41:38 AM »
It appears the 'normal' rules are stronger in most ways than the 'strong' rules. Of the three available levels, the only one most of my clients will be willing to follow is 'none', despite the obvious risks.  

Is there a way to adjust the 'normal' policy to something a little less stringent? Finer-grained control would be helpful.  

How about adding a server-manager panel that allows the administrator to build a password policy based on available security features such as length, case, punctuation, numerals, dictionary cross-reference, etc? Also, an expiration policy with enforced password changes would be useful when the server is used as a domain controller.  

I offer the above in the spirit of constructive criticism, and hope that it will help the developers understand the issue from the user's point of view. If I possessed the skill set to write the aforementioned server-manager panel, I'd do so. Unfortunately, programming's not my forte.

jerryh

Impossible password policy
« Reply #12 on: December 27, 2005, 04:31:33 PM »
I've just installed SME Server 7 Beta9.

The password criteria on Beta 8 were stringent, but a reasonable balance between security and ease of use.
On Beta9 they must include non-alphanumeric and both upper and lower case, which could be seen to be over the top in some instances.

There is a fundamental flaw in this "high level" criteria on user passwords.
It does not apply to the administration password, none of the extra requirements introduced in beta 9 apply to the admin password, kinda defeating the argument.

I would suggest it has now reached the point where in many systems there is a greater risk of a security breach caused by a user writing down a complicated password than somebody cracking a simpler one.

It should be down to the system administrator setting password criteria appropriate to the situation.

Rant over    :pint:  :pint:

jerryh

Impossible password policy
« Reply #13 on: December 27, 2005, 05:04:08 PM »
Hope my rant didn't upset anybody, on re-reading it came across as a bit abrupt, it might have something to do with the fact that I re-installed SME7, changed all the passwords and now nobody can access the ibays from the local network. However I do think the developers are doing a great job.
On checking out
Quote from: "RonM"
There's an explanation from Gordon about it here:
 etc.
I'm not sure if the admin password, being weaker than "normal", i.e. not including upper case or special char, is a bug or not, should I report it?

calisun
Impossible password policy
« Reply #14 on: December 27, 2005, 08:51:40 PM »
jerryh, your rant is understandable, this topic has been brought up many times before, but it seems like developers are not willing to see it through regular office users' eyes. Don't get me wrong, I believe developers are doing a great job, but regular office users are not computer experts. If they try to use a password they were able to use in the past, and they get an error message, they freak out. That creates hard feelings between office and IT department. Even office managers stand behind their employees, making the IT department look bad, even if the IT department can't do anything about it.
I am not saying to eliminate password checking, but I am sure there is a middle ground between security and user friendliness.

see: (DON'T POST REPLY ON SOURCEFORGE BUG LIST, IT IS CLOSED)

http://sourceforge.net/tracker/index.php?func=detail&aid=1281535&group_id=96750&atid=615772
or
http://bugs.contribs.org/show_bug.cgi?id=161
or
http://forums.contribs.org/index.php?topic=30037.0
or
http://bugs.contribs.org/show_bug.cgi?id=34
SME user and community member since 2005.
Want to install Wordpress in iBay of SME Server?
See my step-by-step How-To wiki here:
http://wiki.contribs.org/Wordpress_Multisite