[
https://issues.apache.org/jira/browse/CASSANDRA-17457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583220#comment-17583220
]
Jackson Fleming commented on CASSANDRA-17457:
---------------------------------------------
Thanks all, I discussed this with [~smiklosovic] last night (and he updated me
over the evening, my time, on the internal discussions this Jira was starting).
I agree with Stefan's assessment that this could be an ideal use case for a
Guardrail, and that this Jira has more work than meets the eye.
The work-in-progress branch is here:
[https://github.com/Jacko161/cassandra/tree/CASSANDRA-17457]. I'll put a heavy
emphasis on the fact that it's very far away from being ready for a PR. It is a
naive regex-based approach; this should just be considered an experiment I
performed to prove that the validation works when I run Cassandra locally, not
something I ever intended to raise a PR for.
> User password strength
> ----------------------
>
> Key: CASSANDRA-17457
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17457
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Authorization
> Reporter: Berenguer Blasi
> Assignee: Jackson Fleming
> Priority: Normal
> Labels: low-hanging-fruit
> Fix For: 4.x
>
>
> Currently we can create a user with a very insecure password such as 'A'.
> _CREATE ROLE coach WITH PASSWORD = 'A' AND LOGIN = true;_
>
> As we can see there are no restrictions on length, characters, etc. We should
> discuss and adopt some best practices in this area. A warning would be the
> preference instead of erroring out. Historically this has been left to be
> dealt with by LDAP or other auth systems, so we can't error out.
> Newcomers:
> - We should add warnings when a weak password is provided on DCL CQL. The
> {{validate}} method looks like a good place at face value. Feel free to
> analyze and suggest otherwise. See {{ClientWarn}} usages for examples.
> - We should add JUnit methods for the newly created warnings.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
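The ticket asks for a weak-password check on DCL statements that warns rather than errors, and the comment above describes a naive regex-based prototype. The class below is an added illustration of that shape, written for this page; it is not code from the Cassandra project or from the linked branch. It returns a list of warning strings so the caller can surface them however the project decides (the ticket points at ClientWarn for that). The thresholds (12 characters, 3 of 4 character classes), the tiny deny-list, the role-name and repeated-character checks, and the sample inputs in main are all assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Illustrative password-strength check (example code, not Cassandra's).
 * Findings are returned as warnings, never thrown as errors, matching the
 * ticket's preference: an external auth system may legitimately own the
 * password policy, so the server should advise rather than refuse.
 */
public final class PasswordStrengthCheck
{
    // Thresholds are assumptions for this example, not project settings.
    static final int MIN_LENGTH = 12;
    static final int MIN_CHARACTER_CLASSES = 3;

    // Constructed deny-list standing in for a real common-password list.
    static final Set<String> COMMON = new HashSet<>(Arrays.asList(
        "password", "cassandra", "123456", "qwerty", "letmein", "admin"));

    private static final Pattern LOWER   = Pattern.compile("[a-z]");
    private static final Pattern UPPER   = Pattern.compile("[A-Z]");
    private static final Pattern DIGIT   = Pattern.compile("[0-9]");
    private static final Pattern SPECIAL = Pattern.compile("[^A-Za-z0-9]");

    private PasswordStrengthCheck() {}

    /**
     * Returns the warnings for the given password; an empty list means no
     * weakness was detected. The caller decides how to surface them.
     */
    public static List<String> warningsFor(String roleName, String password)
    {
        List<String> warnings = new ArrayList<>();
        if (password == null || password.isEmpty())
        {
            warnings.add("Password is empty");
            return warnings;
        }

        if (password.length() < MIN_LENGTH)
            warnings.add(String.format("Password is shorter than %d characters", MIN_LENGTH));

        // Count how many of the four character classes appear at least once.
        int classes = 0;
        for (Pattern p : Arrays.asList(LOWER, UPPER, DIGIT, SPECIAL))
            if (p.matcher(password).find())
                classes++;
        if (classes < MIN_CHARACTER_CLASSES)
            warnings.add(String.format("Password uses %d of 4 character classes; at least %d recommended",
                                       classes, MIN_CHARACTER_CLASSES));

        String lowered = password.toLowerCase(Locale.ROOT);
        if (COMMON.contains(lowered))
            warnings.add("Password is on the common-password deny-list");

        if (roleName != null && !roleName.isEmpty()
            && lowered.contains(roleName.toLowerCase(Locale.ROOT)))
            warnings.add("Password contains the role name");

        // 'aaaaaaaaaaaa' passes the length check but is trivially guessable.
        if (password.chars().distinct().count() == 1)
            warnings.add("Password consists of a single repeated character");

        return warnings;
    }

    public static void main(String[] args)
    {
        // Constructed inputs; the first is the one quoted in the ticket.
        String[][] cases = {
            { "coach", "A" },
            { "coach", "coach2022" },
            { "coach", "Tr0ub4dor&3-correct" },
        };
        for (String[] c : cases)
        {
            List<String> w = warningsFor(c[0], c[1]);
            System.out.println("CREATE ROLE " + c[0] + " WITH PASSWORD = '" + c[1] + "' -> "
                               + (w.isEmpty() ? "no warnings" : w));
        }
    }
}
```

Running main reports three warnings for 'A' (too short, one character class, single repeated character), three for 'coach2022' (too short, two classes, contains the role name) and none for the last password. Keeping the check a pure function that returns findings is what makes the JUnit coverage the ticket asks for straightforward, and it keeps the policy separable from the statement-validation code path where the warning is eventually emitted.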