We might run afoul of PCI and SOX requirements for customers with that kind of option.
Personally, I think just having some text that says the password requirements when you
create a user, to make it more usable is what we should do, and not relax the
----- Original Message -----
From: "Jason Greene" <jason.greene(a)redhat.com>
To: "Darran Lofthouse" <darran.lofthouse(a)jboss.com>
Sent: Wednesday, October 10, 2012 7:46:54 AM
Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script?
Maybe we should allow a --force option, which bypasses that stuff?
On Oct 10, 2012, at 4:49 AM, Darran Lofthouse
> Agreed, a prompt would help so a feature request would be welcome.
> This will be an interesting contributor task I think as we would need to
> be mapping between the configured policy and appropriate log
> Darran Lofthouse.
> On 10/10/2012 09:02 AM, Stuart Douglas wrote:
>> Also, at the very least this should tell you the requirements before you
>> have to go through the trial and error process to figure out what they are.
>> Jaikiran Pai wrote:
>>> I think it's been a while since I used the add-user script to add
>>> application users. Turns out the password for the new user is now
>>> checked for strength and the rules are a bit annoying, at least for
>>> me. As a developer, I just want to test a scenario for EJB
>>> I tried using "test" as a password and it failed with "too
>>> characters". Then I tried "test12345" failed again with
>>> should have combination of upper case, lower case, ...". I never
>>> understood this specific requirement of passwords being forced to be of
>>> certain type (many sites do it). So, would it be possible to
>>> relax this requirement?
>>> I'm not a security expert, but is this "your password has to have
>>> case, lower case, digit, special char" requirement really worth it in a
>>> real application?
>>> jboss-as7-dev mailing list