[jboss-as7-dev] Relaxing password requirements for add-user script?
Jason Greene
jgreene at redhat.com
Mon Oct 15 09:56:32 EDT 2012
Since the security store uses the realm name in the hash, which acts like a salt, it is a step beyond the LinkedIn situation.
Sent from my iPhone
On Oct 15, 2012, at 8:36 AM, Anil Saldhana <Anil.Saldhana at redhat.com> wrote:
> Darran,
> I have been thinking about the properties file strategy. I support
> your thinking. But I want to put forward some thoughts:
>
> From the LinkedIn password fiasco, the general industry philosophy is
> that passwords that are just hashed are prone to dictionary/brute force
> attacks, irrespective of how strong the password is. There is a
> necessity to introduce a salt per password.
> Introduction of a salt per password is just going to make the usability
> aspects challenging with the properties file strategy.
>
> We should consider the PicketLink IDM work for storing passwords. The
> password management becomes a responsibility of the IDM framework.
> Discussion on this framework is happening in the security-dev mailing list.
>
> Regards,
> Anil
>
> On 10/11/2012 09:09 AM, Andrig Miller wrote:
>>
>> ----- Original Message -----
>>> From: "Darran Lofthouse" <darran.lofthouse at jboss.com>
>>> To: "Andrig Miller" <anmiller at redhat.com>
>>> Cc: "Jason Greene" <jason.greene at redhat.com>, jboss-as7-dev at lists.jboss.org
>>> Sent: Thursday, October 11, 2012 3:01:57 AM
>>> Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script?
>>>
>>> Hi Andy,
>>>
>>> It may be missing at the moment but this complexity check was
>>> supposed
>>> to have a modifiable policy file that the administrator could update
>>> to
>>> specify the rules they really want. How would any auditors consider
>>> that?
>> That, in my opinion, would be fine. The only issue would be how you protect that policy file from be tampered with, but this is true of all configuration.
>>
>>> To me the modifying of a policy to weaken it is a deliberate act by
>>> an
>>> administrator, that same administrator also has the capability to
>>> reconfigure the server to use BASIC authentication or store the
>>> passwords in plain text instead of pre-hashed.
>>>
>>> However the --force option does feel too easy for someone to use and
>>> then forget they forced through a weak password just to get their
>>> production server online.
>> Agreed.
>>
>> Andy
>>
>>> Regards,
>>> Darran Lofthouse.
>>>
>>>
>>> On 10/10/2012 08:29 PM, Andrig Miller wrote:
>>>> Not to my knowledge. My point, is whenever you give have these
>>>> allowances, you make the customer have to prove to the auditors
>>>> that you are not using them.
>>>>
>>>> Auditors love these kinds of things, because it gives them
>>>> something to poke into. More billable hours ;-)
>>>>
>>>> Andy
>>>>
>>>> ----- Original Message -----
>>>>> From: "Jason Greene" <jason.greene at redhat.com>
>>>>> To: "Brian Stansberry" <brian.stansberry at redhat.com>
>>>>> Cc: jboss-as7-dev at lists.jboss.org
>>>>> Sent: Wednesday, October 10, 2012 1:22:32 PM
>>>>> Subject: Re: [jboss-as7-dev] Relaxing password requirements for
>>>>> add-user script?
>>>>>
>>>>> As someone mentioned earlier RHEL lets you set a bad password (if
>>>>> you
>>>>> agree to it). Is there a special compliance distro of RHEL?
>>>>> On Oct 10, 2012, at 12:45 PM, Brian Stansberry
>>>>> <brian.stansberry at redhat.com> wrote:
>>>>>
>>>>>> Interesting. This enforcing of password rules is new in AS
>>>>>> master;
>>>>>> AFAIK
>>>>>> we've never had this kind of thing before.
>>>>>>
>>>>>> On 10/10/12 12:19 PM, Andrig Miller wrote:
>>>>>>> We might run afoul of PCI and SOX requirements for customers
>>>>>>> with
>>>>>>> that kind of option.
>>>>>>>
>>>>>>> Personally, I think just having some text that says the password
>>>>>>> requirements when you create a user, to make it more usable is
>>>>>>> what we should do, and not relax the requirements.
