Koozali.org: home of the SME Server

Reducing password complexity requirements?

thymox
Reducing password complexity requirements?
« on: February 05, 2009, 03:38:07 PM »
Hi all,

Is there a way that I can reduce the complexity requirements for user account password?

I know it's a potential "security issue" having simple passwords, but let's face it... complex passwords get written down anyway!

Cheers.
Grant. :)

Stefano
Re: Reducing password complexity requirements?
« Reply #1 on: February 05, 2009, 03:44:34 PM »
Thymox,

please search the forums and the wiki.. this question has been posted thousands of times..

Thank you

Ciao
Stefano

cactus
Re: Reducing password complexity requirements?
« Reply #2 on: February 05, 2009, 09:15:57 PM »
please search the forums and the wiki..
Or go directly here: http://wiki.contribs.org/SME_Server:Documentation:FAQ#Password_Strength_Checking

This does not mean that there are no rules for passwords such as a minimal length (I believe 7 characters is required even at the lowest level of password strength).
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Stefano
Re: Reducing password complexity requirements?
« Reply #3 on: February 05, 2009, 09:28:27 PM »
I believe 7 characters is required even at the lowest level of password strength.

yes, 7 chars are the minimum requirement

Ciao
Stefano

p-jones
Re: Reducing password complexity requirements?
« Reply #4 on: February 06, 2009, 10:42:41 AM »
Quote
yes, 7 chars are the minimum requirement

And that is new to V7.4

Quote
please search the forums and the wiki.. this question has ben posted thousands times..

Doesn't quite cut it...

cactus
Re: Reducing password complexity requirements?
« Reply #5 on: February 06, 2009, 10:49:03 AM »
And that is new to V7.4
Nope, as far as I know this has been so at least for the whole 7.x tree.

Stefano
Re: Reducing password complexity requirements?
« Reply #6 on: February 06, 2009, 10:50:54 AM »
And that is new to V7.4

no.. AFAIR it's so since 7.1

Quote
Doesn't quite cut it...

since I don't understand what you mean here, could you please explain? thank you

Ciao
Stefano

p-jones
Re: Reducing password complexity requirements?
« Reply #7 on: February 06, 2009, 11:08:07 AM »
Quote
no.. AFAIR it's so since 7.1

Nope, all my people who were on weak passwords of <7 characters had to deal with them after the 7.4 update and make them 7 characters or more.

Quote
since I don't understand what you mean here, could you please explain? thank you

I think you have a quick key for "search the forums" as I notice you use it so much. It's not a particularly helpful response, especially to a newbie who does search the forums and is presented with an information overload or doesn't understand what they are reading or just needs a bit of guidance and reassurance to get them on the right track. A link to a starting point is more useful, or no response at all.
Point in case, anyone who had read the part of the manual several months ago (prior to 7.4) and not read it since would have been unaware of the 7 character requirement.

Stefano
Re: Reducing password complexity requirements?
« Reply #8 on: February 06, 2009, 11:30:41 AM »
Nope, all my people who were on weak passwords of <7 characters had to deal with them after the 7.4 update and make them 7 characters or more.

you have to "upgrade" your password only if you change it.. I have many servers (upgraded from 6.X) with passwords of 5,6 chars, working flawlessly..
 
Quote
I think you have a quick key for "search the forums" as I notice you use it so much. It's not a particularly helpful response, especially to a newbie who does search the forums and is presented with an information overload or doesn't understand what they are reading or just needs a bit of guidance and reassurance to get them on the right track. A link to a starting point is more useful, or no response at all.
Point in case, anyone who had read the part of the manual several months ago (prior to 7.4) and not read it since would have been unaware of the 7 character requirement.

try to click on "search" link above.. input "password length" and go.. is it so difficult?
IMHO many users of this forum are simply too lazy

Ciao
Stefano

p-jones
Re: Reducing password complexity requirements?
« Reply #9 on: February 06, 2009, 11:46:16 AM »
Quote
you have to "upgrade" your password only if you change it.. I have many servers (upgraded from 6.X) with passwords of 5,6 chars, working flawlessly..

OK, but if you are on a 30 or 42 day password cycle, which IMHO one should be if they are going to use weak passwords, or you add a new user, that password must be 7 characters or more. The 7 character rule was only enforced in V7.4, my original point. Prior to 7.4 it could be any length. The smallest I had tried was 4.

elmarconi
Re: Reducing password complexity requirements?
« Reply #10 on: February 06, 2009, 01:03:04 PM »
/usr/lib/perl5/site_perl/CGI/FormMagick/Validator/Network.pm and
/usr/lib/perl5/site_perl/esmith/FormMagick.pm

Search for: length($_) > 6 and length($pass) > 6

Change 6 to value required. 

Will not survive updates!

Stefano
Re: Reducing password complexity requirements?
« Reply #11 on: February 06, 2009, 02:04:44 PM »
/usr/lib/perl5/site_perl/CGI/FormMagick/Validator/Network.pm and
/usr/lib/perl5/site_perl/esmith/FormMagick.pm

Search for: length($_) > 6 and length($pass) > 6

Change 6 to value required. 

Will not survive updates!

this kind of hack should not be posted here IMO..
- because it is dis-educative
- because it will not survive an update
- because modifying core libraries without knowing what you are doing could be dangerous

Stefano

elmarconi
Re: Reducing password complexity requirements?
« Reply #12 on: February 06, 2009, 02:30:12 PM »
this kind of hack should not be posted here IMO..
- because it is dis-educative
- because it will not survive an update
- because modifying core libraries without knowing what you are doing could be dangerous

Both yes and no. I have a load of users since e-smith 4.12.
Lots of them use 6-character pwd's. That pwd is IMHO strong enough and they all know it by head, even when you wake them at 03:00 in the morning after a good party.
The added security of having 7 instead of 6 characters might be easily compromised by the inevitable use of Post-it memo's on the screen or in the drawer.

New users do get the 7-chars-pwd. But I live in the real world, with real people. And change is evil.

I propose a feature request: config setprop minpasswordlength Users 6

How about that?


Stefano
Re: Reducing password complexity requirements?
« Reply #13 on: February 06, 2009, 02:46:22 PM »
I propose a feature request: config setprop minpasswordlength Users 6

How about that?

1) since password length is hard coded into core library I think it won't be so easy..
2) this is not the right place: you should raise a NFR in bugzilla
3) I remember that somewhere we are told that 7 chars pwd is required also by pam or something similar..

Ciao
Stefano

CharlieBrady
Re: Reducing password complexity requirements?
« Reply #14 on: February 06, 2009, 02:51:49 PM »
this kind of hack should not be posted here IMO..
- because it is dis-educative
- because it will not survive an update
- because modifying core libraries without knowing what you are doing could be dangerous

And also because it won't work. The limit is imposed by the PAM module which changes password. The code identified here just allows the panel to give good feedback, rather than just a failed password change attempt.

http://bugs.contribs.org/show_bug.cgi?id=3039

Stefano
Re: Reducing password complexity requirements?
« Reply #15 on: February 06, 2009, 03:22:36 PM »
thanks Charlie, interesting but I have a question for you:

setting something like:
password    requisite     pam_cracklib.so retry=3  minlen=5

in /etc/pam.d/system-auth, as described in this document from RedHat, would that have any effect?

I know that password policies (length, strength, auth retries etc.) could be set up via pam, but in SME there are 3 kinds of passwords (users, admin, ibays) and so all rely on perl scripts; am I wrong? can you shed some light on this?

is this guide still valid?

Tia
Ciao
Stefano
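An added example, not code from the thread or from SME Server, illustrating Charlie's point and Stefano's PAM question together: the panel's `length($pass) > 6` test only mirrors what the PAM stack enforces, so the two limits must agree or users get unexplained failures. It parses a pam_cracklib line like the one quoted above out of a constructed /etc/pam.d/system-auth fragment and reports where the panel check and PAM disagree; pam_cracklib's character-class credit options are ignored (a simplification assumed here).

```python
"""Compare a web-panel minimum-length check against the PAM policy behind it."""

# Mirrors the `length($pass) > 6` test quoted from the panel code (minimum 7).
PANEL_MIN_LENGTH = 7

# Constructed sample fragment of /etc/pam.d/system-auth (not from a real server);
# the pam_cracklib line is the one from the thread.
SAMPLE_SYSTEM_AUTH = """\
auth        required      pam_env.so
password    requisite     pam_cracklib.so retry=3  minlen=5
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
"""


def parse_pam_password_policy(system_auth_text):
    """Return the pam_cracklib options from the 'password' stack as a dict.

    Numeric values become ints; bare flags map to True. Empty dict if absent.
    """
    for line in system_auth_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "password" and fields[2] == "pam_cracklib.so":
            opts = {}
            for arg in fields[3:]:
                key, _, value = arg.partition("=")
                opts[key] = int(value) if value.isdigit() else (value or True)
            return opts
    return {}


def panel_accepts(password):
    return len(password) >= PANEL_MIN_LENGTH


def pam_accepts(password, policy):
    # Simplification (assumption): minlen is treated as a plain character count,
    # ignoring pam_cracklib's dcredit/ucredit/lcredit/ocredit adjustments.
    return len(password) >= policy.get("minlen", 0)


def classify(password, policy):
    """Describe how a candidate fares at each layer; the mismatch cases matter."""
    panel, pam = panel_accepts(password), pam_accepts(password, policy)
    if panel and pam:
        return "accepted"
    if panel and not pam:
        return "panel accepts, PAM rejects"      # user sees a bare failed change
    if not panel and pam:
        return "panel rejects, PAM would accept"  # panel stricter than backend
    return "rejected"


def find_policy_mismatch(policy):
    """Return both limits if the panel minimum and PAM minlen disagree, else None."""
    minlen = policy.get("minlen")
    if minlen is None or minlen == PANEL_MIN_LENGTH:
        return None
    return {"panel_min": PANEL_MIN_LENGTH, "pam_minlen": minlen}
```

With the thread's `minlen=5` line the panel is the stricter layer, so relaxing the perl check alone would shift rejections to PAM rather than remove them; a stricter PAM `minlen` gives the opposite mismatch.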

elmarconi
Re: Reducing password complexity requirements?
« Reply #16 on: February 06, 2009, 03:39:21 PM »
And also because it won't work. The limit is imposed by the PAM module which changes password. The code identified here just allows the panel to give good feedback, rather than just a failed password change attempt.

http://bugs.contribs.org/show_bug.cgi?id=3039

I just changed some poor user's pwd to another 6 chars pwd through the web interface, and could login on webmail with that new pwd all OK.
Also this user can login to SMB OK.
He can NOT change his pwd within XP to another 6 chars pwd!!
He can change his pwd within XP to another 7 chars pwd.
WinXPPro pwd change msgbox claims (error?) that the pwd should be at least 5 chars, containing 3 out of 4 of the following groups: lowercase, uppercase, Numerals, Non-alphabetic.

Q: what exactly is supposed not to work?

cactus
Re: Reducing password complexity requirements?
« Reply #17 on: February 06, 2009, 04:00:04 PM »
I propose a feature request: config setprop minpasswordlength Users 6

How about that?
I suggest you launch a bug for it as new feature requests in the forums are not very likely to be taken into consideration. How about that? :-)

elmarconi
Re: Reducing password complexity requirements?
« Reply #18 on: February 06, 2009, 04:35:10 PM »
I suggest you launch a bug for it as new feature requests in the forums are not very likely to be taken into consideration. How about that? :-)

Point taken. "How about that" should be rephrased to "What is the general opinion here, should this be a possible NFR?"

1) since password length is hard coded into core library I think it won't be so easy..

Nevertheless can it be done? Or will this break other stuff?

cactus
Re: Reducing password complexity requirements?
« Reply #19 on: February 06, 2009, 04:38:41 PM »
Nevertheless can it be done? Or will this break other stuff?
That will undoubtedly become clear when added as a bug, but there are some applications that require a minimum length and I guess the development team have chosen 7 for a reason... so I guess that would be the minimum based on their findings.

elmarconi
Re: Reducing password complexity requirements?
« Reply #20 on: February 06, 2009, 04:54:22 PM »
That will undoubtedly become clear when added as a bug, but there are some applications that require a minimum length and I guess the development team have chosen 7 for a reason... so I guess that would be the minimum based on their findings.

We'll see. http://bugs.contribs.org/show_bug.cgi?id=4992


Dale
Re: Reducing password complexity requirements?
« Reply #21 on: February 07, 2009, 11:21:39 PM »
WTF?  You guys are kidding, right?  There is no way to set shorter than 7 character passwords?



cactus
Re: Reducing password complexity requirements?
« Reply #22 on: February 07, 2009, 11:23:21 PM »
WTF?  You guys are kidding, right?  There is no way to set shorter than 7 character passwords?
No. As said some of the programs in SME Server require that to be a minimal length.

Dale
Re: Reducing password complexity requirements?
« Reply #23 on: February 07, 2009, 11:41:19 PM »
I should move on then, I suppose.
That's extremely broken.

cactus
Re: Reducing password complexity requirements?
« Reply #24 on: February 08, 2009, 12:10:04 PM »
I should move on then, I suppose.
Perhaps.

That's extremely broken.
I think your concept of security needs some updating then as well...

elmarconi
Re: Reducing password complexity requirements?
« Reply #25 on: February 08, 2009, 11:28:34 PM »
No. As said some of the programs in SME Server require that to be a minimal length.

This puzzles me as I've upgraded from SME6 and still have a lot of users using 6 chars pwd's.

This brings up another question: will SME8 require minimal 8 chr pwd's ? ;)

cactus
Re: Reducing password complexity requirements?
« Reply #26 on: February 09, 2009, 09:14:32 AM »
This puzzles me as I've upgraded from SME6 and still have a lot of users using 6 chars pwd's.
It is only enforced on new passwords, as long as your users do not change their passwords it can be that way.

This brings up another question: will SME8 require minimal 8 chr pwd's ? ;)
Perhaps, maybe even 80 :-D

janet
Re: Reducing password complexity requirements?
« Reply #27 on: February 09, 2009, 10:35:31 AM »
Dale

Quote
That's extremely broken.

No, it's more like "by design".

Advanced search is a good tool, which you could have used to find this:
http://forums.contribs.org/index.php?topic=38078.0

It's for v7.2 but if you really must, the concepts may still be applicable to sme7.4. Keep in mind though such changes are not recommended and may cause problems when upgrading, i.e. you may break some new packages or may need to redo your custom changes. You are on your own, support wise, if you do try to implement the changes suggested.

I only draw your attention to that post here to indicate that just about everything in Linux is customisable, if you really want to put the effort in and accept the consequences.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

elmarconi
Re: Reducing password complexity requirements?
« Reply #28 on: February 09, 2009, 02:03:35 PM »
This brings up another question: will SME8 require minimal 8 chr pwd's ? ;)

Perhaps, maybe even 80 :-D

Boss: What are you doing, it's 10:30 ??
Employee: I am changing my password...

chris burnat
Re: Reducing password complexity requirements?
« Reply #29 on: February 10, 2009, 09:56:49 PM »
This topic has reached its natural end, refer to Charlie's comments above.
Locking this thread.
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.