** Description changed:
Even if libpam-cracklib is installed, lightdm accepts a too-short password.
This might be a security issue because a user can ignore the password policy
defined by root.
How to reproduce:
- 1. install libpam-cracklib
- 2. create user1 with password foo
- 3. expire
The easiest workaround is using another display manager like gdm. But a
possible workaround is using libpam-passwdqc (universe) instead of
libpam-cracklib (main). With enforce=everyone (default), it can reject a
password which does not meet requirements even if changed by root.
But it cannot cover all
There is no special/secret way to reproduce this, i.e. the procedure is
quite normal.
I will mark this issue as public.
** Information type changed from Private Security to Public Security
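The workaround in the description depends on whether the password-quality module still rejects a weak password when the change is made with root privileges. The following check is an added example, not part of the bug report; the function names and the sample stack are constructed, and it assumes the installed pam_cracklib supports the `enforce_for_root` option.

```shell
#!/bin/sh
# Added example (not from the bug report). Reads PAM config lines on stdin and
# reports, per password-quality module in the "password" stack, whether a weak
# password is still rejected when the change runs with root privileges.
audit_pam_quality() {
    awk '
    /^[ \t]*#/ { next }             # skip comment lines
    $1 != "password" { next }       # only the password-change stack matters
    {
        for (i = 2; i <= NF; i++) {
            name = $i
            sub(/^.*\//, "", name)   # accept a full module path as well
            if (name == "pam_cracklib.so") {
                # cracklib only prints its message for root unless told otherwise
                verdict = "not-enforced-for-root"
                for (j = i + 1; j <= NF; j++)
                    if ($j == "enforce_for_root") verdict = "enforced-for-root"
            } else if (name == "pam_passwdqc.so") {
                # passwdqc defaults to enforce=everyone; users/none weaken it
                verdict = "enforced-for-root"
                for (j = i + 1; j <= NF; j++)
                    if ($j ~ /^enforce=/ && $j != "enforce=everyone")
                        verdict = "not-enforced-for-root"
            } else continue
            print name, verdict
            break
        }
    }'
}

# Constructed sample stack (not taken from the report).
sample_stack() {
    cat <<'EOF'
# /etc/pam.d/common-password (constructed)
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512
EOF
}

sample_stack | audit_pam_quality
```

To audit a real system, feed the function the file that holds the password stack, for example `audit_pam_quality < /etc/pam.d/common-password`.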
** Changed in: lightdm (Ubuntu)
Status: New => Triaged
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1128226
Title:
lightdm accepts weak password although pam says BAD PASSWORD