On Tue, May 10, 2011 at 12:22:47PM +0200, Johannes Renner wrote:
> Hello,
>
> I was recently investigating hardening security in the spacewalk web-app by
> introducing password strength verification for new passwords, which means
> forcing the users to choose passwords with a certain strength. It currently
> seems to me as if there are two options that I listed below with my personal
> pros(+) and cons(-). So, which implementation would you prefer and why?
>
> 1. Write a custom password strength verifier in Java (like in e.g. ESAPI [1]):
>
>    + not hard to implement (at least when omitting dictionary lookups)
>    + requirements can be made configurable, e.g. password min/max length
>    - no dictionary lookups
>
> 2. Write a wrapper around the 'cracklib-check' binary:
>
>    + backend is a well known and tested library (cracklib)
>    + comes with an integrated dictionary lookup
>    - introduces a dependency on a 3rd party binary
>    - strength requirements seem not to be configurable
>
> Greetings,
> Johannes
>
> [1]
> http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Authenticator.html#verifyPasswordStrength%28java.lang.String,%20java.lang.String,%20org.owasp.esapi.User%29
Hi,

Not spacewalk related but I ran into a similar problem when writing some user
management scripts in Perl. In the end I used the cracklib binaries (well,
Crypt::Cracklib) for the dictionary check but wrapped them in a module
containing reimplementations of the "extra" strength tests in pam_cracklib.
This took a day or two but gave me the configurability I needed and I guess is
a combination of 1) and 2) above.

If you'd like the perl module as an example just let me know. pam_cracklib's
extra checks (palindromes etc) are not at all complex to implement in any
language.

Regards,

--
David Nutter
Tel: +44 (0)131 650 4888
BioSS, JCMB, King's Buildings, Mayfield Rd, EH9 3JZ. Scotland, UK

Biomathematics and Statistics Scotland (BioSS) is formally part of The James
Hutton Institute (JHI), a registered Scottish charity No. SC041796 and a
company limited by guarantee No. SC374831

_______________________________________________
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel
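The combined approach described in the reply above (cracklib for the dictionary test, pam_cracklib's "extra" checks reimplemented with configurable thresholds), as an added example that is not part of the thread, of David's Perl module, or of Spacewalk. It is written in Python rather than Perl or Java because the reply notes the checks are easy in any language, and it is a self-contained sketch, not a port of anything on the list. The `Policy` option names and defaults (`minlen`, `difok`, the `*credit` values, `maxrepeat`) are borrowed from pam_cracklib's documented options, and the palindrome, case-change-only, similarity (edit distance against `difok`, with the "twice as long" escape) and class-credit length tests are modelled on its behaviour; `check_password`, `cracklib_check` and the reason strings are this example's own names. The wrapper feeds `cracklib-check` over stdin, one password per line, and parses its `<password>: OK` / `<password>: <reason>` output; that output format and the binary's presence on `PATH` are assumptions.

```python
"""pam_cracklib-style 'extra' checks with configurable thresholds, plus a
stdin wrapper around the cracklib-check binary for the dictionary test.
Added example; not code from Spacewalk or from the thread's authors."""
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """Thresholds named after pam_cracklib's module options, with its
    documented defaults. A negative *credit is a minimum count of that
    character class; a positive one is a length credit (as in pam_cracklib)."""
    minlen: int = 9
    difok: int = 5
    dcredit: int = 1
    ucredit: int = 1
    lcredit: int = 1
    ocredit: int = 1
    maxrepeat: int = 0   # 0 disables the repeated-character check


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; stands in for pam_cracklib's distance() in the difok test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_palindrome(pw: str) -> bool:
    return pw == pw[::-1]


def is_case_change_only(old: str, new: str) -> bool:
    return old != new and old.lower() == new.lower()


def is_too_similar(old: str, new: str, difok: int) -> bool:
    # Modelled on pam_cracklib: enough changed characters, or a new password
    # at least twice as long as the old one, is accepted.
    if _levenshtein(old, new) >= difok or len(new) >= 2 * len(old):
        return False
    return True


def is_too_simple(pw: str, p: Policy) -> bool:
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in pw:
        key = "d" if ch.isdigit() else "u" if ch.isupper() else "l" if ch.islower() else "o"
        counts[key] += 1
    size = p.minlen
    for key, credit in (("d", p.dcredit), ("u", p.ucredit), ("l", p.lcredit), ("o", p.ocredit)):
        if credit >= 0:
            size -= min(counts[key], credit)      # each class earns at most `credit`
        elif counts[key] < -credit:
            return True                           # fewer than the required number
    return len(pw) < size


def has_long_repeat(pw: str, maxrepeat: int) -> bool:
    if maxrepeat <= 0:
        return False
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > maxrepeat:
            return True
    return False


def cracklib_check(pw: str, binary: str = "cracklib-check") -> Optional[str]:
    """Dictionary test via the cracklib-check binary. Returns None if cracklib
    says OK, otherwise its reason. The password goes over stdin (never argv,
    which is world-readable in the process list). Assumed output format:
    '<password>: OK' or '<password>: <reason>'."""
    if "\n" in pw:
        raise ValueError("cracklib-check reads one password per line")
    path = shutil.which(binary)
    if path is None:
        raise FileNotFoundError(binary)
    out = subprocess.run([path], input=pw + "\n", capture_output=True,
                         text=True, check=True).stdout
    verdict = out.rstrip("\n").rsplit(": ", 1)[-1]
    return None if verdict == "OK" else verdict


def check_password(new: str, old: str = "", policy: Optional[Policy] = None,
                   dictionary: bool = False) -> List[str]:
    """Return every reason the new password fails; an empty list means accept."""
    p = policy or Policy()
    reasons = []
    if is_palindrome(new):
        reasons.append("is a palindrome")
    if old:
        if new == old:
            reasons.append("is the same as the old password")
        if is_case_change_only(old, new):
            reasons.append("is the old password with only case changed")
        if is_too_similar(old, new, p.difok):
            reasons.append("is too similar to the old password")
    if is_too_simple(new, p):
        reasons.append("is too simple")
    if has_long_repeat(new, p.maxrepeat):
        reasons.append("contains too many repeated characters")
    if dictionary:                       # needs the cracklib-check binary
        reason = cracklib_check(new)
        if reason:
            reasons.append(reason)
    return reasons


if __name__ == "__main__":
    for old, new in [("", "racecar"), ("Tr0ub4dor&3", "tr0ub4dor&3"),
                     ("Tr0ub4dor&3", "correct horse battery")]:
        print(repr(new), check_password(new, old) or "OK")
```

The split matches the two options in the thread: every threshold lives in `Policy`, so the non-dictionary rules are as configurable as a hand-written Java verifier, while the one thing worth not rewriting (the dictionary and its rules) stays in cracklib. A Java port for Spacewalk would use `ProcessBuilder` the same way: write the candidate to the child's stdin and parse the single output line, and treat a missing binary as a deployment error rather than silently skipping the dictionary test.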