Koozali.org: home of the SME Server

Reducing password complexity requirements?

Offline thymox

« on: February 05, 2009, 03:38:07 PM »
Hi all,

Is there a way that I can reduce the complexity requirements for user account password?

I know it's a potential "security issue" having simple passwords, but let's face it... complex passwords get written down anyway!

Cheers.
Grant. :)

Offline Stefano

Re: Reducing password complexity requirements?
« Reply #1 on: February 05, 2009, 03:44:34 PM »
Thymox,

please search the forums and the wiki.. this question has been posted thousands of times..

Thank you

Ciao
Stefano

Offline cactus

Re: Reducing password complexity requirements?
« Reply #2 on: February 05, 2009, 09:15:57 PM »
Quote
please search the forums and the wiki..

Or go directly here: http://wiki.contribs.org/SME_Server:Documentation:FAQ#Password_Strength_Checking

This does not mean that there are no rules for passwords as a minimal length (I believe 7 characters is required even at the lowest level of password strength).
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline Stefano

Re: Reducing password complexity requirements?
« Reply #3 on: February 05, 2009, 09:28:27 PM »
Quote
I believe 7 characters is required even at the lowest level of password strength.

yes, 7 chars are the minimum requirement

Ciao
Stefano

Offline p-jones

Re: Reducing password complexity requirements?
« Reply #4 on: February 06, 2009, 10:42:41 AM »
Quote
yes, 7 chars are the minimum requirement

And that is new to V7.4

Quote
please search the forums and the wiki.. this question has been posted thousands of times..

Doesn't quite cut it...

Offline cactus

Re: Reducing password complexity requirements?
« Reply #5 on: February 06, 2009, 10:49:03 AM »
Quote
And that is new to V7.4

Nope, as far as I know this has been so at least for the whole 7.x tree.

Offline Stefano

Re: Reducing password complexity requirements?
« Reply #6 on: February 06, 2009, 10:50:54 AM »
Quote
And that is new to V7.4

no.. AFAIR it's so since 7.1

Quote
Doesn't quite cut it...

since I don't understand what you mean here, could you please explain? thank you

Ciao
Stefano

Offline p-jones

Re: Reducing password complexity requirements?
« Reply #7 on: February 06, 2009, 11:08:07 AM »
Quote
no.. AFAIR it's so since 7.1

Nope, all my people who were on weak passwords of <7 characters had to deal with them after the 7.4 update and make them 7 characters or more.

Quote
since I don't understand what you mean here, could you please explain? thank you

I think you have a quick key for search the forums as I notice you use it so much. It's not a particularly helpful response, especially to a newbie who does search the forums and is presented with an information overload or doesn't understand what they are reading or just needs a bit of guidance and reassurance to get them on the right track. A link to a starting point is more useful, or no response at all.
Point in case, anyone who had read the part of the manual several months ago (prior to 7.4) and not read it since would have been unaware of the 7 character requirement.

Offline Stefano

Re: Reducing password complexity requirements?
« Reply #8 on: February 06, 2009, 11:30:41 AM »
Quote
Nope, all my people who were on weak passwords of <7 characters had to deal with them after the 7.4 update and make them 7 characters or more.

you have to "upgrade" your password only if you change it.. I have many servers (upgraded from 6.X) with passwords of 5,6 chars, working flawlessly..
 
Quote
I think you have a quick key for search the forums as I notice you use it so much. It's not a particularly helpful response, especially to a newbie who does search the forums and is presented with an information overload or doesn't understand what they are reading or just needs a bit of guidance and reassurance to get them on the right track. A link to a starting point is more useful, or no response at all.
Point in case, anyone who had read the part of the manual several months ago (prior to 7.4) and not read it since would have been unaware of the 7 character requirement.

try to click on "search" link above.. input "password length" and go.. is it so difficult?
IMHO many users of this forum are simply too lazy

Ciao
Stefano

Offline p-jones

Re: Reducing password complexity requirements?
« Reply #9 on: February 06, 2009, 11:46:16 AM »
Quote
you have to "upgrade" your password only if you change it.. I have many servers (upgraded from 6.X) with passwords of 5,6 chars, working flawlessly..

OK, but if you are on a 30 or 42 day password cycle, which IMHO one should be if they are going to use weak passwords, or you add a new user, that password must be 7 characters or more. The 7 character rule was only enforced in V7.4, my original point. Prior to 7.4 it could be any length. The smallest I had tried was 4.

Offline elmarconi

Re: Reducing password complexity requirements?
« Reply #10 on: February 06, 2009, 01:03:04 PM »
/usr/lib/perl5/site_perl/CGI/FormMagick/Validator/Network.pm
and
/usr/lib/perl5/site_perl/esmith/FormMagick.pm

Search for: length($_) > 6 and length($pass) > 6

Change 6 to value required. 

Will not survive updates!

Offline Stefano

Re: Reducing password complexity requirements?
« Reply #11 on: February 06, 2009, 02:04:44 PM »
Quote
/usr/lib/perl5/site_perl/CGI/FormMagick/Validator/Network.pm
and
/usr/lib/perl5/site_perl/esmith/FormMagick.pm

Search for: length($_) > 6 and length($pass) > 6

Change 6 to value required. 

Will not survive updates!


this kind of hack should not be posted here IMO..
- because it is dis-educative
- because it will not survive an update
- because modifying core libraries without knowing what you are doing could be dangerous

Stefano

Offline elmarconi

Re: Reducing password complexity requirements?
« Reply #12 on: February 06, 2009, 02:30:12 PM »
Quote
this kind of hack should not be posted here IMO..
- because it is dis-educative
- because it will not survive an update
- because modifying core libraries without knowing what you are doing could be dangerous

Both yes and no. I have a load of users since e-smith 4.12.
Lots of them use 6-character pwd's. That pwd is IMHO strong enough and they all know it by head, even when you wake them at 03:00 in the morning after a good party.
The added security of having 7 instead of 6 characters might be easily compromised by the inevitable use of Post-it memo's on the screen or in the drawer.

New users do get the 7-chars-pwd. But I live in the real world, with real people. And change is evil.

I propose a feature request: config setprop minpasswordlength Users 6

How about that?


Offline Stefano

Re: Reducing password complexity requirements?
« Reply #13 on: February 06, 2009, 02:46:22 PM »
Quote
I propose a feature request: config setprop minpasswordlength Users 6

How about that?

1) since password length is hard coded into core library I think it won't be so easy..
2) this is not the right place: you should raise a NFR in bugzilla
3) I remember that somewhere we are told that 7 chars pwd is required also by pam or something similar..

Ciao
Stefano

Offline CharlieBrady

Re: Reducing password complexity requirements?
« Reply #14 on: February 06, 2009, 02:51:49 PM »
Quote
this kind of hack should not be posted here IMO..
- because it is dis-educative
- because it will not survive an update
- because modifying core libraries without knowing what you are doing could be dangerous

And also because it won't work. The limit is imposed by the PAM module which changes password. The code identified here just allows the panel to give good feedback, rather than just a failed password change attempt.

http://bugs.contribs.org/show_bug.cgi?id=3039