Koozali.org: home of the SME Server

Impossible password policy

yehaah

Impossible password policy
« on: December 09, 2005, 01:08:59 PM »
I've just installed SME Server 7 Beta8

Wow, you have sure made a lot of brilliant improvements!

There is one big problem though...

...password security!

Yes, it's an important thing, but in this case it's almost hysterical.

I had to try at least 6 passwords before finding one that it would accept, and even passwords like "icfabptw" (I Can't Find A Bloody Password That Works) were marked as not secure enough.

Password security is important, but I'm afraid that this will kill off a lot of usability.

If I install 7b8 on our mailserver with 900+ addresses, and set people to change a password to one "of their own choice", I'd be lynched.
After helping them all to create a password they can't remember, I'd have to hire a man full time, resetting forgotten passwords.

Can this function be switched off, or can it be reduced to only demand 6 words that aren't in a dictionary?
Everything more than this will kill any possibility of getting acceptance from my users (and probably a few other admin users).

byte
Impossible password policy
« Reply #1 on: December 09, 2005, 01:38:39 PM »
Added to my notes from a post done here a couple of weeks ago on "Relax Password Strength"...

/sbin/e-smith/db configuration setprop passwordstrength Users none

/sbin/e-smith/db configuration setprop passwordstrength Admin none

/sbin/e-smith/db configuration setprop passwordstrength Ibays none
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

yehaah

Impossible password policy
« Reply #2 on: December 10, 2005, 09:56:06 AM »
Quote from: "byte"
Added to my notes from a post done here a couple of weeks ago on "Relax Password Strength"...

I'm glad that I'm not the only one that sees this as a problem.

Quote from: "byte"

/sbin/e-smith/db configuration setprop passwordstrength Users none

/sbin/e-smith/db configuration setprop passwordstrength Admin none

/sbin/e-smith/db configuration setprop passwordstrength Ibays none


Is this something I can use, if so how?


Sorry about the double post. The long time span between them is strange???

RonM

Impossible password policy
« Reply #3 on: December 11, 2005, 08:02:36 AM »
1cf@BPtw would have worked fine ;-)

Personally, if I was found to have ever given a single user a weak password that worked, I would not only be fired, I'd be escorted to my car while someone examined my things to see what I'd be allowed to take home. Fortunately, it would be nearly impossible to do.

Giving SME users access with a weak or nonexistent password is one thing (and risky enough), but allowing root or admin access in a commercial setting with any less than the strongest security possible is a dereliction of duty IMO. We have recently seen a couple of instances where weak admin passwords have been guessed by someone out on the net, who proceeded to compromise the server/gateway.

I would advise you to make up a few scenarios of potential compromises (from within and without) together with an estimate of what each would cost. Don't neglect "opportunity costs" (the money they would have made) if applicable. Share these scenarios with the owners or senior managers of your org.

If they don't care, fine: it's their money. Most people will care, though. And when the bosses really care, and show it, you'll see that almost all workers are suddenly quite able to remember their passwords, and can deal with making strong ones. They are not complete idiots. Of course they'll still do stuff like tape the passwords on their monitors, or forget them every 3-day weekend, but you can work with that.

At least you would be working on securing your environment. When the compromise happens, you won't find yourself standing there saying "It was too hard to get them to accept strong passwords, so I didn't even try". :-(

Good Luck!
RonM

yehaah

Impossible password policy
« Reply #4 on: December 12, 2005, 10:11:41 AM »
Thank you for the warning. I agree with you, passwords should not be too weak, and especially admin/root.

But the password security in 7b8 is higher than my users can accept.

How do I change the settings to normal with those lines above?

Do I enter them as root, or do I need to add them to a file somewhere?

yehaah

Impossible password policy
« Reply #5 on: December 12, 2005, 10:49:30 AM »
On http://smeserver.sourceforge.net/sme70/FAQs?v=1d5g

They give two possibilities:

Quote
Users are complaining the password strength checking is too strong. How do I change it?
First a warning – Far too many systems out there have weak passwords and they *will* be broken into. Educating your users on the necessity of strong passwords is the best option. If that fails, here is how you change the password strength checking from 'strong' to 'normal', which was the setting in previous versions of SME. Be careful to use the exact capitalization.

*config setprop passwordstrength Users normal
*config setprop passwordstrength Ibays normal

It is also possible, but strongly discouraged, to disable password strength checking:

*config setprop passwordstrength Users none
*config setprop passwordstrength Ibays none

This issue was first reported here:
https://sourceforge.net/tracker/?func=detail&atid=615772&&aid=1228269&group_id=96750


I'd prefer the normal strength compared to the hysterical one.

But how do I change them?

byte
Impossible password policy
« Reply #6 on: December 12, 2005, 11:07:41 AM »
At the command line, type them as you see them, so for example...

/sbin/e-smith/db configuration setprop passwordstrength Users normal

Hit return at the end of the line and that change has now been done.

yehaah

Impossible password policy
« Reply #7 on: December 12, 2005, 12:10:12 PM »
Thank you.

I did as you asked, but it still complains:

Quote
The password you provided was not a good password. A good password must contain all of the following: upper case letter, lower case letter, number, non-alphanumeric character, be at least 7 characters long.


Isn't that still higher demands than those on 6.0.0-1?

I've rebooted to be sure that that wasn't needed but without any difference.

yehaah

Impossible password policy
« Reply #8 on: December 12, 2005, 12:12:34 PM »
Yup, it still won't accept those passwords that I can use in 6.0.1-01

Any ideas anyone?

yehaah

Impossible password policy
« Reply #9 on: December 12, 2005, 12:40:21 PM »
ROFL! :lol:

I have just tried all 3 possibilities to see if the reason was that there was no difference between them.

There is.
No password worked (in the 2 seconds it took to test and change it back to normal).

The funny bit is that it's easier to make a password in "Strong" mode than in "normal".

An example is "ohnonotagain" passes strong, but not normal :o)

At least 7 digits, that are uppercase AND lowercase AND non-alphanumerical AND numbers, is too much, but that is what it demands in normal mode.

RonM

Impossible password policy
« Reply #10 on: December 12, 2005, 07:48:43 PM »

ejfowler

Impossible password policy
« Reply #11 on: December 27, 2005, 02:41:38 AM »
It appears the 'normal' rules are stronger in most ways than the 'strong' rules. Of the three available levels, the only one most of my clients will be willing to follow is 'none', despite the obvious risks.  

Is there a way to adjust the 'normal' policy to something a little less stringent? Finer-grained control would be helpful.  

How about adding a server-manager panel that allows the administrator to build a password policy based on available security features such as length, case, punctuation, numerals, dictionary cross-reference, etc? Also, an expiration policy with enforced password changes would be useful when the server is used as a domain controller.  

I offer the above in the spirit of constructive criticism, and hope that it will help the developers understand the issue from the user's point of view. If I possessed the skill set to write the aforementioned server-manager panel, I'd do so. Unfortunately, programming's not my forte.

jerryh

Impossible password policy
« Reply #12 on: December 27, 2005, 04:31:33 PM »
I've just installed SME Server 7 Beta9.

The password criteria on Beta 8 were stringent, but a reasonable balance between security and ease of use.
On Beta9 they must include non-alphanumeric and both upper and lower case, which could be seen to be over the top in some instances.

There is a fundamental flaw in this "high level" criteria on user passwords.
It does not apply to the administration password; none of the extra requirements introduced in beta 9 apply to the admin password, kinda defeating the argument.

I would suggest it has now reached the point where in many systems there is a greater risk of a security breach caused by a user writing down a complicated password than somebody cracking a simpler one.

It should be down to the system administrator setting password criteria appropriate to the situation.

Rant over    :pint:  :pint:

jerryh

Impossible password policy
« Reply #13 on: December 27, 2005, 05:04:08 PM »
Hope my rant didn't upset anybody, on re-reading it came across as a bit abrupt, it might have something to do with the fact that I re-installed SME7, changed all the passwords and now nobody can access the ibays from the local network. However I do think the developers are doing a great job.
On checking out
Quote from: "RonM"
There's an explanation from Gordon about it here:
 etc.
I'm not sure if the admin password, being weaker than "normal", ie not including upper case or special char, is a bug or not. Should I report it?

calisun
Impossible password policy
« Reply #14 on: December 27, 2005, 08:51:40 PM »
jerryh, your rant is understandable, this topic has been brought up many times before, but it seems like developers are not willing to see it through regular office users' eyes. Don't get me wrong, I believe developers are doing a great job, but regular office users are not computer experts. If they try to use a password they were able to use in the past, and they get an error message, they freak out. That creates hard feelings between the office and the IT department. Even office managers stand behind their employees, making the IT department look bad, even if the IT department can't do anything about it.
I am not saying to eliminate password checking, but I am sure there is a middle ground between security and user friendliness.

see: (DON'T POST A REPLY ON THE SOURCEFORGE BUG LIST, IT IS CLOSED)

http://sourceforge.net/tracker/index.php?func=detail&aid=1281535&group_id=96750&atid=615772
or
http://bugs.contribs.org/show_bug.cgi?id=161
or
http://forums.contribs.org/index.php?topic=30037.0
or
http://bugs.contribs.org/show_bug.cgi?id=34
SME user and community member since 2005.
Want to install Wordpress in iBay of SME Server?
See my step-by-step How-To wiki here:
http://wiki.contribs.org/Wordpress_Multisite

yehaah

Impossible password policy
« Reply #15 on: December 27, 2005, 11:03:06 PM »
How about adding the possibility "weak" to "none", "normal" and "strong".

"weak" could be the same password policy that is found in SME 6.0.1-01, and the word "weak" gives a signal to admins that they are doing it at their own risk, and that you don't advise it.

I'm afraid that the other model, will end with +50% of future SME boxes ending up with "none" as the admins choice.

calisun
Impossible password policy
« Reply #16 on: December 28, 2005, 07:06:12 PM »
Good idea yehaah, adding a "weak" category is much better than choosing none  :idea: .
We never had any problems in the past with SME 6 password security.
I have never heard of anyone's SME box getting hacked from a weak password. I have heard of boxes getting hacked because of modifications people did to their SME box  :hammer: , but not passwords.

And in the past I had people tell me that if we allow weak passwords, cracking software can find password very quickly.
Like I mentioned here before, some sort of "time out" feature would foil any cracking software  :hammer: . If a person enters a password wrong 3 times in a row, have their account "time out" for 30, 60 or 90 seconds  8-) .
And no, I have no idea how to implement that  :-( , but I have seen it in action before. I believe that this can be implemented through PAM, which I believe is already part of SME.

http://www.linuxgeek.net/index.pl/authentication

gordonr
Impossible password policy
« Reply #17 on: December 28, 2005, 10:33:12 PM »
Quote from: "calisun"
jerryh, your rant is understandable, this topic has been brought up many times before, but it seems like developers are not willing to see it through regular office users eyes.


I realise some people are finding the password policy too strong, but the developers are also on the security team, and we get to see the after-effects of people choosing "network", "password" and "111111" as passwords :-(

Quote from: "calisun"

Don't get me wrong, I believe developers are doing great job, but regular office users are not computer experts. If they try to use password they were able to use in the past, and they get an error message, they freak out. That creates hard feelings between office and IT department. Even office managers stand behind their emplayees, making IT department look bad, even if IT department can't do anything about it.
I am not saying to eliminate password checking, but I am sure there is a middle ground between security and user friendliness.


We are talking about the default password policy. We have provided simple instructions for changing that default. That can and should be in the FAQ. The IT and office managers who want weaker passwords can choose to have them. It is then a conscious act to reduce security - we as developers need to apply "best practice".

There is also a bug raised for adding a toggle to the server manager:

http://bugs.contribs.org/show_bug.cgi?id=34

If someone would like to provide patches to implement that bug, we'd be happy to look at them. But it is not the highest priority development task. If we didn't provide a method to change the default, that would be higher on the list. But not having it in the server-manager isn't as important as smooth backup/restore, MySQL upgrades, etc.

Here's one way to generate passwords. I tend to use this and then save them in the client setups (e.g. Thunderbird IMAP settings). The system has strong passwords and the user never needs to deal with them (obviously this is an issue for webmail):

Code:
#!/usr/bin/perl -w
use strict;
use MIME::Base64;

# Read 40 bytes from the kernel's random device (blocks until enough entropy is available)
open my $random_fh, '<', '/dev/random' or die "cannot open /dev/random: $!";
binmode $random_fh;

my $random;
read $random_fh, $random, 40 or die "short read from /dev/random: $!";
close $random_fh;

# Base64-encode the bytes; the printable result is the generated password
print encode_base64($random);

gordonr
Impossible password policy
« Reply #18 on: December 28, 2005, 10:38:39 PM »
Quote from: "yehaah"

The funny bit is that it's easier to make a password in "Strong" mode than in "normal".

An example is "ohnonotagain" passes strong, but not normal :o)

At least 7 digits, that are uppercase AND lowercase AND non-alphanumerical AND numbers, is too much, but that is what it demands in normal mode.


That bug has been fixed in beta9:

http://bugs.contribs.org/show_bug.cgi?id=161

The bug tracker is the place to raise this sort of issue - strong should be stronger than normal, and it now is.

gordonr
Impossible password policy
« Reply #19 on: December 28, 2005, 10:42:12 PM »
Quote from: "calisun"
Good idea yehaah, adding a "weak" category is much better than choosing none  :idea: .

What would "weak" enforce that "none" doesn't? You might as well not have passwords at all if you're using things like "abc" - they take moments for cracking tools to find. BTW: I agree that the name "weak" may be clearer, but I'm not in favour of adding extra support for trivial passwords.
Quote from: "calisun"

We never had any problems in the past with SME 6 password security.
I have never heard of anyone's SME box getting hacked from a weak password. I have heard of boxes getting hacked because of modifications people did to their SME box  :hammer: , but not passwords.

I've seen quite a few over the years - turn on ssh with a weak password and wait.

gordonr
Impossible password policy
« Reply #20 on: December 28, 2005, 10:54:55 PM »
Quote from: "jerryh"
Hope my rant didn't upset anybody, on re-reading it came across as a bit abrupt, it might have something to do with the fact that I re-installed SME7, changed all the passwords and now nobody can access the ibays from the local network. However I do think the developers are doing a great job.

I can't speak for anyone else, but I'm not upset at all. We're trying to do the best we can with limited resources, which is why things like adding options to the server-manager might fall behind adding the base support for the feature.
Quote from: "jerryh"

I'm not sure if the admin password, being weaker than "normal", ie not including upper case or special char, is a bug or not. Should I report it?

I reported it a few days ago (before I saw this posting):
http://bugs.contribs.org/show_bug.cgi?id=335

See also this bug, with some discussion about why it can  be useful to have a weak admin password during the setup phase:
http://bugs.contribs.org/show_bug.cgi?id=155

Yes, please report all issues to the bug tracker. It's really easy for us to close off non-issues or duplicate reports together. But searching through postings to find issues takes time.

gordonr
Re: Impossible password policy
« Reply #21 on: December 28, 2005, 11:06:11 PM »
Quote from: "yehaah"

I had to try at least 6 passwords before finding one that it would accept, and even passwords like "icfabptw" (I Can't Find A Bloody Password That Works) were marked as not secure enough.


For the record, the "password mantra" I have used in teaching for over 10 years is:

Upper AND lower case AND digits AND special characters AND seven or more characters

calisun
Impossible password policy
« Reply #22 on: December 29, 2005, 03:48:18 AM »
gordonr wrote:
"You might as well not have passwords at all if you're using things like "abc" - they take moments for cracking tools to find."
"...turn on ssh with a weak password and wait."

I agree with you there, a lot of people don't use common sense when they choose passwords. They are either too lazy or too stuck in their ways to change.  :-o
But you must admit that even if you have the world's strongest password, that it would take 100 years for cracking tools to hack, just the fact that someone keeps knocking on your door is not very nice, but it also takes up bandwidth and server resources.  :-x

That is why I would love to see account "time out". Enter a password wrong 3 times in a row, and the account "times out" for 90 seconds. No chance for cracking software to find passwords.  :hammer:
This is not a new idea, I have seen this implemented in many places. Some places suspend the account, so you have to call the admin to issue a new password. And some places have account "time out". I like "time out" better since it makes the admin's life easier.  8-)

And if you really want to throw off hackers, have the "time out" period different each time, so they can't calibrate their software for the "time out" if each "time out" will be a different length  :pint:
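The account "time out" proposed above, modelled as a small in-memory throttle (an added example, not SME Server code): after three consecutive failures the account is locked for a random interval between 30 and 90 seconds, and the password is not even checked while the lock is in force. The `LoginThrottle` class, the account name "alice" and the sample credential are all constructed for the example.

```python
import random
import time


class LoginThrottle:
    """Model of the account 'time out' discussed in the thread (constructed
    example, not SME Server code): after `threshold` consecutive failures an
    account is locked for a random interval so the delay cannot be tuned around."""

    def __init__(self, threshold=3, min_lock=30.0, max_lock=90.0,
                 clock=time.monotonic, rng=None):
        self.threshold = threshold
        self.min_lock = min_lock
        self.max_lock = max_lock
        self._clock = clock
        self._rng = rng or random.SystemRandom()
        self._failures = {}      # account -> consecutive failure count
        self._locked_until = {}  # account -> clock value when the lock expires

    def seconds_locked(self, account):
        remaining = self._locked_until.get(account, 0.0) - self._clock()
        return max(0.0, remaining)

    def attempt(self, account, verify):
        """Attempt a login. `verify` is a zero-argument callable that checks the
        credential; it is never called while the account is locked, so a guesser
        gets no signal about the password during the lockout."""
        remaining = self.seconds_locked(account)
        if remaining > 0:
            return False, f"locked: retry in {remaining:.0f}s"
        if verify():
            self._failures.pop(account, None)
            return True, "ok"
        count = self._failures.get(account, 0) + 1
        if count < self.threshold:
            self._failures[account] = count
            return False, f"bad password ({count}/{self.threshold})"
        # Threshold reached: reset the counter and start a randomised lockout.
        # Note: keying the lock on the account name alone lets anyone lock a user
        # out with three wrong guesses; a real deployment would also key on source.
        self._failures.pop(account, None)
        lock = self._rng.uniform(self.min_lock, self.max_lock)
        self._locked_until[account] = self._clock() + lock
        return False, f"too many failures: locked for {lock:.0f}s"


def demo():
    """Deterministic walk-through with a fake clock: three bad guesses lock the
    account, the correct password is refused while locked, and it succeeds once
    the longest possible lockout has elapsed. Returns the (allowed, message) list."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0], rng=random.Random(2005))
    real = "R@in2day"  # constructed sample credential
    results = []
    for guess in ("password", "111111", "network"):  # weak picks named in the thread
        results.append(throttle.attempt("alice", lambda: guess == real))
    results.append(throttle.attempt("alice", lambda: True))  # correct, but locked
    now[0] += throttle.max_lock                               # wait out the longest lock
    results.append(throttle.attempt("alice", lambda: True))  # now accepted
    return results


if __name__ == "__main__":
    for allowed, message in demo():
        print("allowed" if allowed else "refused", "-", message)
```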

gordonr
Impossible password policy
« Reply #23 on: December 29, 2005, 06:22:42 AM »
Quote from: "calisun"

That is why I would love to see account "time out". Enter a password wrong 3 times in a row, and the account "times out" for 90 seconds. No chance for cracking software to find passwords.  :hammer:

Sure - please raise it in the bug tracker. It's actually tricky, and may not be possible, as there are many places where passwords are entered, and not all of them provide the opportunity for any feedback.

calisun
Impossible password policy
« Reply #24 on: December 30, 2005, 01:40:43 AM »
Gordonr, are we not using PAM for authentication? If not, WHY NOT? I thought Red Hat uses PAM.
If we used PAM, people would be able to configure their systems to their liking without you having to listen to all these gripes about passwords. Plus with PAM, you make changes only in PAM modules, and everything is changed.

http://bartleby.omrf.org/doc/libpam-doc/sgml/pam.sgml.gz

PAM has many nice modules/features: you can force password expiration, you can limit how long a user is signed on (per day, week, etc), you can also limit how many processes a user can run, plus much, much more.

gordonr
Impossible password policy
« Reply #25 on: December 30, 2005, 02:02:08 AM »
Quote from: "calisun"
Gordonr, are we not using PAM for authentication? If not, WHY NOT? I thought Red Hat uses PAM.

We are. However, getting the right configuration of PAM modules to work with Apache, Appletalk, Samba, SSH, FTP, etc. may not be as trivial as it seems. To the bug tracker, please.

ejfowler

Impossible password policy
« Reply #26 on: December 30, 2005, 03:52:37 AM »
Part of the trouble is that not everyone installing SME is an accomplished linux sysadmin. The development team has done such a good job that a trained monkey could install SME 7 on most hardware. :-D

That's a great thing, until a newbie admin tries to set up a weak user password, like they used for the admin password during setup. When they do, they get an error explaining the password criteria. So they provide a password that has a mix of uppercase, lower case, numeric and punctuation characters. I used "Amanda1!" as a test case. And I received another error telling me my password was based on a dictionary word. :-?

About this time, our hypothetical newbie admin is thoroughly frustrated, and ditches SME in favor of whatever Microsoft product they're familiar with. :-(
Or worse yet, they stay with SME, but forget to reset the weak admin password they supplied at installation, so they get rooted by script kiddies, and wind up ditching Linux in favor of the "more secure" Windows platform. :cry:

I'm still of the opinion that there should be a password policy page in the panel, and that it should include an option for enforced password change intervals. This would help mitigate the risk of establishing a weak admin password during installation that never expires. And if I could write the code myself, I would.

gordonr
Impossible password policy
« Reply #27 on: December 30, 2005, 12:19:33 PM »
Quote from: "ejfowler"

I'm still of the opinion that there should be a password policy page in the panel, and that it should include an option for enforced password change intervals. This would help mitigate the risk of establishing a weak admin password during installation that never expires. And if I could write the code myself, I would.

You are not the only one with this opinion, and I raised it as a bug some time back. What we're lacking is the resources to implement all of the good suggestions. If there are things which are not currently in the bug tracker, please raise them.

As I stated above, ensuring that MySQL upgrades work smoothly comes above providing a server-manager interface for something which can be changed with one command.

The other issues are also referenced above, with links to the bugs which are tracking those items.

Ronicus

Impossible password policy
« Reply #28 on: February 12, 2006, 01:00:32 PM »
Although some say the root user should have the same password rules applied to them, I say that administrators are more aware of the implications of a compromised password and have calculated the risk before entering a less strong password (not to be confused with a weak password).

Tillebeck
Impossible password policy
« Reply #29 on: February 12, 2006, 11:25:24 PM »
I am used to a standard corporate Windows secure password policy saying that of upper case, lower case, special characters and numbers at least three must be present, and the password must be at least 6 characters long. It is not far from being the same as the default password security setting in SME7, but allows much more friendly passwords.

The easiest passwords would then be: Rain2day, Nice2have, Gift4you etc. etc.

In the SME7 environment they would be: R@in2day, Nice2h@ve or N!ce2have and G!ft4you.

That would be a good compromise for the "weak" password setting: still demand at least three of the four kinds of input, and standard corporate Windows users will not have to change the password policy (that I know of).

 --
I have earlier used 5.6 and am now using 6.0.1 with smeplus.sh. It is excellent! I am really looking forward to getting to use SME7 in production as well :-)
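A checker that reproduces the rule set quoted from the beta's error message earlier in the thread (upper case, lower case, number, non-alphanumeric character, at least 7 characters) and, via `min_classes=3`, the three-of-four corporate Windows policy described just above, run over the passwords the thread mentions. This is an added example, not SME Server's own checking code; the `CLASS_TESTS`, `SAMPLE_WORDLIST` and the dictionary test (strip non-letters, compare case-insensitively) are assumptions standing in for the real implementation.

```python
import re
import string

# Character classes named in the SME 7 beta "normal" message quoted in the thread.
CLASS_TESTS = (
    ("upper case letter", str.isupper),
    ("lower case letter", str.islower),
    ("number", str.isdigit),
    ("non-alphanumeric character", lambda c: c in string.punctuation),
)

# Constructed miniature wordlist standing in for the real dictionary check;
# the thread reports "Amanda1!" being rejected as based on a dictionary word.
SAMPLE_WORDLIST = frozenset({"amanda", "password", "network", "again"})


def check_password(pw, min_classes=4, min_length=7, wordlist=SAMPLE_WORDLIST):
    """Return the list of rules the password breaks (empty list = accepted).

    min_classes=4 reproduces the quoted SME 7 beta 'normal' rule (all four
    classes); min_classes=3 models the three-of-four corporate Windows policy
    described in the thread. The dictionary test is an assumption: strip
    everything but letters and compare case-insensitively against the wordlist."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"be at least {min_length} characters long")
    missing = [name for name, test in CLASS_TESTS if not any(test(c) for c in pw)]
    if len(CLASS_TESTS) - len(missing) < min_classes:
        problems.append(f"contain at least {min_classes} of the 4 character classes "
                        f"(missing: {', '.join(missing)})")
    core = re.sub(r"[^A-Za-z]", "", pw).lower()
    if core in wordlist:
        problems.append("not be based on a dictionary word")
    return problems


def compare_policies(passwords):
    """Evaluate each password under the 4-of-4 and 3-of-4 policies; returns
    {password: (accepted_4of4, accepted_3of4)}."""
    return {pw: (not check_password(pw, 4), not check_password(pw, 3)) for pw in passwords}


if __name__ == "__main__":
    # Passwords discussed in the thread (constructed test input, not real credentials).
    samples = ["icfabptw", "1cf@BPtw", "ohnonotagain", "Amanda1!",
               "Rain2day", "R@in2day", "111111"]
    for pw, (strict, relaxed) in compare_policies(samples).items():
        print(f"{pw:14} 4-of-4: {'ok' if strict else 'rejected':9}"
              f" 3-of-4: {'ok' if relaxed else 'rejected'}")
```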

dscarbrough

Case where password policy is ridiculous
« Reply #30 on: October 27, 2006, 08:41:39 PM »
I have tens of clients with ibays that 1.) are not terribly tech-savvy and 2.) have little time for the frustration of mind-bending passwords. I prefer SME 6.01 where I could set up ibays for them to review media with a simple "login=myibayname" and "pwd='clientview'". Secure enough for a constantly changing ibay, I say.