Re: [Spacewalk-devel] Password Strength Verification

2011-05-10 Thread David Nutter
On Tue, May 10, 2011 at 12:22:47PM +0200, Johannes Renner wrote:
 Hello,
 
 I was recently investigating hardening security in the spacewalk web-app by
 introducing password strength verification for new passwords, which means
 forcing the users to choose passwords with a certain strength. It currently
 seems to me as if there are two options that I listed below with my personal
 pros(+) and cons(-).
 So, which implementation would you prefer and why?
 
 1. Write a custom password strength verificator in Java (like in e.g. ESAPI [1]):
 
 + not hard to implement (at least when omitting dictionary lookups)
 + requirements can be made configurable, e.g. password min/max length
 - no dictionary lookups
 
 2. Write a wrapper around the 'cracklib-check' binary:
 
 + backend is a well known and tested library (cracklib)
 + comes with an integrated dictionary lookup
 - introduces a dependency on a 3rd party binary
 - strength requirements seem to be not configurable
 
 Greetings,
 Johannes
 
 [1] http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Authenticator.html#verifyPasswordStrength%28java.lang.String,%20java.lang.String,%20org.owasp.esapi.User%29


Hi,

Not spacewalk related but I ran into a similar problem when writing
some user management scripts in Perl. In the end I used the cracklib
binaries (well, Crypt::Cracklib) for the dictionary check but wrapped
them in a module containing reimplementations of the extra strength
tests in pam_cracklib. This took a day or two but gave me the
configurability I needed and I guess is a combination of 1) and 2)
above.

If you'd like the perl module as an example just let me
know. pam_cracklib's extra checks (palindromes etc) are not at all
complex to implement in any language.

Regards,

-- 
David Nutter                Tel: +44 (0)131 650 4888
BioSS, JCMB, King's Buildings, Mayfield Rd, EH9 3JZ. Scotland, UK 

Biomathematics and Statistics Scotland (BioSS) is formally part of The
James Hutton Institute (JHI), a registered Scottish charity No. SC041796
and a company limited by guarantee No. SC374831
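The checks David describes (palindrome, case-change-only, similarity to the old password, minlen with per-class credits, plus a dictionary lookup) re-implemented in Python as an added example; this is not David's Perl module nor Spacewalk code. The toy word set standing in for the cracklib dictionary is constructed, the similarity rule is a simplification of pam_cracklib's (differing positions plus length difference), and the `dictionary` callable is where a wrapper around cracklib-check or Crypt::Cracklib would plug in.

```python
"""pam_cracklib-style password checks, configurable like the PAM module."""
import string

# Constructed stand-in for a cracklib dictionary; replace with a
# cracklib-check wrapper in real use.
TOY_DICTIONARY = {"password", "spacewalk", "letmein"}


def dictionary_word(candidate, dictionary=TOY_DICTIONARY):
    return candidate.lower() in dictionary


def is_palindrome(pw):
    return pw == pw[::-1]


def only_case_changed(new, old):
    """New password is the old one with only letter case changed."""
    return new != old and new.lower() == old.lower()


def too_similar(new, old, difok=5):
    """Fewer than `difok` characters differ from the old password
    (simplified relative to pam_cracklib's similar() rule)."""
    diff = sum(1 for a, b in zip(new, old) if a != b)
    diff += abs(len(new) - len(old))
    return diff < difok


def effective_length(pw, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """len(pw) plus pam_cracklib credits: each class present adds up to
    its credit value, one point per character of that class."""
    length = len(pw)
    classes = ((string.digits, dcredit), (string.ascii_uppercase, ucredit),
               (string.ascii_lowercase, lcredit), (None, ocredit))
    for cls, credit in classes:
        if cls is None:  # "other": anything that is not alphanumeric
            count = sum(1 for c in pw if not c.isalnum())
        else:
            count = sum(1 for c in pw if c in cls)
        length += min(count, credit)
    return length


def check_password(new, old="", minlen=9, difok=5, dictionary=TOY_DICTIONARY):
    """Return the list of failed checks; an empty list means the password passes."""
    reasons = []
    if is_palindrome(new):
        reasons.append("palindrome")
    if old and only_case_changed(new, old):
        reasons.append("case changes only")
    if old and too_similar(new, old, difok):
        reasons.append("too similar to old password")
    if effective_length(new) < minlen:
        reasons.append("too short")
    if dictionary_word(new, dictionary):
        reasons.append("dictionary word")
    return reasons
```

Because every threshold is a parameter, the same module gives the configurability option 1 promises while keeping the dictionary lookup of option 2 behind a single callable.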

___
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel


Re: [Spacewalk-devel] Password Strength Verification

2011-05-10 Thread Jan Pazdziora
On Tue, May 10, 2011 at 12:22:47PM +0200, Johannes Renner wrote:
 Hello,
 
 I was recently investigating hardening security in the spacewalk web-app by
 introducing password strength verification for new passwords, which means
 forcing the users to choose passwords with a certain strength. It currently
 seems to me as if there are two options that I listed below with my personal
 pros(+) and cons(-).
 So, which implementation would you prefer and why?
 
 1. Write a custom password strength verificator in Java (like in e.g. ESAPI [1]):
 
 + not hard to implement (at least when omitting dictionary lookups)
 + requirements can be made configurable, e.g. password min/max length
 - no dictionary lookups
 
 2. Write a wrapper around the 'cracklib-check' binary:
 
 + backend is a well known and tested library (cracklib)
 + comes with an integrated dictionary lookup
 - introduces a dependency on a 3rd party binary
 - strength requirements seem to be not configurable

Couldn't we use the password feature of PAM and thus use the standard
PAM modules for the strength requirements? It could then make it
possible to use any PAM module there exists -- pam_cracklib,
pam_passwdqc, length limits ...

-- 
Jan Pazdziora
Principal Software Engineer, Satellite Engineering, Red Hat
