[jboss-as7-dev] Relaxing password requirements for add-user script?

Jason Greene jason.greene at redhat.com
Wed Oct 10 15:22:32 EDT 2012


As someone mentioned earlier, RHEL lets you set a bad password (if you agree to it). Is there a special compliance distro of RHEL?

On Oct 10, 2012, at 12:45 PM, Brian Stansberry <brian.stansberry at redhat.com> wrote:

> Interesting. This enforcing of password rules is new in AS master; AFAIK 
> we've never had this kind of thing before.
> 
> On 10/10/12 12:19 PM, Andrig Miller wrote:
>> We might run afoul of PCI and SOX requirements for customers with that kind of option.
>> 
>> Personally, I think just having some text that says the password requirements when you create a user, to make it more usable, is what we should do, and not relax the requirements.
>> 
>> Andy
>> 
>> ----- Original Message -----
>>> From: "Jason Greene" <jason.greene at redhat.com>
>>> To: "Darran Lofthouse" <darran.lofthouse at jboss.com>
>>> Cc: jboss-as7-dev at lists.jboss.org
>>> Sent: Wednesday, October 10, 2012 7:46:54 AM
>>> Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script?
>>> 
>>> Maybe we should allow a --force option, which bypasses that stuff?
>>> 
>>> On Oct 10, 2012, at 4:49 AM, Darran Lofthouse
>>> <darran.lofthouse at jboss.com> wrote:
>>> 
>>>> Agreed, a prompt would help so a feature request would be welcome.
>>>> 
>>>> This will be an interesting contributor task I think as we would need to
>>>> be mapping between the configured policy and appropriate log messages.
>>>> 
>>>> Regards,
>>>> Darran Lofthouse.
>>>> 
>>>> 
>>>> On 10/10/2012 09:02 AM, Stuart Douglas wrote:
>>>>> Also, at the very least this should tell you the requirements before you
>>>>> have to go through the trial and error process to figure out what they are.
>>>>> 
>>>>> Stuart
>>>>> 
>>>>> Jaikiran Pai wrote:
>>>>>> I think it's been a while since I used the add-user script to add
>>>>>> application users. Turns out the password for the new user is now
>>>>>> checked for strength and the rules are a bit annoying [1], at least for
>>>>>> me. As a developer, I just want to test a scenario for EJB invocations.
>>>>>> I tried using "test" as a password and it failed with "too few
>>>>>> characters". Then I tried "test12345", which failed again with "your
>>>>>> password should have combination of upper case, lower case, ...". I never
>>>>>> have understood this specific requirement of passwords being forced to
>>>>>> be of certain type (many sites do it). So, would it be possible to
>>>>>> somehow relax this requirement?
>>>>>> 
>>>>>> I'm not a security expert, but is this "your password has to have upper
>>>>>> case, lower case, digit, special char" requirement really worth it in a
>>>>>> real application?
>>>>>> 
>>>>>> 
>>>>>> [1]
>>>>>> https://issues.jboss.org/browse/AS7-2756?focusedCommentId=12653165&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12653165
>>>>>> 
>>>>>> -Jaikiran
>>>>>> _______________________________________________
>>>>>> jboss-as7-dev mailing list
>>>>>> jboss-as7-dev at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
> 
> 
> -- 
> Brian Stansberry
> Principal Software Engineer
> JBoss by Red Hat