The challenge is that a user may just copy the properties file from his
desktop to a production instance. So if the password is not strong at
the local developer desktop instance, there may be a situation where the
production console is running against a weak password.
On 10/10/2012 12:45 PM, Brian Stansberry wrote:
Interesting. This enforcing of password rules is new in AS master; AFAIK
we've never had this kind of thing before.
On 10/10/12 12:19 PM, Andrig Miller wrote:
> We might run afoul of PCI and SOX requirements for customers with that kind of
> option.
>
> Personally, I think just having some text that says the password requirements when
> you create a user, to make it more usable is what we should do, and not relax the
> requirements.
>
> Andy
>
> ----- Original Message -----
>> From: "Jason Greene" <jason.greene(a)redhat.com>
>> To: "Darran Lofthouse" <darran.lofthouse(a)jboss.com>
>> Cc: jboss-as7-dev(a)lists.jboss.org
>> Sent: Wednesday, October 10, 2012 7:46:54 AM
>> Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script?
>>
>> Maybe we should allow a --force option, which bypasses that stuff?
>>
>> On Oct 10, 2012, at 4:49 AM, Darran Lofthouse
>> <darran.lofthouse(a)jboss.com> wrote:
>>
>>> Agreed, a prompt would help so a feature request would be welcome.
>>>
>>> This will be an interesting contributor task I think as we would need to
>>> be mapping between the configured policy and appropriate log messages.
>>>
>>> Regards,
>>> Darran Lofthouse.
>>>
>>>
>>> On 10/10/2012 09:02 AM, Stuart Douglas wrote:
>>>> Also, at the very least this should tell you the requirements before you
>>>> have to go through the trial and error process to figure out what they are.
>>>>
>>>> Stuart
>>>>
>>>> Jaikiran Pai wrote:
>>>>> I think it's been a while since I used the add-user script to add
>>>>> application users. Turns out the password for the new user is now
>>>>> checked for strength and the rules are a bit annoying [1], at least
>>>>> for me. As a developer, I just want to test a scenario for EJB
>>>>> invocations. I tried using "test" as a password and it failed with
>>>>> "too few characters". Then I tried "test12345", which failed again
>>>>> with "your password should have combination of upper case, lower
>>>>> case, ...". I never have understood this specific requirement of
>>>>> passwords being forced to be of a certain type (many sites do it).
>>>>> So, would it be possible to somehow relax this requirement?
>>>>>
>>>>> I'm not a security expert, but is this "your password has to have
>>>>> upper case, lower case, digit, special char" requirement really worth
>>>>> it in a real application?
>>>>>
>>>>>
>>>>> [1]
>>>>> https://issues.jboss.org/browse/AS7-2756?focusedCommentId=12653165&pa...
>>>>>
>>>>> -Jaikiran
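A small policy checker in the spirit of what Stuart and Darran ask for in the thread (state the requirements up front, and map each configured rule to its own message), added here as an example; it is not the add-user script's own code. The thresholds (8 characters, three of four character classes) and the rule names are assumptions chosen so that the two passwords Jaikiran tried fail the way he describes.

```python
"""Password-policy checker modelled on the add-user rules quoted above.

Added example, not code from JBoss AS. Thresholds are assumptions:
the real script's minimum length and class count are not on the page.
"""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8       # assumption: "test" is reported as too short
    min_classes: int = 3      # assumption: classes required out of the four

    # Character classes named in the thread's error message.
    CLASSES = {
        "upper case": set(string.ascii_uppercase),
        "lower case": set(string.ascii_lowercase),
        "digit": set(string.digits),
        "special char": set(string.punctuation),
    }

    def describe(self) -> list[str]:
        """Requirements to show before the prompt, so no trial and error."""
        return [
            f"at least {self.min_length} characters",
            f"at least {self.min_classes} of: " + ", ".join(self.CLASSES),
        ]

    def violations(self, password: str) -> list[str]:
        """Every rule the password breaks, each with its own message."""
        problems = []
        if len(password) < self.min_length:
            problems.append(
                f"too few characters ({len(password)} < {self.min_length})")
        present = [name for name, chars in self.CLASSES.items()
                   if any(c in chars for c in password)]
        if len(present) < self.min_classes:
            missing = [n for n in self.CLASSES if n not in present]
            problems.append("your password should have a combination of "
                            + ", ".join(self.CLASSES)
                            + "; missing: " + ", ".join(missing))
        return problems


if __name__ == "__main__":
    policy = PasswordPolicy()
    print("Requirements:", *policy.describe(), sep="\n  ")
    for candidate in ("test", "test12345", "Test12345!"):  # constructed inputs
        print(repr(candidate), policy.violations(candidate) or "OK")
```

Reporting all violations at once, rather than stopping at the first failed rule, is what lets a developer fix the password in one attempt.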