"BobbyT" <[EMAIL PROTECTED]> wrote:
> The RaQ should have a javascript that nags the user if they enter a
> password that doesn't contain at least one number or capital letter or
> funny character or matches the user name (or both). This would greatly
> increase security on non-supervised account creation or on password
> changes.

I think it's a great idea to implement on your system if you can. I usually suggest that my clients consider enforcing strong passwords, but many of them are reluctant. Unfortunately, many users prefer to be able to set passwords as they see fit. And though simple passwords are easy to crack, they are also easy for the user to remember. One has to balance security with usability.

> Here's a sample script that would check to make sure the user has used
> at least one upper, lower and number in their password.

I think JS code like the code you included is a good step. I doubt Sun will ever force strong passwords, but it would be nice if the next generation GUI had that as a server admin config option. My guess is if they forced strong passwords there would be many server admins who cry foul because they now have to force their users to adapt to the system.

I prefer to run John the Ripper to check for weak passwords. Even if you don't enforce strong passwords, using John the Ripper to find weak passwords isn't a bad idea. Better to know how many users have weak passwords and who they are than to have no idea at all.

http://www.openwall.com/john/

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
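
Added example (not part of the original messages, and not the sample script mentioned in the quote, which is not reproduced here): a JavaScript check for the rules discussed in this thread, namely at least one upper-case letter, one lower-case letter and one digit, and a password that does not match the user name. The names `RULES`, `checkPassword` and `nagMessage` are assumptions made for illustration.

```javascript
// Added example; RULES, checkPassword and nagMessage are hypothetical names,
// not taken from the original post or from the RaQ GUI.

// Character-class rules described in the thread.
const RULES = [
  { id: "upper", test: (pw) => /[A-Z]/.test(pw), hint: "an upper-case letter" },
  { id: "lower", test: (pw) => /[a-z]/.test(pw), hint: "a lower-case letter" },
  { id: "digit", test: (pw) => /[0-9]/.test(pw), hint: "a number" },
];

// Returns the list of rule ids the password fails (empty list = acceptable).
function checkPassword(username, password) {
  const pw = String(password);
  const problems = RULES.filter((rule) => !rule.test(pw)).map((rule) => rule.id);

  // Compare case-insensitively so "Admin1" / "admin1" counts as a match.
  const user = String(username).trim().toLowerCase();
  if (user !== "" && pw.toLowerCase() === user) {
    problems.push("matches-username");
  }
  return problems;
}

// Builds the text a form handler could show to nag the user ("" = nothing to say).
function nagMessage(username, password) {
  const problems = checkPassword(username, password);
  if (problems.length === 0) return "";

  const missing = RULES.filter((r) => problems.includes(r.id)).map((r) => r.hint);
  const parts = [];
  if (missing.length > 0) parts.push("add " + missing.join(", "));
  if (problems.includes("matches-username")) {
    parts.push("do not reuse the user name");
  }
  return "Weak password: " + parts.join("; ") + ".";
}

// Constructed sample input, for illustration only.
console.log(nagMessage("bobby", "bobby"));   // nags
console.log(nagMessage("bobby", "Bobby1"));  // prints an empty line (accepted)
```

In a browser this can only nag, since a user can bypass it; the same function can be reused on the server side (for example under Node.js) if the rule is to be enforced.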
