JoaoJandre commented on issue #6861: URL: https://github.com/apache/cloudstack/issues/6861#issuecomment-1419337976
Nonetheless, this will do nothing to fix the internal attack vector (if that is considered), and it also does not improve the VM's password policy security. Defining a pattern for random passwords generated by ACS will not force users to improve those passwords when they change them directly in the operating system. Therefore, I still think this solution will not be that useful for the @nxsbi use case.

It is interesting to improve the security of random passwords by adding special characters. However, enabling users to define password "standards" to be managed by ACS will not do anything to improve end-users' password security in the VM's operating system (they can always change it in the VM, without going through ACS).

To make it clear, I do think that adding special characters to improve random passwords is an interesting addition. What I do not think is interesting is the "password pattern" definition for the random passwords generated.

Furthermore, the way it is implemented, it can cause a few misunderstandings: (i) operators can think that these standards are somehow propagated to the VM's operating system (which does not happen), and (ii) if the operator defines a quite complicated pattern, that loop might never end (it is a bit too simple a solution: generate a random string, then check if it matches the pattern, and if it does not, repeat).
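The termination concern in point (ii), shown as an added example that is not part of the original comment and is not CloudStack's code: a generate-then-check loop given an attempt cap, next to a generator that satisfies the character classes by construction and therefore always terminates. The special-character set, the function names and the attempt cap are assumptions made for illustration.

```python
import re
import secrets
import string

SPECIALS = "!@#$%^&*()-_=+"  # assumed special-character set, not from the issue
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS]
ALPHABET = "".join(CLASSES)


def generate_by_rejection(pattern, length, max_attempts=10_000):
    """Generate a random string, check it against the pattern, repeat.

    This is the loop the comment describes, with one change: it gives up
    after max_attempts and returns None, so a pattern that is rare or
    impossible to satisfy cannot keep the caller spinning forever.
    """
    compiled = re.compile(pattern)
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if compiled.fullmatch(candidate):
            return candidate
    return None


def generate_by_construction(length):
    """Build a password that contains every character class by construction.

    One character is drawn from each class, the remainder from the full
    alphabet, and the positions are shuffled with the OS CSPRNG. The work
    is bounded by the length, so there is no retry loop to get stuck in.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # "~" is not in ALPHABET, so this operator-style pattern can never match.
    print(generate_by_rejection(r".*~.*", 12, max_attempts=500))
    print(generate_by_construction(12))
```

Neither function changes what the comment says about scope: both only shape the password ACS generates, and nothing here is enforced inside the guest operating system.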
