Re: [Discuss] CEP-24 Password validation and generation

2022-12-19 Thread Miklosovic, Stefan
Jr via dev Sent: Wednesday, October 19, 2022 10:58 To: dev@cassandra.apache.org Subject: Re: [Discuss] CEP-24 Password validation and generation NetApp Security WARNING: This is an external email. Do not click links or open attachments unless you recognize the sender and know the content is saf

Re: [Discuss] CEP-24 Password validation and generation

2022-10-19 Thread Claude Warren, Jr via dev
"A simple implementation of the observer that logs the messages Jeff >> suggested would probably be sufficient." >> >> Yes, no problem with logging from Guardrail directly. >> >> (1) >> https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-24%3A+Password+val

Re: [Discuss] CEP-24 Password validation and generation

2022-10-13 Thread Claude Warren, Jr via dev
tics events would satisfy your needs? > > Regards > > > From: Claude Warren, Jr via dev > Sent: Thursday, October 13, 2022 14:43 > To: dev@cassandra.apache.org > Subject: Re: [Discuss] CEP-24 Password validation and generation

Re: [Discuss] CEP-24 Password validation and generation

2022-10-13 Thread Miklosovic, Stefan
? Regards From: Claude Warren, Jr via dev Sent: Thursday, October 13, 2022 14:43 To: dev@cassandra.apache.org Subject: Re: [Discuss] CEP-24 Password validation and generation

Re: [Discuss] CEP-24 Password validation and generation

2022-10-13 Thread Claude Warren, Jr via dev
rds > > Regards > > ________________ > From: Claude Warren, Jr > Sent: Thursday, October 13, 2022 12:50 > To: Miklosovic, Stefan > Cc: dev@cassandra.apache.org > Subject: Re: [Discuss] CEP-24 Password validation and generation

Re: [Discuss] CEP-24 Password validation and generation

2022-10-13 Thread Claude Warren, Jr via dev
aries. This might be included in > the CEP but I would keep it out for the very first implementation and it > can be finished afterwards in some other commit. I do not find it > absolutely necessary to do it right now. > > Regards, > > Stefan > >

Re: [Discuss] CEP-24 Password validation and generation

2022-10-13 Thread Fleming, Jackson
Warren, Jr Subject: Re: [Discuss] CEP-24 Password validation and generation Hi Claude, you said: "I don't know the govt

Re: [Discuss] CEP-24 Password validation and generation

2022-10-13 Thread Miklosovic, Stefan
mmit. I do not find it absolutely necessary to do it right now. Regards, Stefan From: Claude Warren, Jr via dev Sent: Thursday, October 13, 2022 9:44 To: dev@cassandra.apache.org Subject: Fwd: [Discuss] CEP-24 Password validation and generation

Fwd: [Discuss] CEP-24 Password validation and generation

2022-10-13 Thread Claude Warren, Jr via dev
I managed not to send this to the mailing list... I don't know the govt spec. but there is a US govt security level where you are not allowed to inform the user why the login failed. It seems to me that there are 2 intertwined components being discussed. 1) A component to perform a user

Re: [Discuss] CEP-24 Password validation and generation

2022-10-12 Thread Brad
atable to operators and organisations that > want to use Cassandra. > > > > Regards, > > > > Jackson > > > > *From: *Brad > *Date: *Wednesday, 12 October 2022 at 2:42 am > *To: *dev@cassandra.apache.org > *Subject: *Re: [Discuss] CEP-24 Password validati

Re: [Discuss] CEP-24 Password validation and generation

2022-10-12 Thread Fleming, Jackson
error, the following has to be done: Password must be 8 or more characters in length. " Cheers, Jackson From: Derek Chen-Becker Date: Wednesday, 12 October 2022 at 7:07 am To: dev@cassandra.apache.org Subject: Re: [Discuss] CEP-24 Password validation and generation

Re: [Discuss] CEP-24 Password validation and generation

2022-10-12 Thread Fleming, Jackson
approach is more implementable and more palatable to operators and organisations that want to use Cassandra. Regards, Jackson From: Brad Date: Wednesday, 12 October 2022 at 2:42 am To: dev@cassandra.apache.org Subject: Re: [Discuss] CEP-24 Password validation and generation

Re: [Discuss] CEP-24 Password validation and generation

2022-10-11 Thread Derek Chen-Becker
that they tried to create a password with a lot of >> repeating characters? What is the added value here? >> >> I need to double check if warnings are logged as well. I'll get back to >> you. >> >> >> >> From:

Re: [Discuss] CEP-24 Password validation and generation

2022-10-11 Thread Miklosovic, Stefan
From: Jeff Jirsa Sent: Tuesday, October 11, 2022 20:56 To: dev@cassandra.apache.org Subject: Re: [Discuss] CEP-24 Password validation and generation

