Unfortunately, policy and regulation often lag behind current theory by several decades. For what it's worth, I'd second being able to set more complicated policies as a useful feature.
On Oct 12, 2016 6:38 PM, "Simpson Lachlan" <lachlan.simp...@petermac.org> wrote:

> > -----Original Message-----
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Bennett, Chip
> > Sent: Thursday, 13 October 2016 7:21 AM
> > To: Florence Blanc-Renaud; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient
> >
> > Flo,
> >
> > Thanks for getting back to me. I had seen this in the documentation. I was just
> > hoping that I was missing something. I guess I'm just surprised that a product
> > designed to manage authentication wouldn't have a way to be more specific in the
> > complexity requirements.
>
> I don't know. Those types of complexity requirements are multifaceted,
> complex and somewhat arbitrary. Given that each then requires regex, I'm
> quite happy that the devs focus on getting other aspects of FreeIPA to work
> over password complexity.
>
> As xkcd noted a couple of years ago, password length is better for
> security than anything else.
>
> Complex arrangements of different character classes are neither human nor UX
> friendly nor where contemporary security theory is focused - try 2FA,
> public/private keys, etc. While I understand that large organisations have
> policy that often drags well behind contemporary theory, I don't think it's
> fair to expect software to also allow for that.
>
> Cheers
> L.
>
> > Thanks again!
> > Chip
> >
> > -----Original Message-----
> > From: Florence Blanc-Renaud [mailto:f...@redhat.com]
> > Sent: Wednesday, October 12, 2016 3:18 PM
> > To: Bennett, Chip <cbenn...@ftdi.com>; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient
> >
> > On 10/11/2016 07:36 PM, Bennett, Chip wrote:
> > > I just joined this list, so if this question has been asked before
> > > (and I'll bet it has), I apologize in advance.
> > >
> > > A Google search was unrevealing, so I'm asking here: we're running
> > > FreeIPA Version 3.0.0 on CentOS 6.6. It looks like the password
> > > complexity requirements are limited to setting the number of character
> > > classes to require, i.e. setting it to "2" would require your new
> > > password to be any two of the character classes.
> > >
> > > What if you wanted new passwords to meet specific class requirements,
> > > i.e. a mix of UC, LC, and numbers? It looks like you would use a
> > > value of "3" to accomplish this, but that would also allow UC, LC, and
> > > special, or LC, numbers, and special, but you don't want to allow
> > > those: how would you specify that?
> > >
> > Hi,
> >
> > as far as I know, it is only possible to specify the number of different character
> > classes. The doc chapter "Creating Password Policies in the Web UI" [1] describes
> > the following:
> > ---
> > Character classes sets the number of different categories of character that must be
> > used in the password. This does not set which classes must be used; it sets the
> > number of different (unspecified) classes which must be used in a password. For
> > example, a character class can be a number, special character, or capital; the
> > complete list of categories is in Table 22.1, "Password Policy Settings". This is part
> > of setting the complexity requirements.
> > ---
> >
> > hope this clarifies,
> > Flo
> >
> > [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui
> >
> > > Also, what if you had a requirement for more than one of the character
> > > classes, i.e. you want to require two UC characters or two special
> > > characters?
> > >
> > > Thanks in advance for the help,
> > >
> > > Chip Bennett

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
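
The gap discussed in this thread, between a policy that counts character classes and one that names them, shown as an added example that is not part of the original messages or of FreeIPA's code. It assumes a simplified four-class model (UC, LC, digit, special); the function names and sample passwords are constructed for illustration.

```python
import string
from collections import Counter

# Assumption: simplified four-class model. FreeIPA's actual category list is in
# the "Password Policy Settings" table cited in the thread, not reproduced here.
# Anything that is not an ASCII letter or digit is treated as "special".


def classify(ch):
    """Map one character to its class name (hypothetical helper)."""
    if ch in string.ascii_uppercase:
        return "UC"
    if ch in string.ascii_lowercase:
        return "LC"
    if ch in string.digits:
        return "digit"
    return "special"


def class_counts(password):
    """Count how many characters of each class the password contains."""
    return Counter(classify(ch) for ch in password)


def meets_class_count(password, min_classes):
    """Count-only policy: any `min_classes` distinct classes satisfy it."""
    return len(class_counts(password)) >= min_classes


def meets_specific(password, required):
    """Stricter policy from the question: per-class minimums, e.g. {"UC": 2}."""
    counts = class_counts(password)
    return all(counts[name] >= n for name, n in required.items())


def audit(passwords, min_classes, required):
    """Return passwords the count-only policy accepts but `required` rejects."""
    return [p for p in passwords
            if meets_class_count(p, min_classes) and not meets_specific(p, required)]


# Constructed sample passwords, for illustration only.
SAMPLES = ["Summer2016", "Summer!!!!", "summer#2016", "SUmmer2016", "summer"]
WANTED = {"UC": 1, "LC": 1, "digit": 1}

if __name__ == "__main__":
    for p in audit(SAMPLES, 3, WANTED):
        print(f"{p!r} passes classes=3 but does not satisfy {WANTED}")
```

A site that must enforce named classes or per-class minimums could run a check like `audit` as a separate control alongside the class-count setting.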