[jboss-as7-dev] Relaxing password requirements for add-user script?

Darran Lofthouse darran.lofthouse at jboss.com
Wed Oct 10 05:47:27 EDT 2012


On 10/10/2012 08:23 AM, Jaikiran Pai wrote:
> I never have
> understood this specific requirement of passwords being forced to be of
> certain type (many sites do it).

The reason for the requirement is to reduce the effectiveness of 
dictionary based attacks by stopping the users from using commonly used 
words for their password.

For Digest authentication which we are using by default the password is 
not transmitted in the clear - however a hash is transmitted and apart 
from the password used to generate the hash the rest of the information 
used to generate the hash is also visible.

At this point if you want to discover the user's password you can try 
brute force regenerating the hashes by trying out one candidate password 
after another - passwords could be anything so this is a big task, 
however if most users are just going to pick a normal word or a name or 
something common like that you have a much smaller sample to use to 
discover their password by trying each entry in the smaller sample.

This brute force discovery of a password occurs offline and only 
requires the hashes from the captured packets so we can't detect that it 
is happening so instead a policy is in place to ensure more complex 
passwords are chosen - this way the brute force discovery has a much 
larger sample of passwords.

Ideally SSL/TLS would still be enabled for these connections which would 
prevent even the hashes being seen but compared to BASIC authentication 
where capturing one packet gets you the user's password this is a step up 
as an intermediate step.

> I'm not a security expert, but is this "your password has to have upper
> case, lower case, digit, special char" requirement really worth it in a
> real application?
>
>
> [1]
> https://issues.jboss.org/browse/AS7-2756?focusedCommentId=12653165&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12653165
>
> -Jaikiran
> _______________________________________________
> jboss-as7-dev mailing list
> jboss-as7-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>
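The argument above (a dictionary word is one of a small fixed set of guesses, while a policy-compliant password draws from a far larger space) can be made concrete. The following is an added illustration, not code from the AS7 add-user script or from this thread: it checks the four character-class rules Jaikiran quotes, and estimates the size of the candidate set an offline attacker would have to cover. The minimum length, the dictionary check, the constructed word list and the 100,000-entry dictionary size used in the estimate are all assumptions; the script's real rules are not given in the thread.

```python
import math
import string

# Constructed stand-in for a dictionary wordlist (assumption: a real list
# would hold roughly DICTIONARY_SIZE entries, which is the figure used in the
# search-space estimate below).
COMMON_WORDS = {"password", "welcome", "admin", "jboss", "letmein", "summer"}
DICTIONARY_SIZE = 100_000

# Assumed minimum length; the add-user script's actual value is not on the page.
MIN_LENGTH = 8


def policy_violations(password):
    """Return the list of rules the password fails (empty list = accepted).

    The four character-class rules are the ones named in the thread; the
    length rule and the dictionary check are illustrative additions.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password.lower() in COMMON_WORDS:
        problems.append("is a common dictionary word")
    return problems


def search_space_bits(password):
    """Estimate log2 of the candidate set an offline attacker must try.

    A bare dictionary word is one of DICTIONARY_SIZE guesses regardless of
    its length; otherwise the space is alphabet_size ** length, where the
    alphabet is the union of the character classes the password uses.
    """
    if password.lower() in COMMON_WORDS:
        return math.log2(DICTIONARY_SIZE)
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 ASCII punctuation characters
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    for candidate in ("welcome", "Welc0me!x"):
        print(candidate, policy_violations(candidate),
              "%.1f bits" % search_space_bits(candidate))
```

Running it shows the gap the thread describes: "welcome" fails five rules and sits in a roughly 17-bit candidate set, while a nine-character password using all four classes passes and sits in a roughly 59-bit set. The estimate is an upper bound on attacker effort (people still pick predictable patterns within the allowed classes), which is why the thread treats the policy as a mitigation alongside TLS rather than a replacement for it.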

