Koozali.org: home of the SME Server

Impossible password policy

yehaah

Impossible password policy
« Reply #15 on: December 27, 2005, 11:03:06 PM »
How about adding the possibility "weak" to "none", "normal" and "strong".

"weak" could be the same password policy that is found in SME 6.0.1-01, and the word "weak" gives a signal to admins that they are doing it at their own risk, and that you don't advise it.

I'm afraid that the other model will end with +50% of future SME boxes ending up with "none" as the admin's choice.

calisun
Impossible password policy
« Reply #16 on: December 28, 2005, 07:06:12 PM »
Good idea yehaah, adding a "weak" category is much better than choosing none :idea: .
We never had any problems in the past with SME 6 password security.
I have never heard of anyone's SME box getting hacked from a weak password. I have heard of boxes getting hacked because of modifications people did to their SME box :hammer: , but not passwords.

And in the past I had people tell me that if we allow weak passwords, cracking software can find the password very quickly.
Like I mentioned here before, some sort of "time out" feature would foil any cracking software :hammer: . If a person enters the password wrong 3 times in a row, have their account "time out" for 30, 60 or 90 seconds 8-) .
And no, I have no idea how to implement that :-( , but I have seen it in action before. I believe that this can be implemented through PAM, which I believe is already part of SME.

http://www.linuxgeek.net/index.pl/authentication
SME user and community member since 2005.
Want to install Wordpress in iBay of SME Server?
See my step-by-step How-To wiki here:
http://wiki.contribs.org/Wordpress_Multisite

gordonr
Impossible password policy
« Reply #17 on: December 28, 2005, 10:33:12 PM »
Quote from: "calisun"
jerryh, your rant is understandable, this topic has been brought up many times before, but it seems like developers are not willing to see it through regular office users eyes.


I realise some people are finding the password policy too strong, but the developers are also on the security team, and we get to see the after-effects of people choosing "network", "password" and "111111" as passwords :-(

Quote from: "calisun"

Don't get me wrong, I believe the developers are doing a great job, but regular office users are not computer experts. If they try to use a password they were able to use in the past, and they get an error message, they freak out. That creates hard feelings between the office and the IT department. Even office managers stand behind their employees, making the IT department look bad, even if the IT department can't do anything about it.
I am not saying to eliminate password checking, but I am sure there is a middle ground between security and user friendliness.


We are talking about the default password policy. We have provided simple instructions for changing that default. That can and should be in the FAQ. The IT and office managers who want weaker passwords can choose to have them. It is then a conscious act to reduce security - we as developers need to apply "best practice".

There is also a bug raised for adding a toggle to the server manager:

http://bugs.contribs.org/show_bug.cgi?id=34

If someone would like to provide patches to implement that bug, we'd be happy to look at them. But it is not the highest priority development task. If we didn't provide a method to change the default, that would be higher on the list. But not having it in the server-manager isn't as important as smooth backup/restore, MySQL upgrades, etc.

Here's one way to generate passwords. I tend to use this and then save them in the client setups (e.g. Thunderbird IMAP settings). The system has strong passwords and the user never needs to deal with them (obviously this is an issue for webmail):

Code:
#!/usr/bin/perl -w
use strict;
use MIME::Base64;

# Read 40 bytes from the kernel's random device; fail loudly if it is missing
open my $random_fh, '<', '/dev/random' or die "Cannot open /dev/random: $!";
binmode $random_fh;

my $random;
my $got = read $random_fh, $random, 40;
die "Short read from /dev/random" unless defined $got and $got == 40;
close $random_fh;

# Base64 turns the raw bytes into a printable password of mixed case, digits, '+' and '/'
print encode_base64($random);

gordonr
Impossible password policy
« Reply #18 on: December 28, 2005, 10:38:39 PM »
Quote from: "yehaah"

The funny bit is that it's easier to make a password in "Strong" mode than in "normal".

An example is "ohnonotagain" passes strong, but not normal :o)

At least 7 digits, that are uppercase AND lowercase AND non-alphanumerical AND numbers, is too much, but that is what it demands in normal mode.


That bug has been fixed in beta9:

http://bugs.contribs.org/show_bug.cgi?id=161

The bug tracker is the place to raise this sort of issue - strong should be stronger than normal, and it now is.

gordonr
Impossible password policy
« Reply #19 on: December 28, 2005, 10:42:12 PM »
Quote from: "calisun"
Good idea yehaah, adding a "weak" category is much better than choosing none  :idea: .

What would "weak" enforce that "none" doesn't? You might as well not have passwords at all if you're using things like "abc" - they take moments for cracking tools to find. BTW: I agree that the name "weak" may be clearer, but I'm not in favour of adding extra support for trivial passwords.
Quote from: "calisun"

We never had any problems in the past with SME 6 password security.
I have never heard of anyone's SME box getting hacked from a weak password. I have heard of boxes getting hacked because of modifications people did to their SME box :hammer: , but not passwords.

I've seen quite a few over the years - turn on ssh with a weak password and wait.

gordonr
Impossible password policy
« Reply #20 on: December 28, 2005, 10:54:55 PM »
Quote from: "jerryh"
Hope my rant didn't upset anybody, on re-reading it came across as a bit abrupt, it might have something to do with the fact that I re-installed SME7, changed all the passwords and now nobody can access the ibays from the local network. However I do think the developers are doing a great job.

I can't speak for anyone else, but I'm not upset at all. We're trying to do the best we can with limited resources, which is why things like adding options to the server-manager might fall behind adding the base support for the feature.
Quote from: "jerryh"

I'm not sure if the admin password being weaker than "normal", i.e. not including upper case or special characters, is a bug or not; should I report it?

I reported it a few days ago (before I saw this posting):
http://bugs.contribs.org/show_bug.cgi?id=335

See also this bug, with some discussion about why it can be useful to have a weak admin password during the setup phase:
http://bugs.contribs.org/show_bug.cgi?id=155

Yes, please report all issues to the bug tracker. It's really easy for us to close off non-issues or duplicate reports together. But searching through postings to find issues takes time.

gordonr
Re: Impossible password policy
« Reply #21 on: December 28, 2005, 11:06:11 PM »
Quote from: "yehaah"

I had to try at least 6 passwords before finding one that it would accept, and even passwords like "icfabptw" (I Can't Find A Bloody Password That Works) were marked as not secure enough.


For the record, the "password mantra" I have used in teaching for over 10 years is:

Upper AND lower case AND digits AND special characters AND seven or more characters

calisun
Impossible password policy
« Reply #22 on: December 29, 2005, 03:48:18 AM »
gordonr wrote:
"You might as well not have passwords at all if you're using things like "abc" - they take moments for cracking tools to find."
"...turn on ssh with a weak password and wait."

I agree with you there, a lot of people don't use common sense when they choose passwords. They are either too lazy or too stuck in their ways to change. :-o
But you must admit that even if you have the world's strongest password, one that would take 100 years for cracking tools to hack, just the fact that someone keeps knocking on your door is not very nice, but it also takes up bandwidth and server resources. :-x

That is why I would love to see account "time out". Enter the password wrong 3 times in a row, and the account "times out" for 90 seconds. No chance for cracking software to find passwords. :hammer:
This is not a new idea, I have seen this implemented in many places. Some places suspend the account, so you have to call the admin to issue a new password. And some places have account "time out". I like "time out" better since it makes the admin's life easier. 8-)

And if you really want to throw off hackers, have the "time out" period different each time, so they can't calibrate their software for the "time out" if each "time out" is a different length :pint:

gordonr
Impossible password policy
« Reply #23 on: December 29, 2005, 06:22:42 AM »
Quote from: "calisun"

That is why I would love to see account "time out". Enter the password wrong 3 times in a row, and the account "times out" for 90 seconds. No chance for cracking software to find passwords. :hammer:

Sure - please raise it in the bug tracker. It's actually tricky, and may not be possible, as there are many places where passwords are entered, and not all of them provide the opportunity for any feedback.
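The "time out" proposed in Reply #22 and #23, written out as an added illustration (not SME Server's or PAM's implementation): three wrong passwords in a row time the account out for a random length between 30 and 90 seconds, and the clock is injectable so the behaviour can be exercised without waiting. It also shows the caveat gordonr's reply points at: while the timeout runs, even the correct password is refused, so guessing against an account locks its legitimate owner out as well.

```python
import random
import time


class LoginThrottle:
    """Per-account 'time out': after max_failures wrong passwords in a row the
    account is timed out for a random length between lock_min and lock_max
    seconds, so a guessing tool cannot calibrate itself to a fixed delay.
    Constructed example; assumes the caller has already checked the password."""

    def __init__(self, max_failures=3, lock_min=30, lock_max=90,
                 clock=time.monotonic, rng=None):
        self.max_failures = max_failures
        self.lock_min, self.lock_max = lock_min, lock_max
        self.clock = clock                       # injectable for testing
        self.rng = rng or random.SystemRandom()  # CSPRNG picks the timeout length
        self.failures = {}      # account -> consecutive wrong passwords
        self.locked_until = {}  # account -> clock reading when the timeout ends

    def seconds_locked(self, account):
        """Remaining timeout for the account; 0 when it may try again."""
        return max(0.0, self.locked_until.get(account, 0.0) - self.clock())

    def attempt(self, account, password_ok):
        """Record one login attempt and return whether it is accepted.
        password_ok is the result of the real credential check."""
        if self.seconds_locked(account) > 0:
            # Timed out: refuse even a correct password. This is the cost of
            # the scheme: a stranger's guessing locks the real user out too.
            return False
        if password_ok:
            self.failures.pop(account, None)   # success resets the counter
            return True
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_failures:
            self.failures[account] = 0
            self.locked_until[account] = (
                self.clock() + self.rng.uniform(self.lock_min, self.lock_max))
        return False
```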

calisun
Impossible password policy
« Reply #24 on: December 30, 2005, 01:40:43 AM »
Gordonr, are we not using PAM for authentication? If not, WHY NOT? I thought Red Hat uses PAM.
If we used PAM, people would be able to configure their systems to their liking without you having to listen to all these gripes about passwords. Plus with PAM, you make changes only in PAM modules, and everything is changed.

http://bartleby.omrf.org/doc/libpam-doc/sgml/pam.sgml.gz

PAM has many nice modules/features: you can force password expiration, you can limit how long a user is signed on (per day, week, etc.), you can also limit how many processes a user can run, plus much, much more.

gordonr
Impossible password policy
« Reply #25 on: December 30, 2005, 02:02:08 AM »
Quote from: "calisun"
Gordonr, are we not using PAM for authentication? If not, WHY NOT? I thought Red Hat uses PAM.

We are. However, getting the right configuration of PAM modules to work with Apache, Appletalk, Samba, SSH, FTP, etc. may not be as trivial as it seems. To the bug tracker, please.

ejfowler

Impossible password policy
« Reply #26 on: December 30, 2005, 03:52:37 AM »
Part of the trouble is that not everyone installing SME is an accomplished Linux sysadmin. The development team has done such a good job that a trained monkey could install SME 7 on most hardware. :-D

That's a great thing, until a newbie admin tries to set up a weak user password, like they used for the admin password during setup. When they do, they get an error explaining the password criteria. So they provide a password that has a mix of uppercase, lower case, numeric and punctuation characters. I used "Amanda1!" as a test case. And I received another error telling me my password was based on a dictionary word. :-?

About this time, our hypothetical newbie admin is thoroughly frustrated, and ditches SME in favor of whatever Microsoft product they're familiar with. :-(
Or worse yet, they stay with SME, but forget to reset the weak admin password they supplied at installation, so they get rooted by script kiddies, and wind up ditching Linux in favor of the "more secure" Windows platform. :cry:

I'm still of the opinion that there should be a password policy page in the panel, and that it should include an option for enforced password change intervals. This would help mitigate the risk of establishing a weak admin password during installation that never expires. And if I could write the code myself, I would.

gordonr
Impossible password policy
« Reply #27 on: December 30, 2005, 12:19:33 PM »
Quote from: "ejfowler"

I'm still of the opinion that there should be a password policy page in the panel, and that it should include an option for enforced password change intervals. This would help mitigate the risk of establishing a weak admin password during installation that never expires. And if I could write the code myself, I would.

You are not the only one with this opinion, and I raised it as a bug some time back. What we're lacking is the resources to implement all of the good suggestions. If there are things which are not currently in the bug tracker, please raise them.

As I stated above, ensuring that MySQL upgrades work smoothly comes above providing a server-manager interface for something which can be changed with one command.

The other issues are also referenced above, with links to the bugs which are tracking those items.

Ronicus

Impossible password policy
« Reply #28 on: February 12, 2006, 01:00:32 PM »
Although some say the root user should have the same password rules applied to them, I say that administrators are more aware of the implications of a compromised password and have calculated the risk before entering a less strong password (not to be confused with a weak password).

Tillebeck
Impossible password policy
« Reply #29 on: February 12, 2006, 11:25:24 PM »
I am used to a standard corporate Windows secure password policy saying that of upper case, lower case, special characters and numbers at least three must be present and the password must be at least 6 characters long. It is not far from being the same as the default password security setting in SME7 but allows much more friendly passwords.

The most easy passwords would then be: Rain2day, Nice2have, Gift4you etc. etc.

In the SME7 environment they would be: R@in2day, Nice2h@ve or N!ce2have and G!ft4you.

That would be a good compromise for the "weak" password setting, still demanding at least three of the four kinds of input, and standard corporate Windows users will not have to change the password policy (that I know of).

 --
I have earlier used 5.6 and am now using 6.0.1 with the smeplus.sh. It is excellent! I am really looking forward to getting to use SME7 in production as well :-)
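The three rules argued over in this thread, gordonr's mantra from Reply #21 (all four character classes, seven or more characters), the dictionary-word rejection ejfowler ran into with "Amanda1!" in Reply #26, and Tillebeck's corporate "three of four classes, six or more" policy above, as an added checker that is not SME Server's own code. The word list is a constructed stand-in; a real checker would read the system dictionary (an assumption, not SME's list).

```python
import re

# Constructed stand-in for a system word list; a real checker would read
# something like /usr/share/dict/words (assumption, not SME's own list).
DICTIONARY = {"amanda", "password", "network", "rain", "nice", "gift"}

CLASSES = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum(),
}


def classes_present(password):
    """Set of character classes (upper, lower, digit, special) in the password."""
    return {name for name, test in CLASSES.items() if any(test(c) for c in password)}


def based_on_dictionary_word(password):
    """Crude form of the check that rejected 'Amanda1!': drop digits and
    punctuation and see whether the remaining letters spell a known word."""
    letters = re.sub(r"[^A-Za-z]", "", password).lower()
    return letters in DICTIONARY


def check(password, min_len, min_classes, reject_dictionary=True):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    missing = min_classes - len(classes_present(password))
    if missing > 0:
        problems.append(f"needs {missing} more character class(es)")
    if reject_dictionary and based_on_dictionary_word(password):
        problems.append("based on a dictionary word")
    return problems


def check_mantra(password):
    """gordonr's mantra: upper AND lower AND digits AND special, seven or more."""
    return check(password, min_len=7, min_classes=4)


def check_corporate(password):
    """Tillebeck's corporate policy: any three of the four classes, six or more."""
    return check(password, min_len=6, min_classes=3)


if __name__ == "__main__":
    for pw in ["Rain2day", "R@in2day", "Amanda1!", "icfabptw", "abc"]:
        print(pw, "mantra:", check_mantra(pw) or "ok", "| corporate:", check_corporate(pw) or "ok")
```

Note that "Amanda1!" satisfies every class and length rule and still fails, exactly as in Reply #26, because stripping the digit and punctuation leaves a word; "Rain2day" passes the corporate policy but needs a special character for the mantra.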