Re: [openstack-dev] [openstack][keystone] Is the user password too simple?

2014-01-01 Thread li-zheming
On 2013-12-31 at 03:15, Brant Knudson <b...@acm.org> wrote:

> On Mon, Dec 30, 2013 at 12:55 AM, li-zheming <li-zhem...@163.com> wrote:
>
> > hi all:
> >   When creating a user, you can set the user password. You can set the password as a
> > simple word 'a'. The password is too simple, but there is no limit. If someone wants
> > to steal your password, it is so easy (such as by exhaustion).
> > I consider that it must be limited when setting a password, like this:
> >   1. include upper and lower letters
> >   2. include numbers
> >   3. include particular symbols, such as '_', ''
> >   4. the length > 8
> > The administrator can set the password rules.
> >
> > I want to provide a BP about this issue. Can you give me some advice or
> > ideas?
> > Thanks!
> >
> > lizheming
>
> I'd prefer it if we didn't reinvent this wheel ourselves. If customers need to
> enforce password strength, expiration, history, user lockout, etc, then they
> should store users in an LDAP directory that supports these things and
> configure Keystone to use that.
>
> - Brant

hi Brant:
  I am sorry, I may not understand how to "store users in an LDAP directory
that supports these things and configure Keystone to use that". Is there some
configuration in Keystone for it?
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [openstack][keystone] Is the user password too simple?

2014-01-01 Thread li-zheming
hi Thomas:
  Thank you for your suggestion. I agree with you. cracklib is useful to check
passwords. I only gave an example of setting a password, not forcing the use of
this rule. I think the password scheme needs more discussion.
  I refer to the Linux password policy. The Linux password rules are
configurable, like this:
  PASS_MAX_DAYS   9
  PASS_MIN_DAYS   0
  PASS_MIN_LEN    5
  PASS_WARN_AGE   7
These are the general rules. If you want to enforce a strong password, you can
use the pam_cracklib module.
  So we can also configure the password policy. Someone who doesn't need
a strong password can set the general rules in keystone.conf.
Someone who needs a strong password can load cracklib (or others)
to check the password, and the password rules can be set by the administrator.
This is only my idea; can you give me more suggestions? Thanks!
--lizheming


On 2013-12-30 at 23:15, Thomas Goirand <z...@debian.org> wrote:

> On 12/30/2013 02:55 PM, li-zheming wrote:
> > hi all:
> >   When creating a user, you can set the user password. You can set the password
> > as a simple word 'a'. The password is too simple, but there is no limit. If
> > someone wants to steal your password, it is so easy (such as by exhaustion).
> > I consider that it must be limited when setting a password, like this:
> >   1. include upper and lower letters
> >   2. include numbers
> >   3. include particular symbols, such as '_', ''
> >   4. the length > 8
> > The administrator can set the password rules.
>
> Hi,
>
> If you want to check for password complexity, do it the correct way. I'm
> used to *always* using a password generator that uses only lower case, and
> removes chars that can be confused with one another, so that you don't
> have l and 1, or O and 0 in my passwords. Yet, they are high entropy and
> long. If you just force me to add upper+lower case and add symbols, then
> you are just annoying me even with my very good passwords.
>
> > I want to provide a BP about this issue. Can you give me some advice
> > or ideas?
>
> Please use a password entropy function. Something like this:
> https://pypi.python.org/pypi/cracklib
>
> Thomas



Re: [openstack-dev] [openstack][keystone] Is the user password too simple?

2014-01-01 Thread Morgan Fainberg
Brant,

That is fine for some cases, but we provide non-LDAP backends, and a
read/write backend. If we continue to provide a Keystone-specific IdP
(likely we need to), these features are a must-have in the long run. Just
my view (and requests from real customers). It's all well and good to
recommend LDAP and handle all that logic in the IdP, but many use-cases
don't allow for that configuration. I think providing partial or toy
implementations is suboptimal from a product completeness standpoint / user
and deployer experience.

--Morgan

On Wednesday, January 1, 2014, li-zheming wrote:

> hi Thomas:
>   Thank you for your suggestion. I agree with you. cracklib is useful
> to check passwords. I only gave an example of setting a password, not
> forcing the use of this rule. I think the password scheme needs more
> discussion.
>   I refer to the Linux password policy. The Linux password rules are
> configurable, like this:
>   PASS_MAX_DAYS   9
>   PASS_MIN_DAYS   0
>   PASS_MIN_LEN    5
>   PASS_WARN_AGE   7
> These are the general rules. If you want to enforce a strong password, you can
> use the pam_cracklib module.
>   So we can also configure the password policy. Someone who doesn't need
> a strong password can set the general rules in keystone.conf.
> Someone who needs a strong password can load cracklib (or others)
> to check the password, and the password rules can be set by the administrator.
> This is only my idea; can you give me more suggestions? Thanks!
> --lizheming
>
>
> On 2013-12-30 at 23:15, Thomas Goirand <z...@debian.org> wrote:
>
> > On 12/30/2013 02:55 PM, li-zheming wrote:
> > > hi all:
> > >   When creating a user, you can set the user password. You can set the password
> > > as a simple word 'a'. The password is too simple, but there is no limit. If
> > > someone wants to steal your password, it is so easy (such as by exhaustion).
> > > I consider that it must be limited when setting a password, like this:
> > >   1. include upper and lower letters
> > >   2. include numbers
> > >   3. include particular symbols, such as '_', ''
> > >   4. the length > 8
> > > The administrator can set the password rules.
> >
> > Hi,
> >
> > If you want to check for password complexity, do it the correct way. I'm
> > used to *always* using a password generator that uses only lower case, and
> > removes chars that can be confused with one another, so that you don't
> > have l and 1, or O and 0 in my passwords. Yet, they are high entropy and
> > long. If you just force me to add upper+lower case and add symbols, then
> > you are just annoying me even with my very good passwords.
> >
> > > I want to provide a BP about this issue. Can you give me some advice
> > > or ideas?
> >
> > Please use a password entropy function. Something like this:
> > https://pypi.python.org/pypi/cracklib
> >
> > Thomas



Re: [openstack-dev] [openstack][keystone] Is the user password too simple?

2013-12-30 Thread Jeremy Stanley
On 2013-12-30 23:15:06 +0800 (+0800), Thomas Goirand wrote:
> On 12/30/2013 02:55 PM, li-zheming wrote:
> [...]
> > I consider that it must be limited when setting a password, like this:
> >   1. include upper and lower letters
> >   2. include numbers
> >   3. include particular symbols, such as '_', ''
> >   4. the length > 8
> > The administrator can set the password rules.
> [...]
> If you just force me to add upper+lower case and add symbols, then
> you are just annoying me even with my very good passwords.
> [...]

I think cracklib (or similar) integration as an optional rule, along
with those listed above, would be great... I'd even say docs should
recommend doing it the right way with an entropy checker rule
rather than those other arbitrary checks. However, support for them
is still useful because some operators very well may be hamstrung by
cargo-cult best practices requirements like that baked into their
corporate security policies (so they'll need to be able to support
such schemes no matter how backward it might seem).
-- 
Jeremy Stanley



Re: [openstack-dev] [openstack][keystone] Is the user password too simple?

2013-12-30 Thread Gabriel pettier
On Mon, Dec 30, 2013 at 11:15:06PM +0800, Thomas Goirand wrote:
> On 12/30/2013 02:55 PM, li-zheming wrote:
> > hi all:
> >   When creating a user, you can set the user password. You can set the password
> > as a simple word 'a'. The password is too simple, but there is no limit. If
> > someone wants to steal your password, it is so easy (such as by exhaustion).
> > I consider that it must be limited when setting a password, like this:
> >   1. include upper and lower letters
> >   2. include numbers
> >   3. include particular symbols, such as '_', ''
> >   4. the length > 8
> > The administrator can set the password rules.
>
> Hi,
>
> If you want to check for password complexity, do it the correct way. I'm
> used to *always* using a password generator that uses only lower case, and
> removes chars that can be confused with one another, so that you don't
> have l and 1, or O and 0 in my passwords. Yet, they are high entropy and
> long. If you just force me to add upper+lower case and add symbols, then
> you are just annoying me even with my very good passwords.
>
> > I want to provide a BP about this issue. Can you give me some advice
> > or ideas?
>
> Please use a password entropy function. Something like this:
> https://pypi.python.org/pypi/cracklib
>
> Thomas
>
>

I agree with this. If there is a check, it should check general safety
rather than expect all conditions to be fulfilled. If I have a 50-letter
pass (and I do; using full sentences is quite convenient), don't force
me to have numbers or symbols in it; it's already way harder to crack
than an 8-char word with a capital, a number, and a non-alphanumerical
char.

--
Gabriel Pettier
Software Engineer at CloudWatt.com 
06 85 10 36 34

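Added example (not Keystone's code, nor cracklib's) of the policy shape this thread converges on: li-zheming's configurable general rules (a minimum length like PASS_MIN_LEN, plus an optional composition rule), an entropy-style rule of the kind Thomas and Jeremy prefer, and an optional cracklib hook. The option names, the brute-force entropy estimate and the sample passwords are assumptions; Gabriel's point falls out of it, since a 50-letter lowercase sentence scores far above an 8-character mixed word.

```python
"""Configurable password policy check, added as an example (not Keystone's
own code, nor cracklib's): li-zheming's general rules, an entropy-style rule
as Thomas and Jeremy suggest, and an optional hook into cracklib."""
import math
import string
from dataclasses import dataclass

# Character classes an exhaustive-search attacker has to cover.
_CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
            "digit": string.digits, "symbol": string.punctuation}

@dataclass
class PasswordPolicy:  # hypothetical operator-set options, not keystone.conf's
    min_length: int = 5           # like PASS_MIN_LEN in /etc/login.defs
    required_classes: int = 0     # composition rule: classes required (0 = off)
    min_entropy_bits: float = 0   # entropy rule: brute-force bits required (0 = off)
    use_cracklib: bool = False    # also consult cracklib when it is installed

def present_classes(pw):
    """Names of the character classes that actually occur in pw."""
    return [n for n, chars in _CLASSES.items() if any(c in chars for c in pw)]

def entropy_bits(pw):
    """Brute-force estimate: length * log2(size of the alphabet in use)."""
    alphabet = sum(len(_CLASSES[n]) for n in present_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def cracklib_error(pw):
    """cracklib's complaint, '' if it accepts pw, None if cracklib is absent."""
    try:
        import cracklib  # optional dependency, like pam_cracklib on Linux
        cracklib.FascistCheck(pw)  # raises ValueError for a weak password
        return ""
    except ImportError:
        return None
    except ValueError as err:
        return str(err)

def check_password(pw, policy):
    """Return the violated rules; an empty list means pw is accepted."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    if policy.required_classes and len(present_classes(pw)) < policy.required_classes:
        problems.append("fewer than %d character classes" % policy.required_classes)
    if policy.min_entropy_bits and entropy_bits(pw) < policy.min_entropy_bits:
        problems.append("estimated entropy below %.0f bits" % policy.min_entropy_bits)
    msg = policy.use_cracklib and cracklib_error(pw)
    if msg:
        problems.append("cracklib: " + msg)
    return problems
```

With the composition rule on, the long lowercase sentence is rejected while the 8-character mixed word passes; with the entropy rule instead, the outcome flips.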


Re: [openstack-dev] [openstack][keystone] Is the user password too simple?

2013-12-30 Thread Brant Knudson
On Mon, Dec 30, 2013 at 12:55 AM, li-zheming <li-zhem...@163.com> wrote:

> hi all:
>   When creating a user, you can set the user password. You can set the password as
> a simple word 'a'. The password is too simple, but there is no limit. If someone
> wants to steal your password, it is so easy (such as by exhaustion).
> I consider that it must be limited when setting a password, like this:
>   1. include upper and lower letters
>   2. include numbers
>   3. include particular symbols, such as '_', ''
>   4. the length > 8
> The administrator can set the password rules.
>
> I want to provide a BP about this issue. Can you give me some advice or
> ideas?
> Thanks!
>
> lizheming


I'd prefer it if we didn't reinvent this wheel ourselves. If customers need
to enforce password strength, expiration, history, user lockout, etc, then
they should store users in an LDAP directory that supports these things and
configure Keystone to use that.

- Brant