Re: [jboss-as7-dev] Relaxing password requirements for add-user script?

From: "Brian Stansberry" <brian.stansberry(a)redhat.com&gt; To: jboss-as7-dev(a)lists.jboss.org Sent: Wednesday, October 10, 2012 11:45:39 AM Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script? Interesting. This enforcing of password rules is new in AS master; AFAIK we've never had this kind of thing before. On 10/10/12 12:19 PM, Andrig Miller wrote: > We might run afoul of PCI and SOX requirements for customers with > that kind of option. > > Personally, I think just having some text that says the password > requirements when you create a user, to make it more usable is > what we should do, and not relax the requirements. > > Andy > > ----- Original Message ----- >> From: "Jason Greene" <jason.greene(a)redhat.com&gt; >> To: "Darran Lofthouse" <darran.lofthouse(a)jboss.com&gt; >> Cc: jboss-as7-dev(a)lists.jboss.org >> Sent: Wednesday, October 10, 2012 7:46:54 AM >> Subject: Re: [jboss-as7-dev] Relaxing password requirements for >> add-user script? >> >> Maybe we should allow a --force option, which bypasses that stuff? >> >> On Oct 10, 2012, at 4:49 AM, Darran Lofthouse >> <darran.lofthouse(a)jboss.com&gt; wrote: >> >>> Agreed, a prompt would help so a feature request would be >>> welcome. >>> >>> This will be an interesting contributor task I think as we would >>> need to >>> be mapping between the configured policy and appropriate log >>> messages. >>> >>> Regards, >>> Darran Lofthouse. >>> >>> >>> On 10/10/2012 09:02 AM, Stuart Douglas wrote: >>>> Also, at the very least this should tell you the requirements >>>> before you >>>> have to go through the trial and error process to figure out >>>> what >>>> they are. >>>> >>>> Stuart >>>> >>>> Jaikiran Pai wrote: >>>>> I think it's been a while since I used the add-user script to >>>>> add >>>>> application users. Turns out the password for the new user is >>>>> now >>>>> checked for strength and the rules are a bit annoying [1], at >>>>> least for >>>>> me. As a developer, I just want to test a scenario for EJB >>>>> invocations. >>>>> I tried using "test" as a password and it failed with "too few >>>>> characters". Then I tried "test12345" failed again with "your >>>>> password >>>>> should have combination of upper case, lower case, ...". I >>>>> never >>>>> have >>>>> understood this specific requirement of passwords being forced >>>>> to >>>>> be of >>>>> certain type (many sites do it). So, would it be possible to >>>>> somehow >>>>> relax this requirement? >>>>> >>>>> I'm not a security expert, but is this "your password has to >>>>> have >>>>> upper >>>>> case, lower case, digit, special char" requirement really worth >>>>> it in a >>>>> real application? >>>>> >>>>> >>>>> [1] >>>>> https://issues.jboss.org/browse/AS7-2756?focusedCommentId=12653165&pa... >>>>> >>>>> -Jaikiran >>>>> _______________________________________________ >>>>> jboss-as7-dev mailing list >>>>> jboss-as7-dev(a)lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev >>>> _______________________________________________ >>>> jboss-as7-dev mailing list >>>> jboss-as7-dev(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev >>>> >>> _______________________________________________ >>> jboss-as7-dev mailing list >>> jboss-as7-dev(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev >> >> >> _______________________________________________ >> jboss-as7-dev mailing list >> jboss-as7-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev >> > _______________________________________________ > jboss-as7-dev mailing list > jboss-as7-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/jboss-as7-dev > -- Brian Stansberry Principal Software Engineer JBoss by Red Hat _______________________________________________ jboss-as7-dev mailing list jboss-as7-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/jboss-as7-dev