On Tue, May 10, 2011 at 12:22:47PM +0200, Johannes Renner wrote:
Hello,
I was recently investigating in hardening security in the spacewalk web-app by
introducing password strength verification for new passwords, which means
forcing the users to choose passwords with a certain strength. It currently
seems to me as if there are two options that I listed below with my personal
pros(+) and cons(-).
So, which implementation would you prefer and why?
1. Write a custom password strength verificator in Java (like in e.g. ESAPI [1]):
+ not hard to implement (at least when omitting dictionary lookups)
+ requirements can be made configurable, e.g. password min/max length
- no dictionary lookups
2. Write a wrapper around the 'cracklib-check' binary:
+ backend is a well known and tested library (cracklib)
+ comes with an integrated dictionary lookup
- introduces a dependency on a 3rd party binary
- strength requirements seem to be not configurable
Greetings,
Johannes
[1] http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Authenticator.html#verifyPasswordStrength%28java.lang.String,%20java.lang.String,%20org.owasp.esapi.User%29
Hi,
Not spacewalk related but I ran into a similar problem when writing
some user management scripts in Perl. In the end I used the cracklib
binaries (well, Crypt::Cracklib) for the dictionary check but wrapped
them in a module containing reimplementations of the extra strength
tests in pam_cracklib. This took a day or two but gave me the
configurability I needed and I guess is a combination of 1) and 2)
above.
If you'd like the perl module as an example just let me
know. pam_cracklib's extra checks (palindromes etc) are not at all
complex to implement in any language.
Regards,
--
David Nutter
Tel: +44 (0)131 650 4888
BioSS, JCMB, King's Buildings, Mayfield Rd, EH9 3JZ. Scotland, UK
Biomathematics and Statistics Scotland (BioSS) is formally part of The
James Hutton Institute (JHI), a registered Scottish charity No. SC041796
and a company limited by guarantee No. SC374831
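As an added illustration of the combination David describes (this is example code written for this thread, not Spacewalk's or the Perl module's own code): a small Java class that keeps the configurable rules from option 1, reimplements a few of the pam_cracklib extra checks (palindrome, case-change only, too similar to the old password), and wraps the cracklib-check binary from option 2 for the dictionary lookup. It assumes cracklib-check is on the PATH and answers one line per password in the form "password: OK" or "password: reason"; the difok-style similarity test is a simplified version of pam_cracklib's.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public final class PasswordStrength {
    private final int minLength;    // configurable minimum length (option 1)
    private final int minClasses;   // lower/upper/digit/other classes required
    private final int minDifferent; // chars not reused from the old password (like pam_cracklib difok)
    public PasswordStrength(int minLength, int minClasses, int minDifferent) {
        this.minLength = minLength; this.minClasses = minClasses; this.minDifferent = minDifferent;
    }

    /** Returns null when the password is acceptable, otherwise the reason it was rejected. */
    public String check(String pw, String oldPw) {
        if (pw.length() < minLength) return "is too short";
        if (isPalindrome(pw)) return "is a palindrome";
        if (characterClasses(pw) < minClasses) return "does not contain enough character classes";
        if (oldPw != null && pw.equalsIgnoreCase(oldPw)) return "is the old password with only case changed";
        if (oldPw != null && differingChars(pw, oldPw) < minDifferent) return "is too similar to the old password";
        return null;
    }

    static boolean isPalindrome(String s) {
        return new StringBuilder(s).reverse().toString().equals(s);
    }

    static int characterClasses(String s) {
        boolean lower = false, upper = false, digit = false, other = false;
        for (char c : s.toCharArray()) {
            if (Character.isLowerCase(c)) lower = true;
            else if (Character.isUpperCase(c)) upper = true;
            else if (Character.isDigit(c)) digit = true;
            else other = true;
        }
        return (lower ? 1 : 0) + (upper ? 1 : 0) + (digit ? 1 : 0) + (other ? 1 : 0);
    }

    /** Characters of pw that occur nowhere in old (simplified form of pam_cracklib's difok test). */
    static int differingChars(String pw, String old) {
        int n = 0;
        for (char c : pw.toCharArray()) if (old.indexOf(c) < 0) n++;
        return n;
    }

    /** Dictionary check via the cracklib-check binary (option 2); null means cracklib said "OK". */
    static String cracklibReason(String pw) throws IOException, InterruptedException {
        Process p = new ProcessBuilder("cracklib-check").start();
        try (Writer w = new OutputStreamWriter(p.getOutputStream(), StandardCharsets.UTF_8)) { w.write(pw + "\n"); }
        String line = new BufferedReader(new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8)).readLine();
        p.waitFor();
        if (line == null) return "cracklib-check gave no verdict";
        String verdict = line.substring(line.lastIndexOf(": ") + 2);
        return verdict.equals("OK") ? null : verdict;
    }
}
```

A caller would run check() first and only then cracklibReason(), so the external process is spawned only for candidates that already pass the cheap, configurable rules.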
___
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel