Interesting. This enforcing of password rules is new in AS master; AFAIK
we've never had this kind of thing before.
On 10/10/12 12:19 PM, Andrig Miller wrote:
We might run afoul of PCI and SOX requirements for customers with
that kind of option.
Personally, I think just having some text that says the password requirements when you
create a user, to make it more usable is what we should do, and not relax the
requirements.
Andy
----- Original Message -----
> From: "Jason Greene" <jason.greene(a)redhat.com>
> To: "Darran Lofthouse" <darran.lofthouse(a)jboss.com>
> Cc: jboss-as7-dev(a)lists.jboss.org
> Sent: Wednesday, October 10, 2012 7:46:54 AM
> Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script?
>
> Maybe we should allow a --force option, which bypasses that stuff?
>
> On Oct 10, 2012, at 4:49 AM, Darran Lofthouse
> <darran.lofthouse(a)jboss.com> wrote:
>
>> Agreed, a prompt would help so a feature request would be welcome.
>>
>> This will be an interesting contributor task I think as we would need to
>> be mapping between the configured policy and appropriate log messages.
>>
>> Regards,
>> Darran Lofthouse.
>>
>>
>> On 10/10/2012 09:02 AM, Stuart Douglas wrote:
>>> Also, at the very least this should tell you the requirements before you
>>> have to go through the trial and error process to figure out what they are.
>>>
>>> Stuart
>>>
>>> Jaikiran Pai wrote:
>>>> I think it's been a while since I used the add-user script to add
>>>> application users. Turns out the password for the new user is now
>>>> checked for strength and the rules are a bit annoying [1], at least for
>>>> me. As a developer, I just want to test a scenario for EJB invocations.
>>>> I tried using "test" as a password and it failed with "too few
>>>> characters". Then I tried "test12345" failed again with "your password
>>>> should have combination of upper case, lower case, ...". I never have
>>>> understood this specific requirement of passwords being forced to be of
>>>> certain type (many sites do it). So, would it be possible to somehow
>>>> relax this requirement?
>>>>
>>>> I'm not a security expert, but is this "your password has to have upper
>>>> case, lower case, digit, special char" requirement really worth it in a
>>>> real application?
>>>>
>>>>
>>>> [1] https://issues.jboss.org/browse/AS7-2756?focusedCommentId=12653165&pa...
>>>>
>>>> -Jaikiran
>>>> _______________________________________________
>>>> jboss-as7-dev mailing list
>>>> jboss-as7-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev