Koozali.org: home of the SME Server

Reducing password complexity requirements?

Stefano
Re: Reducing password complexity requirements?
« Reply #15 on: February 06, 2009, 03:22:36 PM »
Thanks Charlie, interesting, but I have a question for you:

Will setting something like:
Code:
password    requisite     pam_cracklib.so retry=3  minlen=5

in /etc/pam.d/system-auth, as per this document from RedHat, have any effect?

I know that password policies (length, strength, auth retries, etc.) could be set up via PAM, but that in SME there are 3 kinds of passwords (users, admin, ibays) and so all rely on Perl scripts; am I wrong? Can you shed some light on this?

Is this guide still valid?

TIA
Ciao
Stefano
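
An added example, not part of the original post and not SME Server code: a small audit that parses the `password` lines of a PAM file and models the length/credit rule as the pam_cracklib man page describes it (default `minlen` 9, default credit 1 per character class, and cracklib's own limit of 6 that is checked without reference to `minlen`). The sample file is constructed and the function names are hypothetical; whether SME Server's own scripts honour such a line is exactly what the post asks and is not modelled here.

```python
import re

# Defaults and cracklib's own length limit as documented in the pam_cracklib man page.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
CRACKLIB_FLOOR = 6  # checked by cracklib itself, without reference to minlen
PAM_LINE = re.compile(r"^\s*-?password\s+(?:\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_cracklib_line(line):
    """Return pam_cracklib's numeric options from one PAM line, or None."""
    m = PAM_LINE.match(line.split("#", 1)[0])  # drop comments first
    if not m or m.group(1).rsplit("/", 1)[-1] != "pam_cracklib.so":
        return None
    opts = dict(DEFAULTS)
    for arg in m.group(2).split():
        key, sep, value = arg.partition("=")
        if sep and key in opts and re.fullmatch(r"-?\d+", value):
            opts[key] = int(value)
    return opts

def shortest_accepted(opts):
    """Return (shortest length passing the minlen/credit rule, same with cracklib's floor)."""
    classes = [opts[k] for k in ("dcredit", "ucredit", "lcredit", "ocredit")]
    bonus = sum(c for c in classes if c > 0)    # maximum length credit obtainable
    forced = sum(-c for c in classes if c < 0)  # required characters, which earn no credit
    length = forced
    while length + min(bonus, length - forced) < opts["minlen"]:
        length += 1
    return length, max(length, CRACKLIB_FLOOR)

def audit(config_text):
    """List (line, rule length, effective length) for each pam_cracklib line."""
    results = []
    for line in config_text.splitlines():
        opts = parse_cracklib_line(line)
        if opts is not None:
            results.append((line.strip(), *shortest_accepted(opts)))
    return results

# Constructed sample; the first password line is the one quoted in the post above.
SAMPLE = """\
auth        required      pam_unix.so
password    requisite     pam_cracklib.so retry=3  minlen=5
password    requisite     /lib/security/$ISA/pam_cracklib.so minlen=7 dcredit=0 ucredit=0 lcredit=0 ocredit=0
# password  requisite     pam_cracklib.so minlen=4
"""

if __name__ == "__main__":
    for line, rule_len, effective in audit(SAMPLE):
        print(f"{rule_len:>2} {effective:>2}  {line}")
```

Under this model, `minlen=5` with default credits lets a mixed-class password pass the length rule at 3 characters, so the limit that actually applies is cracklib's 6; setting all four credits to 0 makes `minlen` mean a plain character count.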

elmarconi
Re: Reducing password complexity requirements?
« Reply #16 on: February 06, 2009, 03:39:21 PM »
And also because it won't work. The limit is imposed by the PAM module which changes password. The code identified here just allows the panel to give good feedback, rather than just a failed password change attempt.

http://bugs.contribs.org/show_bug.cgi?id=3039

I just changed some poor user's pwd to another 6-char pwd through the web interface, and could log in to webmail with that new pwd all OK.
Also this user can login to SMB OK.
He can NOT change his pwd within XP to another 6 chars pwd!!
He can change his pwd within XP to another 7 chars pwd.
WinXPPro pwd change msgbox claims (error?) that the pwd should be at least 5 chars, containing 3 out of 4 of the following groups: lowercase, uppercase, Numerals, Non-alphabetic.

Q: what exactly is supposed not to work?
...

cactus
Re: Reducing password complexity requirements?
« Reply #17 on: February 06, 2009, 04:00:04 PM »
I propose a feature request: config setprop minpasswordlength Users 6

How about that?
I suggest you launch a bug for it as new feature requests in the forums are not very likely to be taken into consideration. How about that? :-)
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

elmarconi
Re: Reducing password complexity requirements?
« Reply #18 on: February 06, 2009, 04:35:10 PM »
Quote
I suggest you launch a bug for it as new feature requests in the forums are not very likely to be taken into consideration. How about that? :-)

Point taken.  "How about that" should be rephrased to "What is the general opinion here, should this be a possible NFR?"

1) since password length is hard coded into core library I think it won't be so easy..

Nevertheless can it be done? Or will this break other stuff?
...

cactus
Re: Reducing password complexity requirements?
« Reply #19 on: February 06, 2009, 04:38:41 PM »
Quote
Nevertheless can it be done? Or will this break other stuff?

That will undoubtedly become clear when added as a bug, but there are some applications that require a minimum length and I guess the development team have chosen 7 for a reason... so I guess that would be the minimum based on their findings.

elmarconi
Re: Reducing password complexity requirements?
« Reply #20 on: February 06, 2009, 04:54:22 PM »
Quote
That will undoubtedly become clear when added as a bug, but there are some applications that require a minimum length and I guess the development team have chosen 7 for a reason... so I guess that would be the minimum based on their findings.

We'll see. http://bugs.contribs.org/show_bug.cgi?id=4992

...

Dale
Re: Reducing password complexity requirements?
« Reply #21 on: February 07, 2009, 11:21:39 PM »
WTF?  You guys are kidding, right?  There is no way to set shorter than 7 character passwords?



cactus
Re: Reducing password complexity requirements?
« Reply #22 on: February 07, 2009, 11:23:21 PM »
Quote
WTF?  You guys are kidding, right?  There is no way to set shorter than 7 character passwords?

No. As said, some of the programs in SME Server require that to be a minimal length.

Dale
Re: Reducing password complexity requirements?
« Reply #23 on: February 07, 2009, 11:41:19 PM »
I should move on then, I suppose.
That's extremely broken.

cactus
Re: Reducing password complexity requirements?
« Reply #24 on: February 08, 2009, 12:10:04 PM »
Quote
I should move on then, I suppose.

Perhaps.

Quote
That's extremely broken.

I think your concept of security needs some updating then as well...

elmarconi
Re: Reducing password complexity requirements?
« Reply #25 on: February 08, 2009, 11:28:34 PM »
Quote
No. As said some of the programs in SME Server require that to be a minimal length.

This puzzles me as I've upgraded from SME6 and still have a lot of users using 6 chars pwd's.

This brings up another question: will SME8 require minimal 8 chr pwd's ? ;)
...

cactus
Re: Reducing password complexity requirements?
« Reply #26 on: February 09, 2009, 09:14:32 AM »
Quote
This puzzles me as i've upgraded from SME6 and still have a lot of users using 6 chars pwd's.

It is only enforced on new passwords, as long as your users do not change their passwords it can be that way.

Quote
This brings up another question: will SME8 require minimal 8 chr pwd's ? ;)

Perhaps, maybe even 80 :-D

janet
Re: Reducing password complexity requirements?
« Reply #27 on: February 09, 2009, 10:35:31 AM »
Dale

Quote
That's extremely broken.

No, it's more like "by design".

Advanced search is a good tool, which you could have used to find this:
http://forums.contribs.org/index.php?topic=38078.0

It's for v7.2 but if you really must, the concepts may still be applicable to sme7.4. Keep in mind though such changes are not recommended and may cause problems when upgrading, i.e. you may break some new packages or may need to redo your custom changes. You are on your own, support wise, if you do try to implement the changes suggested.

I only draw your attention to that post here to indicate that just about everything in Linux is customisable, if you really want to put the effort in and accept the consequences.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

elmarconi
Re: Reducing password complexity requirements?
« Reply #28 on: February 09, 2009, 02:03:35 PM »
Quote
This brings up another question: will SME8 require minimal 8 chr pwd's ? ;)

Quote
Perhaps, maybe even 80 :-D

Boss: What are you doing, it's 10:30 ??
Employee: I am changing my password...
...

chris burnat
Re: Reducing password complexity requirements?
« Reply #29 on: February 10, 2009, 09:56:49 PM »
This topic has reached its natural end, refer to Charlie's comments above.
Locking this thread.
- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.