Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-13 Thread Rob Crittenden

Ernedin Zajko wrote:

Hi Anton,

maybe you can "talk" directly to ds:
http://directory.fedoraproject.org/docs/389ds/FAQ/password-syntax.html
regards,


That won't work. IPA re-implements password policy because it is baked 
into 389-ds and not pluggable or extensible.


There are some open tickets for enhancing IPA password policies but 
other features have taken precedence thus far:


https://fedorahosted.org/freeipa/ticket/2445
https://fedorahosted.org/freeipa/ticket/5948

rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Ernedin Zajko
Hi Anton,

maybe you can "talk" directly to ds:
http://directory.fedoraproject.org/docs/389ds/FAQ/password-syntax.html
regards,

--- Ernedin ZAJKO
 eza...@root.ba

340282366920938463463374607431768211456

Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Anon Lister
Unfortunately, policy and regulation often lag behind current theory by
several decades. For what it's worth, I'd second being able to set more
complicated policies as a useful feature.

Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Simpson Lachlan
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Bennett, Chip
> Sent: Thursday, 13 October 2016 7:21 AM
> To: Florence Blanc-Renaud; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Password Complexity Requirements Seems
> Insufficient
> 
> Flo,
> 
> Thanks for getting back to me.  I had seen this in the documentation.   I was
> just hoping that I was missing something.   I guess I'm just surprised that a
> product designed to manage authentication wouldn't have a way to be more
> specific in the complexity requirements.


I don't know. Those types of complexity requirements are multifaceted, complex 
and somewhat arbitrary. Given that each then requires a regex, I'm quite happy 
that the devs focus on getting other aspects of FreeIPA to work over password 
complexity. 

As xkcd noted a couple of years ago, password length is better for security 
than anything else. 

Complex arrangements of different character classes are neither human- nor 
UX-friendly, nor where contemporary security theory is focused - try 2FA, 
public/private keys, etc. While I understand that large organisations have 
policy that often drags well behind contemporary theory, I don't think it's 
fair to expect software to also allow for that.

Cheers
L.

Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Bennett, Chip
Flo,

Thanks for getting back to me.  I had seen this in the documentation.   I was 
just hoping that I was missing something.   I guess I'm just surprised that a 
product designed to manage authentication wouldn't have a way to be more 
specific in the complexity requirements.

Thanks again!
Chip


Re: [Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-12 Thread Florence Blanc-Renaud

On 10/11/2016 07:36 PM, Bennett, Chip wrote:

I just joined this list, so if this question has been asked before (and
I’ll bet it has), I apologize in advance.



A google search was unrevealing, so I’m asking here: we’re running
FreeIPA Version 3.0.0 on CentOS 6.6.   It looks like the password
complexity requirements are limited to setting the number of character
classes to require, i.e. setting it to “2” would require your new
password to be any two of the character classes.



What if you wanted new passwords to meet specific class requirements,
i.e. a mix of UC, LC, and numbers.  It looks like you would use a value
of “3” to accomplish this, but that would also allow UC, LC, and
special, or LC, numbers, and special, but you don’t want to allow
those:  how would you specify that?


Hi,

as far as I know, it is only possible to specify the number of different 
character classes. The doc chapter "Creating Password Policies in the 
Web UI" [1] describes the following:

---
Character classes sets the number of different categories of character 
that must be used in the password. This does not set which classes must 
be used; it sets the number of different (unspecified) classes which 
must be used in a password. For example, a character class can be a 
number, special character, or capital; the complete list of categories 
is in Table 22.1, “Password Policy Settings”. This is part of setting 
the complexity requirements.

---

hope this clarifies,
Flo

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_Different_Password_Policies_for_Different_User_Groups.html#creating-group-policy-ui

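To make the distinction in Flo's quoted documentation paragraph concrete, here is an added Python illustration (not FreeIPA's code and not written by anyone in this thread) that evaluates a password against both rules: the one FreeIPA exposes, "at least N different, unspecified classes", and the one Chip asked for, "these specific classes, each at least K times". The class sets are an assumption made for the illustration (uppercase, lowercase, digits and ASCII punctuation, the classes named in the thread; FreeIPA's actual category list is in the Table 22.1 that Flo cites), and the function names are made up for this example.

```python
"""Added illustration, not FreeIPA code: 'N different classes' versus
'these specific classes, K times each'."""
import string
from typing import Dict, Iterable, Set

# Simplified character classes as the thread names them (UC, LC, numbers,
# special). This set is an assumption for illustration; FreeIPA's real
# category list is in the documentation table linked in the thread.
CLASSES: Dict[str, Set[str]] = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def class_counts(password: str) -> Dict[str, int]:
    """Number of characters of each class in the password."""
    return {name: sum(ch in chars for ch in password)
            for name, chars in CLASSES.items()}


def classes_present(password: str) -> Set[str]:
    """Set of classes that occur at least once."""
    return {name for name, n in class_counts(password).items() if n > 0}


def meets_ipa_min_classes(password: str, min_classes: int) -> bool:
    """The rule FreeIPA's 'character classes' setting enforces, as the
    quoted documentation describes it: at least `min_classes` *different*
    classes must appear, but which ones is not specified."""
    return len(classes_present(password)) >= min_classes


def meets_required_classes(password: str, required: Iterable[str],
                           min_per_class: int = 1) -> bool:
    """The rule the original poster wanted (hypothetical; not an IPA
    setting): every class in `required` must appear, each at least
    `min_per_class` times. min_per_class=2 models 'two UC characters'."""
    counts = class_counts(password)
    return all(counts[name] >= min_per_class for name in required)


def compare(password: str, min_classes: int, required: Iterable[str],
            min_per_class: int = 1) -> Dict[str, bool]:
    """Evaluate both rules so the gap between them is visible."""
    return {
        "ipa_min_classes": meets_ipa_min_classes(password, min_classes),
        "required_classes": meets_required_classes(password, required,
                                                   min_per_class),
    }


if __name__ == "__main__":
    # Constructed sample passwords. "abc123!?#" is the case the poster
    # describes: three classes are present, so a setting of 3 accepts it,
    # yet it contains no uppercase letter at all.
    wanted = ("upper", "lower", "digit")
    for pw in ("Abc123xyz", "abc123!?#", "ABcd12"):
        print(pw, compare(pw, 3, wanted),
              "two uppers:", meets_required_classes(pw, ("upper",), 2))
```

Run as a script it prints the three constructed samples; the second one satisfies a class count of 3 without any uppercase letter, which is exactly the gap Chip describes. The `meets_required_classes` check is what a front end or pre-change script would have to add itself, since, per Flo's answer, the server-side setting only counts distinct classes.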

[Freeipa-users] Password Complexity Requirements Seems Insufficient

2016-10-11 Thread Bennett, Chip
I just joined this list, so if this question has been asked before (and I'll 
bet it has), I apologize in advance.

A google search was unrevealing, so I'm asking here: we're running FreeIPA 
Version 3.0.0 on CentOS 6.6.   It looks like the password complexity 
requirements are limited to setting the number of character classes to require, 
i.e. setting it to "2" would require your new password to be any two of the 
character classes.

What if you wanted new passwords to meet specific class requirements, i.e. a 
mix of UC, LC, and numbers.  It looks like you would use a value of "3" to 
accomplish this, but that would also allow UC, LC, and special, or LC, numbers, 
and special, but you don't want to allow those:  how would you specify that?

Also, what if you had a requirement for more than one of the character classes, 
i.e. you want to require two UC characters or two special characters?

Thanks in advance for the help,
Chip Bennett


This message is solely for the intended recipient(s) and may contain 
confidential and privileged information.
Any unauthorized review, use, disclosure or distribution is prohibited.