On Fri, Oct 14, 2011 at 06:34:33AM -0700, Rod MacPherson wrote:
> Hi, I just read about the new fedora project password change, and the thing
> that caught my attention is your interesting password complexity rules. 9
> chars if using upper, lower, numbers and special chars, 20 chars otherwise.
>
> I have never seen this type of complexity rule in action before, so the first
> thing that sprang to my mind is "what PAM plugins are they using to
> accomplish this, and where can I get that?"
>
> I'm sure other security professionals would love to try this, but the
> standard modules in most Linux distros only allow very simple min length, min
> complexity settings, not an if complexity >= this, min_length == min1, else
> min_length == min2
>
> I'd like to do a write-up about this for infosecisland.com which can include
> an interview with someone at fedoraproject if you like, but doesn't have to.

Unfortunately (from a reuse standpoint; perhaps fortunately from a coding standpoint :-) PAM is not involved here. We manage our accounts through a web application, so changing passwords goes through the web application. We simply coded the new checks in there.
The majority of the code involved with strength checking is here:
http://git.fedorahosted.org/git?p=fas.git;a=blob;f=fas/validators.py;h=21910ca0c87a8d2d9e406f74434860fe82b8f510;hb=HEAD#l231

The paper with recommendations that we based the rules on is here:
http://staff.science.uva.nl/~delaat/sne-2009-2010/p34/report.pdf

And finally, our ticket about implementing this is here:
https://fedorahosted.org/fedora-infrastructure/ticket/2804

-Toshio
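The thread states the rule (at least 9 characters when upper, lower, digits and special characters are all present, at least 20 otherwise) and points at the FAS validator, but does not reproduce the code. The following is an added example written for this page, not the FAS code from fas/validators.py. The two thresholds, 9 and 20, are the values quoted in the thread; the character-class definitions (Python's Unicode-aware str.isupper/islower/isdigit, with everything else, whitespace included, counted as special) and the NFC normalisation before counting are assumptions of this example.

```python
"""Length-depends-on-complexity password rule, as described in the thread.

Added example for this page; it is NOT the Fedora Account System code in
fas/validators.py.  The thresholds (9 / 20) come from the thread; the
character-class definitions and the Unicode normalisation are assumptions.
"""
import unicodedata

MIN_LEN_ALL_CLASSES = 9    # upper + lower + digit + special all present
MIN_LEN_OTHERWISE = 20     # at least one class missing

CLASS_NAMES = ("upper", "lower", "digit", "special")


def character_classes(password):
    """Return the set of character classes used in `password`.

    Assumption of this example: the Unicode-aware str methods decide upper,
    lower and digit; anything else (punctuation, symbols, whitespace, and
    letters that have no case such as CJK) counts as 'special'.
    """
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def required_length(password):
    """Minimum length that applies to this particular password."""
    if len(character_classes(password)) == len(CLASS_NAMES):
        return MIN_LEN_ALL_CLASSES
    return MIN_LEN_OTHERWISE


def check_password(password):
    """Apply the rule.  Returns (accepted, reason).

    Length is measured in Unicode code points after NFC normalisation, so a
    decomposed 'e' + combining accent is counted once, and the verdict does
    not depend on how the browser happened to encode the form field.
    """
    password = unicodedata.normalize("NFC", password)
    used = character_classes(password)
    needed = required_length(password)
    if len(password) >= needed:
        return True, "ok"
    missing = [c for c in CLASS_NAMES if c not in used]
    if not missing:
        return False, ("uses all four character classes but has %d characters; "
                       "at least %d are required" % (len(password), needed))
    return False, ("has %d characters and lacks %s; passwords without all four "
                   "character classes must be at least %d characters"
                   % (len(password), ", ".join(missing), needed))


if __name__ == "__main__":
    # Constructed sample inputs for the demo, not real credentials.
    for pw in ("Tr0ub4d0r&", "Aa1!Aa1!", "correcthorsebatterystaple",
               "correcthorsebattery", "Correct Horse Battery Staple"):
        ok, why = check_password(pw)
        print("%-32r %s  %s" % (pw, "ACCEPT" if ok else "REJECT", why))
```

Because PAM is not in the path, this kind of check lives wherever the password change is actually processed; in a web application that is the form validator, which is also the only place that sees the password in clear before hashing. Counting code points rather than bytes keeps a multibyte-heavy but short password from being scored as long.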
-- 
websites mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/websites