>>>>>>>
>>>>>>> Andy
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Jason Greene" <jason.greene at redhat.com>
>>>>>>>> To: "Darran Lofthouse" <darran.lofthouse at jboss.com>
>>>>>>>> Cc: jboss-as7-dev at lists.jboss.org
>>>>>>>> Sent: Wednesday, October 10, 2012 7:46:54 AM
>>>>>>>> Subject: Re: [jboss-as7-dev] Relaxing password requirements for
>>>>>>>> add-user script?
>>>>>>>>
>>>>>>>> Maybe we should allow a --force option, which bypasses that
>>>>>>>> stuff?
>>>>>>>>
>>>>>>>> On Oct 10, 2012, at 4:49 AM, Darran Lofthouse
>>>>>>>> <darran.lofthouse at jboss.com> wrote:
>>>>>>>>
>>>>>>>>> Agreed, a prompt would help so a feature request would be
>>>>>>>>> welcome.
>>>>>>>>>
>>>>>>>>> This will be an interesting contributor task I think as we
>>>>>>>>> would
>>>>>>>>> need to
>>>>>>>>> be mapping between the configured policy and appropriate log
>>>>>>>>> messages.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Darran Lofthouse.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 10/10/2012 09:02 AM, Stuart Douglas wrote:
>>>>>>>>>> Also, at the very least this should tell you the requirements
>>>>>>>>>> before you
>>>>>>>>>> have to go through the trial and error process to figure out
>>>>>>>>>> what
>>>>>>>>>> they are.
>>>>>>>>>>
>>>>>>>>>> Stuart
>>>>>>>>>>
>>>>>>>>>> Jaikiran Pai wrote:
>>>>>>>>>>> I think it's been a while since I used the add-user script
>>>>>>>>>>> to
>>>>>>>>>>> add
>>>>>>>>>>> application users. Turns out the password for the new user
>>>>>>>>>>> is
>>>>>>>>>>> now
>>>>>>>>>>> checked for strength and the rules are a bit annoying [1],
>>>>>>>>>>> at
>>>>>>>>>>> least for
>>>>>>>>>>> me. As a developer, I just want to test a scenario for EJB
>>>>>>>>>>> invocations.
>>>>>>>>>>> I tried using "test" as a password and it failed with "too
>>>>>>>>>>> few
>>>>>>>>>>> characters". Then I tried "test12345" failed again with
>>>>>>>>>>> "your
>>>>>>>>>>> password
>>>>>>>>>>> should have combination of upper case, lower case, ...". I
>>>>>>>>>>> never
>>>>>>>>>>> have
>>>>>>>>>>> understood this specific requirement of passwords being
>>>>>>>>>>> forced
>>>>>>>>>>> to
>>>>>>>>>>> be of
>>>>>>>>>>> certain type (many sites do it). So, would it be possible to
>>>>>>>>>>> somehow
>>>>>>>>>>> relax this requirement?
>>>>>>>>>>>
>>>>>>>>>>> I'm not a security expert, but is this "your password has to
>>>>>>>>>>> have
>>>>>>>>>>> upper
>>>>>>>>>>> case, lower case, digit, special char" requirement really
>>>>>>>>>>> worth
>>>>>>>>>>> it in a
>>>>>>>>>>> real application?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [1]
>>>>>>>>>>> https://issues.jboss.org/browse/AS7-2756?focusedCommentId=12653165&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12653165
>>>>>>>>>>>
>>>>>>>>>>> -Jaikiran
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> jboss-as7-dev mailing list
>>>>>>>>>>> jboss-as7-dev at lists.jboss.org
>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>>>>>>>> _______________________________________________
>>>>>>>>>> jboss-as7-dev mailing list
>>>>>>>>>> jboss-as7-dev at lists.jboss.org
>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>>>>>>> _______________________________________________
>>>>>>>>> jboss-as7-dev mailing list
>>>>>>>>> jboss-as7-dev at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> jboss-as7-dev mailing list
>>>>>>>> jboss-as7-dev at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>>>>> _______________________________________________
>>>>>>> jboss-as7-dev mailing list
>>>>>>> jboss-as7-dev at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>>>>>
>>>>>> --
>>>>>> Brian Stansberry
>>>>>> Principal Software Engineer
>>>>>> JBoss by Red Hat
> _______________________________________________
> jboss-as7-dev mailing list
> jboss-as7-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
More information about the jboss-as7-dev
mailing list