> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Bennett, Chip
> Sent: Thursday, 13 October 2016 7:21 AM
> To: Florence Blanc-Renaud; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
> Insufficient
> 
> Flo,
> 
> Thanks for getting back to me.  I had seen this in the documentation.   I was 
> just
> hoping that I was missing something.   I guess I'm just surprised that a 
> product
> designed to manage authentication wouldn't have a way to be more specific in 
> the
> complexity requirements.


I don't know. Those type of complexity requirements are multifaceted, complex 
and somewhat arbitrary. Given that each then requires regex, I'm quite happy 
that the devs focus on getting other aspects of FreeIPA to work over password 
complexity. 

As xkcd noted a couple of years ago, password length is better for security 
than anything else. 

Complex arrangements of different character classes is neither human or UX 
friendly nor where contemporary security theory is focused - try 2FA, 
public/private keys, etc. While I understand that large organisations have 
policy that often drags well behind contemporary theory, I don't think it's 
fair to expect software to also allow for that.

Cheers
L.






> 
> Thanks again!
> Chip
> 
> -----Original Message-----
> From: Florence Blanc-Renaud [mailto:f...@redhat.com]
> Sent: Wednesday, October 12, 2016 3:18 PM
> To: Bennett, Chip <cbenn...@ftdi.com>; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
> Insufficient
> 
> On 10/11/2016 07:36 PM, Bennett, Chip wrote:
> > I just joined this list, so if this question has been asked before
> > (and I'll bet it has), I apologize in advance.
> >
> >
> >
> > A google search was unrevealing, so I'm asking here: we're running
> > FreeIPA Version 3.0.0 on CentOS 6.6.   It looks like the password
> > complexity requirements are limited to setting the number of character
> > classes to require, i.e. setting it to "2" would require your new
> > password to be any two of the character classes.
> >
> >
> >
> > What if you wanted new passwords to meet specific class requirements,
> > i.e. a mix of UL, LC, and numbers.  It looks like you would use a
> > value of "3" to accomplish this, but that would also allow UC, LC, and
> > special, or LC, numbers, and special, but you don't want to allow the
> > those:  how would you specify that?
> >
> Hi,
> 
> as far as I know, it is only possible to specify the number of different 
> character
> classes. The doc chapter "Creating Password Policies in the Web UI" [1] 
> describes
> the following:
> ---
> Character classes sets the number of different categories of character that 
> must be
> used in the password. This does not set which classes must be used; it sets 
> the
> number of different (unspecified) classes which must be used in a password. 
> For
> example, a character class can be a number, special character, or capital; the
> complete list of categories is in Table 22.1, "Password Policy Settings". 
> This is part
> of setting the complexity requirements.
> ---
> 
> hope this clarifies,
> Flo
> 
> [1]
> https://access.redhat.com/documentation/en-
> US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_
> Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.ht
> ml#creating-group-policy-ui
> 
> 
> >
> >
> > Also, what if you had a requirement for more than one of the character
> > classes, i.e. you want to require two UC characters or two special
> > characters?
> >
> >
> >
> > Thanks in advance for the help,
> >
> > Chip Bennett
> >
> >
> >
> >
> > This message is solely for the intended recipient(s) and may contain
> > confidential and privileged information. Any unauthorized review, use,
> > disclosure or distribution is prohibited.
> >
> >
> 
> 
> This message is solely for the intended recipient(s) and may contain 
> confidential
> and privileged information.
> Any unauthorized review, use, disclosure or distribution is prohibited.
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
This email (including any attachments or links) may contain 
confidential and/or legally privileged information and is 
intended only to be read or used by the addressee.  If you 
are not the intended addressee, any use, distribution, 
disclosure or copying of this email is strictly 
prohibited.  
Confidentiality and legal privilege attached to this email 
(including any attachments) are not waived or lost by 
reason of its mistaken delivery to you.
If you have received this email in error, please delete it 
and notify us immediately by telephone or email.  Peter 
MacCallum Cancer Centre provides no guarantee that this 
transmission is free of virus or that it has not been 
intercepted or altered and will not be liable for any delay 
in its receipt.


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to