On Wednesday 10 October 2012 03:20 PM, Darran Lofthouse wrote:
> Would also add for those working on this day to day there is nothing
> to stop you backing up your properties files and just copying them
> back in after a build - it is not really necessary to be running
> through the add user process.
That's a good point! I'll happily use this trick.
On 10/10/2012 10:47 AM, Darran Lofthouse wrote:
> On 10/10/2012 08:23 AM, Jaikiran Pai wrote:
>> I never have
>> understood this specific requirement of passwords being forced to be of
>> certain type (many sites do it).
> The reason for the requirement is to reduce the effectiveness of
> dictionary-based attacks by stopping the users from using commonly used
> words for their password.
> For Digest authentication which we are using by default the password is
> not transmitted in the clear - however a hash is transmitted and apart
> from the password used to generate the hash the rest of the information
> used to generate the hash is also visible.
> At this point if you want to discover the user's password you can try
> brute force regenerating the hashes by trying out one candidate password
> after another - passwords could be anything so this is a big task,
> however if most users are just going to pick a normal word or a name or
> something common like that you have a much smaller sample to use to
> discover their password by trying each entry in the smaller sample.
> This brute force discovery of a password occurs offline and only
> requires the hashes from the captured packets so we can't detect that it
> is happening so instead a policy is in place to ensure more complex
> passwords are chosen - this way the brute force discovery has a much
> larger sample of passwords.
> Ideally SSL/TLS would still be enabled for these connections which would
> prevent even the hashes being seen but compared to BASIC authentication
> where capturing one packet gets you the user's password this is a step up
> as an intermediate step.
>> I'm not a security expert, but is this "your password has to have upper
>> case, lower case, digit, special char" requirement really worth it in a
>> real application?
>> jboss-as7-dev mailing list
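The Digest exchange Darran describes, as an added example that is not code from the thread or from JBoss AS7: it builds an RFC 2617 `Authorization` header (qop=auth), parses it back the way anyone reading the packet would, and verifies it server-side from a stored HA1 rather than the password. All realm, user, nonce and password values are constructed for the example; the point it makes is that the parsed header carries every hash input except the password, which is why the complexity rule (the `meets_complexity_policy` check at the end) is the only lever left once TLS is not in use.

```python
import hashlib
import hmac
import re

# Constructed sample values (not from the thread): one Digest exchange against a management realm.
REALM = "ManagementRealm"
USER = "admin"
PASSWORD = "Tr0ub4dor&3"
METHOD, URI = "GET", "/management"
NONCE, CNONCE, NC, QOP = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001", "auth"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). The server keeps this instead of the password."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str) -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization_header(user, realm, password, method, uri, nonce, cnonce, nc, qop) -> str:
    """What the client puts on the wire; every field except the password is right here."""
    resp = digest_response(ha1(user, realm, password), method, uri, nonce, nc, cnonce, qop)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop={qop}, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_authorization_header(header: str) -> dict:
    """Recover the key=value fields exactly as a passive observer of the packet would."""
    params = header.split(" ", 1)[1]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def server_verifies(stored_ha1: str, fields: dict, method: str) -> bool:
    """Server side: recompute from the stored HA1 plus the client's fields, compare in constant time."""
    expected = digest_response(stored_ha1, method, fields["uri"], fields["nonce"],
                               fields["nc"], fields["cnonce"], fields["qop"])
    return hmac.compare_digest(expected, fields["response"])


def meets_complexity_policy(password: str) -> bool:
    """The upper/lower/digit/special rule the thread asks about; it pushes passwords out of a word list."""
    classes = [str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum()]
    return all(any(check(c) for c in password) for check in classes)
```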