Re: [Discuss] CEP-24 Password validation and generation

2022-10-11 Thread Jeff Jirsa
Chen-Becker > Sent: Tuesday, October 11, 2022 18:59 > To: dev@cassandra.apache.org > Subject: Re: [Discuss] CEP-24 Password validation and generation

Re: [Discuss] CEP-24 Password validation and generation

2022-10-11 Thread Miklosovic, Stefan
thread. I will try to summarize where we are as it is easy to get lost in these emails. From: Derek Chen-Becker Sent: Tuesday, October 11, 2022 18:59 To: dev@cassandra.apache.org Subject: Re: [Discuss] CEP-24 Password validation and generation

Re: [Discuss] CEP-24 Password validation and generation

2022-10-11 Thread Derek Chen-Becker
day, October 11, 2022 17:47 > To: dev@cassandra.apache.org > Subject: Re: [Discuss] CEP-24 Password validation and generation

Re: [Discuss] CEP-24 Password validation and generation

2022-10-11 Thread Miklosovic, Stefan
er.org>> Sent: Tuesday, October 11, 2022 17:14 To: dev@cassandra.apache.org Subject: Re: [Discuss] CEP-24 Password validation and generation

Re: [Discuss] CEP-24 Password validation and generation

2022-10-11 Thread Miklosovic, Stefan
41 To: dev@cassandra.apache.org Subject: Re: [Discuss] CEP-24 Password validation and generation I'd agree that password expiry should be avoided.

Re: [Discuss] CEP-24 Password validation and generation

2022-10-11 Thread Derek Chen-Becker
same as > the original one, would still have to be valid, but it just might be same > as it was. > > > From: Derek Chen-Becker > Sent: Tuesday, October 11, 2022 17:14 > To: dev@cassandra.apache.org > Subject: Re: [Discuss] CEP-24 Pa

Re: [Discuss] CEP-24 Password validation and generation

2022-10-11 Thread Brad
levels - OK password, password with a warning and failed > password. We inform a user about the strength of his password retroactively > - we do not tell him what the password should be before he tries to set one > however I think that is acceptable when using Cassandra and cqlsh in > console environme

Re: [Discuss] CEP-24 Password validation and generation

2022-10-11 Thread Miklosovic, Stefan
scho...@gmail.com>> Sent: Monday, October 10, 2022 17:43 To: dev@cassandra.apache.org Subject: Re: [Discuss] CEP-24 Password validation and generation

Re: [Discuss] CEP-24 Password validation and generation

2022-10-11 Thread Derek Chen-Becker
word. We inform a user about the strength of his password retroactively > - we do not tell him what the password should be before he tries to set one > however I think that is acceptable when using Cassandra and cqlsh in > console environment. > > (1) https://pages.nist.gov/800

Re: [Discuss] CEP-24 Password validation and generation

2022-10-11 Thread Josh McKenzie
ore he tries to set one > however I think that is acceptable when using Cassandra and cqlsh in console > environment. > > (1) https://pages.nist.gov/800-63-3/sp800-63b.html#appA > > From: Brad > Sent: Monday, October 10, 2022 17:43 >

Re: [Discuss] CEP-24 Password validation and generation

2022-10-10 Thread Miklosovic, Stefan
_ From: Brad Sent: Monday, October 10, 2022 17:43 To: dev@cassandra.apache.org Subject: Re: [Discuss] CEP-24 Password validation and generation

Re: [Discuss] CEP-24 Password validation and generation

2022-10-10 Thread Brad
I would suggest reviewing the guidelines in sec. 5.1.1.2 of NIST Special Publication 800-63B and the NCSC Password policy: updating your approach - NCSC.GOV.UK

Re: [Discuss] CEP-24 Password validation and generation

2022-10-10 Thread Miklosovic, Stefan
with all the details involved and CEP seemed to be a good way to cement that. From: Andrés de la Peña Sent: Friday, September 23, 2022 13:36 To: dev@cassandra.apache.org Subject: Re: [Discuss] CEP-24 Password validation and generation

Re: [Discuss] CEP-24 Password validation and generation

2022-09-23 Thread Andrés de la Peña
I think that custom, pluggable type of guardrail will be a great addition to the framework. The first guardrails prototype included a factory of guardrails that was able to provide different guardrail instances depending on the specified class and client state. That was discarded during review in

[Discuss] CEP-24 Password validation and generation

2022-09-19 Thread Miklosovic, Stefan
Hi list, together with my colleague Jackson Fleming we put together CEP-24 about password validation and password generation in Cassandra. https://cwiki.apache.org/confluence/x/QoueDQ We are looking forward to discussing this CEP with you in depth. The outcome of this thread would be to sort out