Re: [openstack-dev] [openstack][keystone] Is the user password too simple?
Brant,

That is fine for some cases, but we provide non-LDAP backends, and a read/write backend. If we continue to provide a Keystone-specific IdP (likely we need to), these features are a must-have in the long run. Just my view (and requests from real customers). It's all well and good to recommend LDAP and handle all that logic in the IdP, but many use cases don't allow for that configuration. I think providing partial or "toy" implementations is suboptimal from a product completeness standpoint / user and deployer experience.

--Morgan

On Wednesday, January 1, 2014, li-zheming wrote:
> hi Thomas:
> thank you for your suggestion. I agree with you. cracklib is useful to check
> passwords. I only gave an example of setting a password, not forcing use of this rule.
> I think the password scheme should be discussed more.
> I refer to the Linux password policy. The Linux password rule is configurable,
> like this:
>     PASS_MAX_DAYS 9
>     PASS_MIN_DAYS 0
>     PASS_MIN_LEN 5
>     PASS_WARN_AGE 7
> This is the general rule. If you want to set a strong password, you can
> use the pam_cracklib module. So we can also configure the password policy.
> Someone who doesn't need a strong password can set the general rule in keystone.conf.
> Someone who needs a strong password can load cracklib (or others)
> and check the password, and the password rule can be set by the administrator.
> This is only my idea; can you give me more suggestions? Thanks!
> --lizheming
>
> On 2013-12-30 23:15, "Thomas Goirand" wrote:
>
> > On 12/30/2013 02:55 PM, li-zheming wrote:
> > > hi all:
> > > When creating a user, you can set the user password. You can set the password
> > > as a simple word 'a'. The password is too simple, but it is not limited. If
> > > someone wants to steal your password, it is so easy (such as exhaustion).
> > > I consider that it must be limited when setting a password, like this:
> > > 1. include upper and lower letters
> > > 2. include numbers
> > > 3. include particular symbols, such as '_', '&'
> > > 4. the length > 8
> > > The administrator can set the password rule.
> >
> > Hi,
> >
> > If you want to check for password complexity, do it the correct way. I'm
> > used to *always* use a password generator that uses only lower case, and
> > removes chars that can be confused with one another, so that you don't
> > have l and 1, or O and 0 in my passwords. Yet, they are high entropy and
> > long. If you just force me to add upper+lower case and add symbols, then
> > you are just annoying me even with my very good passwords.
> >
> > > I want to provide a BP about this issue. Can you give me some advice
> > > or ideas??
> >
> > Please use a password entropy function. Something like this:
> > https://pypi.python.org/pypi/cracklib
> >
> > Thomas

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [openstack][keystone] Is the user password too simple?
hi Thomas:
thank you for your suggestion. I agree with you. cracklib is useful to check
passwords. I only gave an example of setting a password, not forcing use of this rule.
I think the password scheme should be discussed more.
I refer to the Linux password policy. The Linux password rule is configurable,
like this:
    PASS_MAX_DAYS 9
    PASS_MIN_DAYS 0
    PASS_MIN_LEN 5
    PASS_WARN_AGE 7
This is the general rule. If you want to set a strong password, you can
use the pam_cracklib module. So we can also configure the password policy.
Someone who doesn't need a strong password can set the general rule in keystone.conf.
Someone who needs a strong password can load cracklib (or others)
and check the password, and the password rule can be set by the administrator.
This is only my idea; can you give me more suggestions? Thanks!

--lizheming

On 2013-12-30 23:15, "Thomas Goirand" wrote:

> On 12/30/2013 02:55 PM, li-zheming wrote:
> > hi all:
> > When creating a user, you can set the user password. You can set the password
> > as a simple word 'a'. The password is too simple, but it is not limited. If
> > someone wants to steal your password, it is so easy (such as exhaustion).
> > I consider that it must be limited when setting a password, like this:
> > 1. include upper and lower letters
> > 2. include numbers
> > 3. include particular symbols, such as '_', '&'
> > 4. the length > 8
> > The administrator can set the password rule.
>
> Hi,
>
> If you want to check for password complexity, do it the correct way. I'm
> used to *always* use a password generator that uses only lower case, and
> removes chars that can be confused with one another, so that you don't
> have l and 1, or O and 0 in my passwords. Yet, they are high entropy and
> long. If you just force me to add upper+lower case and add symbols, then
> you are just annoying me even with my very good passwords.
>
> > I want to provide a BP about this issue. Can you give me some advice
> > or ideas??
>
> Please use a password entropy function. Something like this:
> https://pypi.python.org/pypi/cracklib
>
> Thomas
Re: [openstack-dev] [openstack][keystone] Is the user password too simple?
On 2013-12-31 03:15, "Brant Knudson" wrote:

> On Mon, Dec 30, 2013 at 12:55 AM, li-zheming wrote:
> > hi all:
> > When creating a user, you can set the user password. You can set the password
> > as a simple word 'a'. The password is too simple, but it is not limited. If
> > someone wants to steal your password, it is so easy (such as exhaustion).
> > I consider that it must be limited when setting a password, like this:
> > 1. include upper and lower letters
> > 2. include numbers
> > 3. include particular symbols, such as '_', '&'
> > 4. the length > 8
> > The administrator can set the password rule.
> >
> > I want to provide a BP about this issue. Can you give me some advice
> > or ideas?? Thanks!
> >
> > lizheming
>
> I'd prefer it if we didn't reinvent this wheel ourselves. If customers need
> to enforce password strength, expiration, history, user lockout, etc., then
> they should store users in an LDAP directory that supports these things and
> configure Keystone to use that.
>
> - Brant

hi brant:
I am sorry, I may not understand how to "store users in an LDAP directory that
supports these things and configure Keystone to use that". Is there some
configuration in keystone?
Re: [openstack-dev] [openstack][keystone] Is the user password too simple?
On Mon, Dec 30, 2013 at 12:55 AM, li-zheming wrote:
> hi all:
> When creating a user, you can set the user password. You can set the password
> as a simple word 'a'. The password is too simple, but it is not limited. If
> someone wants to steal your password, it is so easy (such as exhaustion).
> I consider that it must be limited when setting a password, like this:
> 1. include upper and lower letters
> 2. include numbers
> 3. include particular symbols, such as '_', '&'
> 4. the length > 8
> The administrator can set the password rule.
>
> I want to provide a BP about this issue. Can you give me some advice or
> ideas?? Thanks!
>
> lizheming

I'd prefer it if we didn't reinvent this wheel ourselves. If customers need
to enforce password strength, expiration, history, user lockout, etc., then
they should store users in an LDAP directory that supports these things and
configure Keystone to use that.

- Brant
Re: [openstack-dev] [openstack][keystone] Is the user password too simple?
On Mon, Dec 30, 2013 at 11:15:06PM +0800, Thomas Goirand wrote:
> On 12/30/2013 02:55 PM, li-zheming wrote:
> > hi all:
> > When creating a user, you can set the user password. You can set the password
> > as a simple word 'a'. The password is too simple, but it is not limited. If
> > someone wants to steal your password, it is so easy (such as exhaustion).
> > I consider that it must be limited when setting a password, like this:
> > 1. include upper and lower letters
> > 2. include numbers
> > 3. include particular symbols, such as '_', '&'
> > 4. the length > 8
> > The administrator can set the password rule.
>
> Hi,
>
> If you want to check for password complexity, do it the correct way. I'm
> used to *always* use a password generator that uses only lower case, and
> removes chars that can be confused with one another, so that you don't
> have l and 1, or O and 0 in my passwords. Yet, they are high entropy and
> long. If you just force me to add upper+lower case and add symbols, then
> you are just annoying me even with my very good passwords.
>
> > I want to provide a BP about this issue. Can you give me some advice
> > or ideas??
>
> Please use a password entropy function. Something like this:
> https://pypi.python.org/pypi/cracklib
>
> Thomas

I agree with this. If there is a check, it should check general safety,
rather than expect to fulfill all conditions. If I have a 50-letter pass
(and I do, using full sentences is quite convenient), don't force me to have
numbers or symbols in it; it's already way harder to crack than an 8-char
word with a capital, a number, and a non-alphanumerical char.

-- 
Gabriel Pettier
Software Engineer at CloudWatt.com
06 85 10 36 34
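The thread contrasts two policy styles: the configurable rule list li-zheming proposes (upper/lower/digit/symbol/minimum length, with a keystone.conf knob for each, in the spirit of the Linux PASS_* settings quoted in the reply) and the entropy check Thomas, Gabriel and Jeremy argue for. The Python below is an added example written for this page; it is not Keystone code and it does not call cracklib. The PasswordPolicy option names, the constructed word list, the pool-size entropy heuristic and the sample passwords are all assumptions. It runs both styles over the same inputs so the disagreement is visible: the long lowercase sentence Gabriel describes fails every composition rule while scoring far above the entropy threshold, while a "Password1!"-style string satisfies every composition rule and is still a dictionary word.

```python
import math
import string
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


# Constructed policy object. The option names are shaped like keystone.conf
# settings could be, but they are assumptions for this example, not real
# Keystone configuration keys.
@dataclass
class PasswordPolicy:
    min_length: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    min_entropy_bits: float = 60.0
    # Tiny constructed word list standing in for cracklib's dictionary.
    dictionary: FrozenSet[str] = field(
        default_factory=lambda: frozenset({"password", "welcome", "keystone", "openstack"})
    )


def composition_failures(password: str, policy: PasswordPolicy) -> List[str]:
    """Rule-list style from the original proposal: every unmet requirement is
    reported; an empty list means the password passes."""
    failures = []
    if len(password) < policy.min_length:
        failures.append("shorter than %d characters" % policy.min_length)
    if policy.require_upper and not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if policy.require_symbol and not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    return failures


def estimate_entropy_bits(password: str) -> float:
    """Crude estimate: log2(pool ** length), where pool is the size of the
    union of character classes actually present. This assumes each character
    is drawn uniformly from that pool, which is generous; cracklib-style
    checkers additionally penalise dictionary words and keyboard patterns."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # the 32 ASCII symbols
    if any(c.isspace() for c in password):
        pool += 1
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def entropy_failures(password: str, policy: PasswordPolicy) -> List[str]:
    """Entropy-function style: reject dictionary words (ignoring digits and
    symbols bolted onto them) and anything below the bit threshold."""
    failures = []
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in policy.dictionary:
        failures.append("dictionary word")
    bits = estimate_entropy_bits(password)
    if bits < policy.min_entropy_bits:
        failures.append("estimated entropy %.1f bits is below %.1f"
                        % (bits, policy.min_entropy_bits))
    return failures


def evaluate(password: str, policy: PasswordPolicy) -> Dict[str, List[str]]:
    """Run both styles so the two verdicts can be compared side by side."""
    return {
        "composition": composition_failures(password, policy),
        "entropy": entropy_failures(password, policy),
    }


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample passwords, chosen to show where the two styles disagree.
    for sample in ["a", "Password1!",
                   "the quick brown fox jumps over the lazy dog twice"]:
        verdict = evaluate(sample, policy)
        print("%-52r composition=%s entropy=%s"
              % (sample, verdict["composition"] or "ok", verdict["entropy"] or "ok"))
```

Each composition flag maps naturally onto a boolean configuration option, which is the "general rule in keystone.conf" part of the proposal; the entropy side is where a deployment that wants the stronger check would plug in cracklib instead of the pool-size heuristic used here. Running both and reporting each failure separately is what lets an operator keep the composition rules their corporate policy demands while still rejecting "Password1!".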
Re: [openstack-dev] [openstack][keystone] Is the user password too simple?
On 2013-12-30 23:15:06 +0800 (+0800), Thomas Goirand wrote:
> On 12/30/2013 02:55 PM, li-zheming wrote:
> [...]
> > I consider that it must be limited when setting a password, like this:
> > 1. include upper and lower letters
> > 2. include numbers
> > 3. include particular symbols, such as '_', '&'
> > 4. the length > 8
> > The administrator can set the password rule.
[...]
> If you just force me to add upper+lower case and add symbols, then
> you are just annoying me even with my very good passwords.
[...]

I think cracklib (or similar) integration as an optional rule, along with
those listed above, would be great... I'd even say docs should recommend
doing it "the right way" with an entropy checker rule rather than those
other arbitrary checks. However, support for them is still useful because
some operators very well may be hamstrung by cargo-cult "best practices"
requirements like that baked into their corporate security policies (so
they'll need to be able to support such schemes no matter how backward it
might seem).

-- 
Jeremy Stanley
Re: [openstack-dev] [openstack][keystone] Is the user password too simple?
On 12/30/2013 02:55 PM, li-zheming wrote:
> hi all:
> When creating a user, you can set the user password. You can set the password
> as a simple word 'a'. The password is too simple, but it is not limited. If
> someone wants to steal your password, it is so easy (such as exhaustion).
> I consider that it must be limited when setting a password, like this:
> 1. include upper and lower letters
> 2. include numbers
> 3. include particular symbols, such as '_', '&'
> 4. the length > 8
> The administrator can set the password rule.

Hi,

If you want to check for password complexity, do it the correct way. I'm
used to *always* use a password generator that uses only lower case, and
removes chars that can be confused with one another, so that you don't
have l and 1, or O and 0 in my passwords. Yet, they are high entropy and
long. If you just force me to add upper+lower case and add symbols, then
you are just annoying me even with my very good passwords.

> I want to provide a BP about this issue. Can you give me some advice
> or ideas??

Please use a password entropy function. Something like this:
https://pypi.python.org/pypi/cracklib

Thomas
[openstack-dev] [openstack][keystone] Is the user password too simple?
hi all:
When creating a user, you can set the user password. You can set the password
as a simple word 'a'. The password is too simple, but it is not limited. If
someone wants to steal your password, it is so easy (such as exhaustion).
I consider that it must be limited when setting a password, like this:
1. include upper and lower letters
2. include numbers
3. include particular symbols, such as '_', '&'
4. the length > 8
The administrator can set the password rule.

I want to provide a BP about this issue. Can you give me some advice or
ideas?? Thanks!

lizheming