On Tue, May 10, 2011 at 12:22:47PM +0200, Johannes Renner wrote:
> Hello,
> I was recently investigating in hardening security in the spacewalk web-app by
> introducing password strength verification for new passwords, which means forcing
> the users to choose passwords with a certain strength. It currently seems to me as
> if there are two options that I listed below with my personal pros(+) and cons(-).
> So, which implementation would you prefer and why?
> 1. Write a custom password strength verificator in Java (like in e.g. ESAPI 
> [1]):
> + not hard to implement (at least when omitting dictionary lookups)
> + requirements can be made configurable, e.g. password min/max length
> - no dictionary lookups
> 2. Write a wrapper around the 'cracklib-check' binary:
> + backend is a well known and tested library (cracklib)
> + comes with an integrated dictionary lookup
> - introduces a dependency on a 3rd party binary
> - strength requirements seem to be not configurable

Couldn't we use the password feature of PAM and thus use the standard
PAM modules for the strength requirements? It could then make it
possible to use any PAM module there exists -- pam_cracklib,
pam_passwdqc, length limits ...

Jan Pazdziora
Principal Software Engineer, Satellite Engineering, Red Hat
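As an added illustration (not code from the Spacewalk project or from either poster), here is a Java sketch of option 2 combined with the configurable length rules of option 1. It assumes cracklib-check is installed at the usual path and, for each line read on stdin, prints the password followed by ": OK" or ": <reason>".

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.TimeUnit;

/** Hypothetical helper: configurable length rules plus a cracklib-check dictionary lookup. */
public class PasswordStrengthChecker {
    private final int minLength;
    private final int maxLength;
    private final String cracklibBinary; // assumption: /usr/sbin/cracklib-check on most distributions

    public PasswordStrengthChecker(int minLength, int maxLength, String cracklibBinary) {
        this.minLength = minLength;
        this.maxLength = maxLength;
        this.cracklibBinary = cracklibBinary;
    }

    /** Returns null if the password is acceptable, otherwise a human-readable reason for rejection. */
    public String check(String password) throws IOException, InterruptedException {
        // The configurable part (option 1): length limits enforced before the external check.
        if (password.length() < minLength) return "it is too short (minimum " + minLength + ")";
        if (password.length() > maxLength) return "it is too long (maximum " + maxLength + ")";
        if (password.indexOf('\n') >= 0) return "it must not contain a line break";

        ProcessBuilder pb = new ProcessBuilder(cracklibBinary);
        pb.redirectErrorStream(true);
        Process p = pb.start();
        // Feed the password on stdin, never as an argument: argv is visible to other local users via /proc.
        try (Writer w = new OutputStreamWriter(p.getOutputStream(), StandardCharsets.UTF_8)) {
            w.write(password);
            w.write('\n');
        }
        String line;
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            line = r.readLine();
        }
        if (!p.waitFor(5, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("cracklib-check timed out");
        }
        if (line == null) throw new IOException("no output from cracklib-check");
        // cracklib-check echoes "<password>: OK" or "<password>: <reason>"; strip the echoed prefix.
        String prefix = password + ": ";
        String verdict = line.startsWith(prefix) ? line.substring(prefix.length()) : line;
        return "OK".equals(verdict) ? null : verdict;
    }
}
```

Note that cracklib-check's own rules (dictionary words, too few character classes, and so on) are not tunable from this wrapper, which is the configurability drawback the mail lists for option 2.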

Spacewalk-devel mailing list