On Wednesday 10 October 2012 03:20 PM, Darran Lofthouse wrote:
> Would also add for those working on this day to day there is nothing
> to stop you backing up your properties files and just copying them
> back in after a build - it is not really necessary to be running
> through the add user process.
That's a good point! I'll happily use this trick.
-Jaikiran
> Regards,
> Darran Lofthouse.
On 10/10/2012 10:47 AM, Darran Lofthouse wrote:
> On 10/10/2012 08:23 AM, Jaikiran Pai wrote:
>> I never have
>> understood this specific requirement of passwords being forced to be of
>> certain type (many sites do it).
>
> The reason for the requirement is to reduce the effectiveness of
> dictionary based attacks by stopping the users from using commonly used
> words for their password.
>
> For Digest authentication which we are using by default the password is
> not transmitted in the clear - however a hash is transmitted and apart
> from the password used to generate the hash the rest of the information
> used to generate the hash is also visible.
>
> At this point if you want to discover the user's password you can try
> brute force regenerating the hashes by trying out one candidate password
> after another - passwords could be anything so this is a big task,
> however if most users are just going to pick a normal word or a name or
> something common like that you have a much smaller sample to use to
> discover their password by trying each entry in the smaller sample.
>
> This brute force discovery of a password occurs offline and only
> requires the hashes from the captured packets so we can't detect that it
> is happening so instead a policy is in place to ensure more complex
> passwords are chosen - this way the brute force discovery has a much
> larger sample of passwords.
>
> Ideally SSL/TLS would still be enabled for these connections which would
> prevent even the hashes being seen but compared to BASIC authentication
> where capturing one packet gets you the user's password this is a step up
> as an intermediate step.
>
>> I'm not a security expert, but is this "your password has to have upper
>> case, lower case, digit, special char" requirement really worth it in a
>> real application?
>>
>> [1] https://issues.jboss.org/browse/AS7-2756?focusedCommentId=12653165&pa...
>>
>> -Jaikiran
>> _______________________________________________
>> jboss-as7-dev mailing list
>> jboss-as7-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
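As an added illustration of the exchange Darran describes (example code written for this page, not code from the thread or from JBoss AS): the RFC 2617 Digest response without qop, a parser showing which fields a passive observer on a non-TLS connection gets from the header, the server-side check against a stored HA1, and the character-class rule from add-user that Jaikiran asks about. The username, realm, nonce, URI and password are constructed sample values modelled on the RFC 2617 example.

```python
import hashlib
import re


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest_header(header):
    """Split an Authorization: Digest header into its key="value" fields."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def ha1(username, realm, password):
    """RFC 2617 HA1 = MD5(username:realm:password); the password is the only secret input."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{ha2}")


def server_verify(stored_ha1, method, header):
    """What the server does: recompute from the stored HA1 and compare with the sent response."""
    f = parse_digest_header(header)
    return digest_response(stored_ha1, method, f["uri"], f["nonce"]) == f["response"]


def fields_visible_to_observer(header):
    """Every field a passive observer learns from the header; the password is not among them."""
    return sorted(parse_digest_header(header))


def password_policy_ok(password, min_len=8):
    """The add-user style rule from the thread: minimum length plus upper, lower, digit, special."""
    return len(password) >= min_len and all(
        re.search(p, password) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))


# Constructed sample exchange (values modelled on the RFC 2617 example, not a real capture).
SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
SAMPLE_NONCE, SAMPLE_URI = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "/dir/index.html"
SAMPLE_RESPONSE = digest_response(
    ha1(SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD), "GET", SAMPLE_URI, SAMPLE_NONCE)
SAMPLE_HEADER = (f'Digest username="{SAMPLE_USER}", realm="{SAMPLE_REALM}", '
                 f'nonce="{SAMPLE_NONCE}", uri="{SAMPLE_URI}", response="{SAMPLE_RESPONSE}"')
```

Because the observer holds every input except the password, the only thing standing between a captured header and an offline guess is how many candidates have to be tried, which is exactly what the complexity rule enlarges.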