[jboss-as7-dev] Relaxing password requirements for add-user script?

Andrig Miller anmiller at redhat.com
Wed Oct 10 13:19:22 EDT 2012 

We might run afoul of PCI and SOX requirements for customers with that kind of option.

Personally, I think just having some text that says the password requirements when you create a user, to make it more usable is what we should do, and not relax the requirements.

Andy

----- Original Message -----
> From: "Jason Greene" <jason.greene at redhat.com>
> To: "Darran Lofthouse" <darran.lofthouse at jboss.com>
> Cc: jboss-as7-dev at lists.jboss.org
> Sent: Wednesday, October 10, 2012 7:46:54 AM
> Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user	script?
> 
> Maybe we should allow a --force option, which bypasses that stuff?
> 
> On Oct 10, 2012, at 4:49 AM, Darran Lofthouse
> <darran.lofthouse at jboss.com> wrote:
> 
> > Agreed, a prompt would help so a feature request would be welcome.
> > 
> > This will be an interesting contributor task I think as we would
> > need to
> > be mapping between the configured policy and appropriate log
> > messages.
> > 
> > Regards,
> > Darran Lofthouse.
> > 
> > 
> > On 10/10/2012 09:02 AM, Stuart Douglas wrote:
> >> Also, at the very least this should tell you the requirements
> >> before you
> >> have to go through the trial and error process to figure out what
> >> they are.
> >> 
> >> Stuart
> >> 
> >> Jaikiran Pai wrote:
> >>> I think it's been a while since I used the add-user script to add
> >>> application users. Turns out the password for the new user is now
> >>> checked for strength and the rules are a bit annoying [1], at
> >>> least for
> >>> me. As a developer, I just want to test a scenario for EJB
> >>> invocations.
> >>> I tried using "test" as a password and it failed with "too few
> >>> characters". Then I tried "test12345" failed again with "your
> >>> password
> >>> should have combination of upper case, lower case, ...". I never
> >>> have
> >>> understood this specific requirement of passwords being forced to
> >>> be of
> >>> certain type (many sites do it). So, would it be possible to
> >>> somehow
> >>> relax this requirement?
> >>> 
> >>> I'm not a security expert, but is this "your password has to have
> >>> upper
> >>> case, lower case, digit, special char" requirement really worth
> >>> it in a
> >>> real application?
> >>> 
> >>> 
> >>> [1]
> >>> https://issues.jboss.org/browse/AS7-2756?focusedCommentId=12653165&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12653165
> >>> 
> >>> -Jaikiran
> >>> _______________________________________________
> >>> jboss-as7-dev mailing list
> >>> jboss-as7-dev at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
> >> _______________________________________________
> >> jboss-as7-dev mailing list
> >> jboss-as7-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
> >> 
> > _______________________________________________
> > jboss-as7-dev mailing list
> > jboss-as7-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
> 
> 
> _______________________________________________
> jboss-as7-dev mailing list
> jboss-as7-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>

More information about the jboss-as7-dev mailing list