[jboss-as7-dev] Relaxing password requirements for add-user script?

Andrig Miller anmiller at redhat.com
Wed Oct 10 15:26:18 EDT 2012


Yes, but having done PCI compliance with JBoss in the past, you have to provide process-based workarounds for the missing things, or deficiencies in the platform. With the platform actually having this, it will make compliance easier for customers to attain.

Andy

----- Original Message -----
> From: "Brian Stansberry" <brian.stansberry at redhat.com>
> To: jboss-as7-dev at lists.jboss.org
> Sent: Wednesday, October 10, 2012 11:45:39 AM
> Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script?
> 
> Interesting. This enforcing of password rules is new in AS master; AFAIK
> we've never had this kind of thing before.
> 
> On 10/10/12 12:19 PM, Andrig Miller wrote:
> > We might run afoul of PCI and SOX requirements for customers with
> > that kind of option.
> >
> > Personally, I think just having some text that says the password
> > requirements when you create a user, to make it more usable is
> > what we should do, and not relax the requirements.
> >
> > Andy
> >
> > ----- Original Message -----
> >> From: "Jason Greene" <jason.greene at redhat.com>
> >> To: "Darran Lofthouse" <darran.lofthouse at jboss.com>
> >> Cc: jboss-as7-dev at lists.jboss.org
> >> Sent: Wednesday, October 10, 2012 7:46:54 AM
> >> Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script?
> >>
> >> Maybe we should allow a --force option, which bypasses that stuff?
> >>
> >> On Oct 10, 2012, at 4:49 AM, Darran Lofthouse
> >> <darran.lofthouse at jboss.com> wrote:
> >>
> >>> Agreed, a prompt would help so a feature request would be welcome.
> >>>
> >>> This will be an interesting contributor task I think as we would need
> >>> to be mapping between the configured policy and appropriate log
> >>> messages.
> >>>
> >>> Regards,
> >>> Darran Lofthouse.
> >>>
> >>>
> >>> On 10/10/2012 09:02 AM, Stuart Douglas wrote:
> >>>> Also, at the very least this should tell you the requirements before
> >>>> you have to go through the trial and error process to figure out what
> >>>> they are.
> >>>>
> >>>> Stuart
> >>>>
> >>>> Jaikiran Pai wrote:
> >>>>> I think it's been a while since I used the add-user script to add
> >>>>> application users. Turns out the password for the new user is now
> >>>>> checked for strength and the rules are a bit annoying [1], at least
> >>>>> for me. As a developer, I just want to test a scenario for EJB
> >>>>> invocations. I tried using "test" as a password and it failed with
> >>>>> "too few characters". Then I tried "test12345", which failed again
> >>>>> with "your password should have combination of upper case, lower
> >>>>> case, ...". I never have understood this specific requirement of
> >>>>> passwords being forced to be of certain type (many sites do it). So,
> >>>>> would it be possible to somehow relax this requirement?
> >>>>>
> >>>>> I'm not a security expert, but is this "your password has to have
> >>>>> upper case, lower case, digit, special char" requirement really
> >>>>> worth it in a real application?
> >>>>>
> >>>>>
> >>>>> [1]
> >>>>> https://issues.jboss.org/browse/AS7-2756?focusedCommentId=12653165&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12653165
> >>>>>
> >>>>> -Jaikiran
> >>>>> _______________________________________________
> >>>>> jboss-as7-dev mailing list
> >>>>> jboss-as7-dev at lists.jboss.org
> >>>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
> >>>>
> >>
> >>
> >>
> >
> 
> 
> --
> Brian Stansberry
> Principal Software Engineer
> JBoss by Red Hat
> 

