Relaxing password requirements for add-user script?

Relaxing password requirements for add-user script?

Jaikiran Pai
I think it's been a while since I used the add-user script to add
application users. Turns out the password for the new user is now
checked for strength and the rules are a bit annoying [1], at least for
me. As a developer, I just want to test a scenario for EJB invocations.
I tried using "test" as a password and it failed with "too few
characters". Then I tried "test12345", which failed again with "your password
should have combination of upper case, lower case, ...". I never have
understood this specific requirement of passwords being forced to be of
certain type (many sites do it). So, would it be possible to somehow
relax this requirement?

I'm not a security expert, but is this "your password has to have upper
case, lower case, digit, special char" requirement really worth it in a
real application?


[1]
https://issues.jboss.org/browse/AS7-2756?focusedCommentId=12653165&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12653165

-Jaikiran
_______________________________________________
jboss-as7-dev mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev

Re: Relaxing password requirements for add-user script?

Stuart Douglas
Also, at the very least this should tell you the requirements before you
have to go through the trial and error process to figure out what they are.

Stuart

Re: Relaxing password requirements for add-user script?

Darran Lofthouse
In reply to this post by Jaikiran Pai
On 10/10/2012 08:23 AM, Jaikiran Pai wrote:
> I never have
> understood this specific requirement of passwords being forced to be of
> certain type (many sites do it).

The reason for the requirement is to reduce the effectiveness of
dictionary-based attacks by stopping users from using commonly used
words for their password.

For Digest authentication, which we are using by default, the password is
not transmitted in the clear - however, a hash is transmitted, and apart
from the password used to generate the hash, the rest of the information
used to generate the hash is also visible.

At this point, if you want to discover the user's password you can try
brute force regenerating the hashes by trying out one candidate password
after another - passwords could be anything, so this is a big task;
however, if most users are just going to pick a normal word or a name or
something common like that, you have a much smaller sample to use to
discover their password by trying each entry in the smaller sample.

This brute-force discovery of a password occurs offline and only
requires the hashes from the captured packets, so we can't detect that it
is happening; instead, a policy is in place to ensure more complex
passwords are chosen - this way the brute-force discovery has a much
larger sample of passwords.

Ideally SSL/TLS would still be enabled for these connections, which would
prevent even the hashes from being seen, but compared to BASIC authentication,
where capturing one packet gets you the user's password, this is a step up
as an intermediate step.

Re: Relaxing password requirements for add-user script?

Darran Lofthouse
In reply to this post by Stuart Douglas
Agreed, a prompt would help so a feature request would be welcome.

This will be an interesting contributor task, I think, as we would need to
map between the configured policy and appropriate log messages.

Regards,
Darran Lofthouse.


On 10/10/2012 09:02 AM, Stuart Douglas wrote:

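An added example (not from the thread and not the add-user script's own code) of the mapping Darran describes between a configured policy and the messages a prompt should print, covering the rationale in his earlier reply and the prompt idea in this one. The rule set, the message wording, the small word list and the warn-but-proceed `force` flag (modelled on the --force idea raised later in the thread) are assumptions made for the example; the checker lists every unmet rule at once, so a user never has to discover the requirements by trial and error.

```python
"""Password-policy checker that reports every unmet rule up front.

Added illustration: models a policy of minimum length plus a mix of
character classes, with a refusal of common words, and maps each enabled
rule to a message that can be printed before the password prompt.
The rules, messages and word list are constructed for the example.
"""
import string
from dataclasses import dataclass

SPECIALS = set(string.punctuation)


@dataclass(frozen=True)
class Policy:
    """Configurable policy; defaults approximate the rules the thread complains about."""
    min_length: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    # Constructed stand-in for a dictionary of common words and names.
    forbidden_words: frozenset = frozenset({"test", "password", "admin"})

    def rules(self):
        """(rule_id, 'must ...' text, predicate) for every enabled rule, in a fixed order."""
        rules = [("length",
                  f"be at least {self.min_length} characters long",
                  lambda p: len(p) >= self.min_length)]
        if self.require_upper:
            rules.append(("upper", "contain an upper-case letter",
                          lambda p: any(c.isupper() for c in p)))
        if self.require_lower:
            rules.append(("lower", "contain a lower-case letter",
                          lambda p: any(c.islower() for c in p)))
        if self.require_digit:
            rules.append(("digit", "contain a digit",
                          lambda p: any(c.isdigit() for c in p)))
        if self.require_special:
            rules.append(("special", "contain a punctuation character",
                          lambda p: any(c in SPECIALS for c in p)))
        if self.forbidden_words:
            rules.append(("dictionary", "not be a common word",
                          lambda p: p.lower() not in self.forbidden_words))
        return rules

    def requirements(self):
        """Text to print before the password prompt, one line per enabled rule."""
        return [f"The password must {text}." for _, text, _ in self.rules()]


# A deliberately permissive policy for throwaway development accounts
# (assumed; the thread only discusses whether such a relaxation is wise).
DEV_POLICY = Policy(min_length=1, require_upper=False, require_lower=False,
                    require_digit=False, require_special=False,
                    forbidden_words=frozenset())


def violations(password, policy=Policy()):
    """IDs of every rule the candidate fails (all of them, not just the first)."""
    return [rule_id for rule_id, _, ok in policy.rules() if not ok(password)]


def evaluate(password, policy=Policy(), force=False):
    """Return (accepted, messages).

    Without force, any violation rejects the password. With force, the
    password is accepted but every violated rule is still reported, so the
    weakness is visible to the user and can be logged.
    """
    failed = set(violations(password, policy))
    messages = [f"The password must {text}." for rule_id, text, _ in policy.rules()
                if rule_id in failed]
    return (force or not failed), messages


if __name__ == "__main__":
    print("\n".join(Policy().requirements()))
    for candidate in ("test", "test12345", "Ejb-Invoke42"):
        accepted, msgs = evaluate(candidate)
        print(f"{candidate!r}: {'ok' if accepted else 'rejected'}")
        for m in msgs:
            print("   ", m)
```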

Re: Relaxing password requirements for add-user script?

Darran Lofthouse
In reply to this post by Darran Lofthouse
I would also add that for those working on this day to day there is nothing to
stop you backing up your properties files and just copying them back in
after a build - it is not really necessary to run through the add-user
process.

Regards,
Darran Lofthouse.


On 10/10/2012 10:47 AM, Darran Lofthouse wrote:


Re: Relaxing password requirements for add-user script?

Jaikiran Pai
On Wednesday 10 October 2012 03:20 PM, Darran Lofthouse wrote:
> Would also add for those working on this day to day there is nothing
> to stop you backing up your properties files and just copying them
> back in after a build - it is not really necessary to be running
> through the add user process.
>
That's a good point! I'll happily use this trick.

-Jaikiran


Re: Relaxing password requirements for add-user script?

jtgreene
In reply to this post by Darran Lofthouse
Maybe we should allow a --force option, which bypasses that stuff?

On Oct 10, 2012, at 4:49 AM, Darran Lofthouse <[hidden email]> wrote:


Re: Relaxing password requirements for add-user script?

John Doyle
+1

I re-image a test Linux box on my desk often, and it warns me when I use a dictionary PW, but it allows me to proceed.

~john


Re: Relaxing password requirements for add-user script?

Brian Stansberry
In reply to this post by jtgreene
+1

I don't want to use any of my regular secure passwords for this kind of
"experimenting" or "demoing" usage; I want to only use them for places
where I'm really protecting something. And I already have enough
passwords; I don't feel like remembering a throwaway password that meets
these requirements. If I were a user I'd find having to do that with no
way around it really annoying.

On 10/10/12 8:46 AM, Jason Greene wrote:

--
Brian Stansberry
Principal Software Engineer
JBoss by Red Hat

Re: Relaxing password requirements for add-user script?

Andrig Miller
In reply to this post by jtgreene
We might run afoul of PCI and SOX requirements for customers with that kind of option.

Personally, I think just having some text that states the password requirements when you create a user, to make it more usable, is what we should do, rather than relaxing the requirements.

Andy

----- Original Message -----

> From: "Jason Greene" <[hidden email]>
> To: "Darran Lofthouse" <[hidden email]>
> Cc: [hidden email]
> Sent: Wednesday, October 10, 2012 7:46:54 AM
> Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script?

Re: Relaxing password requirements for add-user script?

Brian Stansberry
Interesting. This enforcing of password rules is new in AS master; AFAIK
we've never had this kind of thing before.

On 10/10/12 12:19 PM, Andrig Miller wrote:

--
Brian Stansberry
Principal Software Engineer
JBoss by Red Hat

Re: Relaxing password requirements for add-user script?

Anil Saldhana
The challenge is that a user may just copy the properties file from his
desktop to a production instance. So if the password is not strong at
the local developer desktop instance, there may be a situation where the
production console is running against a weak password.

On 10/10/2012 12:45 PM, Brian Stansberry wrote:

Re: Relaxing password requirements for add-user script?

jtgreene
Administrator
In reply to this post by Brian Stansberry
As someone mentioned earlier, RHEL lets you set a bad password (if you agree to it). Is there a special compliance distro of RHEL?
On Oct 10, 2012, at 12:45 PM, Brian Stansberry <[hidden email]> wrote:

> Interesting. This enforcing of password rules is new in AS master; AFAIK
> we've never had this kind of thing before.
>
> --
> Brian Stansberry
> Principal Software Engineer
> JBoss by Red Hat

Re: Relaxing password requirements for add-user script?

Andrig Miller
In reply to this post by Brian Stansberry
Yes, but having done PCI compliance with JBoss in the past, you have to provide process-based workarounds for the missing things, or deficiencies in the platform. With the platform actually having this, it will make compliance easier for customers to attain.

Andy

----- Original Message -----

> From: "Brian Stansberry" <[hidden email]>
> To: [hidden email]
> Sent: Wednesday, October 10, 2012 11:45:39 AM
> Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script?
>
> Interesting. This enforcing of password rules is new in AS master;
> AFAIK
> we've never had this kind of thing before.
>

Re: Relaxing password requirements for add-user script?

Andrig Miller
In reply to this post by jtgreene
Not to my knowledge. My point is, whenever you have these allowances, you make the customer prove to the auditors that you are not using them.

Auditors love these kinds of things, because it gives them something to poke into.  More billable hours ;-)

Andy

----- Original Message -----

> From: "Jason Greene" <[hidden email]>
> To: "Brian Stansberry" <[hidden email]>
> Cc: [hidden email]
> Sent: Wednesday, October 10, 2012 1:22:32 PM
> Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script?
>
> As someone mentioned earlier RHEL lets you set a bad password (if you
> agree to it). Is there a special compliance distro of RHEL?

Re: Relaxing password requirements for add-user script?

jtgreene
Administrator
Ah, I see.

On Oct 10, 2012, at 2:29 PM, Andrig Miller <[hidden email]> wrote:

> Not to my knowledge. My point is, whenever you have these allowances, you make the customer prove to the auditors that you are not using them.
>
> Auditors love these kinds of things, because it gives them something to poke into.  More billable hours ;-)
>
> Andy

Re: Relaxing password requirements for add-user script?

Darran Lofthouse
In reply to this post by Andrig Miller
Hi Andy,

It may be missing at the moment, but this complexity check was supposed
to have a modifiable policy file that the administrator could update to
specify the rules they really want. How would any auditors consider that?

To me, modifying a policy to weaken it is a deliberate act by an
administrator; that same administrator also has the capability to
reconfigure the server to use BASIC authentication or store the
passwords in plain text instead of pre-hashed.

However, the --force option does feel too easy for someone to use and
then forget they forced through a weak password just to get their
production server online.

Regards,
Darran Lofthouse.


On 10/10/2012 08:29 PM, Andrig Miller wrote:

> Not to my knowledge. My point is, whenever you have these allowances, you make the customer prove to the auditors that you are not using them.
>
> Auditors love these kinds of things, because it gives them something to poke into.  More billable hours ;-)
>
> Andy

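Darran's modifiable policy file, combined with Stuart's point that the tool should state its requirements before prompting, as one added example (a Python sketch written for this thread, not the add-user tool's own Java code): the properties-style policy text, its keys and the failure messages are assumptions.

```python
"""Policy-driven password check with the requirements stated up front.

Added example for this thread, not the add-user tool's own code. The
properties-style policy text and its keys are assumptions.
"""
import string

# Constructed default policy in java.util.Properties style (keys are assumptions).
DEFAULT_POLICY_TEXT = """
# Rules the add-user style tool enforces; an administrator edits this file.
min.length=8
require.upper=true
require.lower=true
require.digit=true
require.special=true
"""

# Constructed relaxed policy a developer might drop in for a local test box.
RELAXED_POLICY_TEXT = """
min.length=4
require.upper=false
require.lower=true
require.digit=false
require.special=false
"""

# Each character-class rule maps to the human-readable requirement it expresses
# and the predicate that decides whether a single character satisfies it.
CHARACTER_CLASSES = {
    "require.upper": ("an upper-case letter", str.isupper),
    "require.lower": ("a lower-case letter", str.islower),
    "require.digit": ("a digit", str.isdigit),
    "require.special": ("a special character", lambda c: c in string.punctuation),
}


def parse_policy(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        policy[key.strip()] = value.strip()
    return policy


def _enabled(policy, key):
    # Rules default to enabled unless the policy file switches them off.
    return policy.get(key, "true").lower() == "true"


def describe_policy(policy):
    """Requirements to show before prompting, so no trial and error is needed."""
    lines = ["at least %s characters" % policy.get("min.length", "8")]
    lines += [label for key, (label, _) in CHARACTER_CLASSES.items() if _enabled(policy, key)]
    return lines


def check_password(password, policy):
    """Return every rule the password fails, each mapped to a message; [] means accepted."""
    failures = []
    min_length = int(policy.get("min.length", "8"))
    if len(password) < min_length:
        failures.append("too few characters: %d required, got %d" % (min_length, len(password)))
    for key, (label, predicate) in CHARACTER_CLASSES.items():
        if _enabled(policy, key) and not any(predicate(c) for c in password):
            failures.append("must contain %s" % label)
    return failures


if __name__ == "__main__":
    policy = parse_policy(DEFAULT_POLICY_TEXT)
    print("Password must have:", "; ".join(describe_policy(policy)))
    for candidate in ("test", "test12345", "Test1234!"):
        print(candidate, "->", check_password(candidate, policy) or "accepted")
```

Weakening the policy is then a visible edit to one file that an auditor can review, rather than a --force flag used once and forgotten.
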
Re: Relaxing password requirements for add-user script?

Andrig Miller


----- Original Message -----

> From: "Darran Lofthouse" <[hidden email]>
> To: "Andrig Miller" <[hidden email]>
> Cc: "Jason Greene" <[hidden email]>, [hidden email]
> Sent: Thursday, October 11, 2012 3:01:57 AM
> Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script?
>
> Hi Andy,
>
> It may be missing at the moment but this complexity check was
> supposed
> to have a modifiable policy file that the administrator could update
> to
> specify the rules they really want.  How would any auditors consider
> that?
>

That, in my opinion, would be fine. The only issue would be how you protect that policy file from being tampered with, but this is true of all configuration.

> To me the modifying of a policy to weaken it is a deliberate act by
> an
> administrator, that same administrator also has the capability to
> reconfigure the server to use BASIC authentication or store the
> passwords in plain text instead of pre-hashed.
>
> However the --force option does feel too easy for someone to use and
> then forget they forced through a weak password just to get their
> production server online.
>

Agreed.

Andy

> Regards,
> Darran Lofthouse.

Re: Relaxing password requirements for add-user script?

Anil Saldhana
Darran,
   I have been thinking about the properties file strategy.  I support
your thinking. But I want to put forward some thoughts:

From the LinkedIn password fiasco, the general industry philosophy is
that passwords that are just hashed are prone to dictionary/brute force
attacks, irrespective of how strong the password is. There is a
necessity to introduce a salt per password.
Introduction of a salt per password is just going to make the usability
aspects challenging with the properties file strategy.

We should consider the PicketLink IDM work for storing passwords. The
password management becomes a responsibility of the IDM framework.
Discussion on this framework is happening in the security-dev mailing list.

Regards,
Anil

On 10/11/2012 09:09 AM, Andrig Miller wrote:

>
> ----- Original Message -----
>> From: "Darran Lofthouse" <[hidden email]>
>> To: "Andrig Miller" <[hidden email]>
>> Cc: "Jason Greene" <[hidden email]>, [hidden email]
>> Sent: Thursday, October 11, 2012 3:01:57 AM
>> Subject: Re: [jboss-as7-dev] Relaxing password requirements for add-user script?
>>
>> Hi Andy,
>>
>> It may be missing at the moment but this complexity check was
>> supposed
>> to have a modifiable policy file that the administrator could update
>> to
>> specify the rules they really want.  How would any auditors consider
>> that?
>>
> That, in my opinion, would be fine.  The only issue would be how you protect that policy file from being tampered with, but this is true of all configuration.
>
>> To me the modifying of a policy to weaken it is a deliberate act by
>> an
>> administrator, that same administrator also has the capability to
>> reconfigure the server to use BASIC authentication or store the
>> passwords in plain text instead of pre-hashed.
>>
>> However the --force option does feel too easy for someone to use and
>> then forget they forced through a weak password just to get their
>> production server online.
>>
> Agreed.
>
> Andy
>
>> Regards,
>> Darran Lofthouse.
>>
>>
>> On 10/10/2012 08:29 PM, Andrig Miller wrote:
>>> Not to my knowledge.  My point is, whenever you have these
>>> allowances, you make the customer have to prove to the auditors
>>> that you are not using them.
>>>
>>> Auditors love these kinds of things, because it gives them
>>> something to poke into.  More billable hours ;-)
>>>
>>> Andy
>>>
>>> ----- Original Message -----
>>>> From: "Jason Greene" <[hidden email]>
>>>> To: "Brian Stansberry" <[hidden email]>
>>>> Cc: [hidden email]
>>>> Sent: Wednesday, October 10, 2012 1:22:32 PM
>>>> Subject: Re: [jboss-as7-dev] Relaxing password requirements for
>>>> add-user script?
>>>>
>>>> As someone mentioned earlier RHEL lets you set a bad password (if
>>>> you
>>>> agree to it). Is there a special compliance distro of RHEL?
>>>> On Oct 10, 2012, at 12:45 PM, Brian Stansberry
>>>> <[hidden email]> wrote:
>>>>
>>>>> Interesting. This enforcing of password rules is new in AS
>>>>> master;
>>>>> AFAIK
>>>>> we've never had this kind of thing before.
>>>>>
>>>>> On 10/10/12 12:19 PM, Andrig Miller wrote:
>>>>>> We might run afoul of PCI and SOX requirements for customers
>>>>>> with
>>>>>> that kind of option.
>>>>>>
>>>>>> Personally, I think just having some text that says the password
>>>>>> requirements when you create a user, to make it more usable is
>>>>>> what we should do, and not relax the requirements.
>>>>>>
>>>>>> Andy
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Jason Greene" <[hidden email]>
>>>>>>> To: "Darran Lofthouse" <[hidden email]>
>>>>>>> Cc: [hidden email]
>>>>>>> Sent: Wednesday, October 10, 2012 7:46:54 AM
>>>>>>> Subject: Re: [jboss-as7-dev] Relaxing password requirements for
>>>>>>> add-user script?
>>>>>>>
>>>>>>> Maybe we should allow a --force option, which bypasses that
>>>>>>> stuff?
>>>>>>>
>>>>>>> On Oct 10, 2012, at 4:49 AM, Darran Lofthouse
>>>>>>> <[hidden email]> wrote:
>>>>>>>
>>>>>>>> Agreed, a prompt would help so a feature request would be
>>>>>>>> welcome.
>>>>>>>>
>>>>>>>> This will be an interesting contributor task I think as we
>>>>>>>> would
>>>>>>>> need to
>>>>>>>> be mapping between the configured policy and appropriate log
>>>>>>>> messages.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Darran Lofthouse.
>>>>>>>>
>>>>>>>>

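Two points from the thread, as an added example that is not the JBoss AS7 add-user code and uses no PicketLink API: Stuart's and Darran's point that the policy should be stated before the prompt and every unmet rule reported (instead of being discovered by trial and error), with relaxation done through an editable policy rather than a forgettable --force; and Anil's point that an unsalted hash is the same for every user who picks the same password, while a per-user salt (here with PBKDF2) makes each stored record distinct. The properties-file layout, the class and function names, and the iteration count are all assumptions.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not the JBoss AS7 add-user implementation. All class,
# function and field names are assumptions made for illustration.


@dataclass
class PasswordPolicy:
    """The rules an administrator would edit in a policy file."""
    min_length: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True

    def describe(self) -> str:
        """Rules as text, to show before the password prompt, not after a failure."""
        parts = [f"at least {self.min_length} characters"]
        if self.require_upper:
            parts.append("an upper-case letter")
        if self.require_lower:
            parts.append("a lower-case letter")
        if self.require_digit:
            parts.append("a digit")
        if self.require_special:
            parts.append("a special character")
        return "Password must contain " + ", ".join(parts) + "."

    def violations(self, password: str) -> List[str]:
        """Every unmet rule at once, so the user is not told one at a time."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"too few characters (minimum {self.min_length})")
        if self.require_upper and not re.search(r"[A-Z]", password):
            problems.append("missing an upper-case letter")
        if self.require_lower and not re.search(r"[a-z]", password):
            problems.append("missing a lower-case letter")
        if self.require_digit and not re.search(r"[0-9]", password):
            problems.append("missing a digit")
        if self.require_special and not re.search(r"[^A-Za-z0-9]", password):
            problems.append("missing a special character")
        return problems


def development_policy() -> PasswordPolicy:
    """Relaxing the rules is an explicit, reviewable policy change, not a
    per-invocation --force that is easy to forget on a production server."""
    return PasswordPolicy(min_length=4, require_upper=False, require_lower=False,
                          require_digit=False, require_special=False)


ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune per deployment


def unsalted_digest(password: str) -> str:
    """The weak scheme the thread warns about: equal passwords give equal
    digests, so one precomputed dictionary covers every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Random per-user salt plus a slow KDF; the record is self-describing."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant time


def add_user(store: Dict[str, str], username: str, password: str,
             policy: PasswordPolicy) -> List[str]:
    """Returns the policy violations; an empty list means the user was stored."""
    problems = policy.violations(password)
    if not problems:
        store[username] = hash_password(password)
    return problems


def dump_properties(store: Dict[str, str]) -> str:
    """Serialise as user=record lines, one per user."""
    return "".join(f"{user}={record}\n" for user, record in store.items())


def parse_properties(text: str) -> Dict[str, str]:
    store: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, record = line.partition("=")
            store[user] = record
    return store


if __name__ == "__main__":
    strict = PasswordPolicy()
    print(strict.describe())
    print("test ->", add_user({}, "alice", "test", strict))
    users: Dict[str, str] = {}
    add_user(users, "alice", "Str0ng!pass", strict)
    add_user(users, "bob", "Str0ng!pass", strict)
    print(dump_properties(users), end="")  # same password, two different records
```

Running the block prints the policy text, the four reasons "test" is rejected under the strict policy, and two records for alice and bob that differ although the password is identical; `unsalted_digest` would return the same string for both, which is the property Anil's message is about. The usability cost he mentions is visible in the record: the salt and work factor have to travel with each entry, so the file is no longer a simple user=hash list that can be edited by hand.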
Re: Relaxing password requirements for add-user script?

Darran Lofthouse
Hello Anil,

Yes I agree as well.  For AS7/8 we definitely need more of an IDM based
approach for security so not only are we secured by default but it is
fully manageable by default.

From an out-of-the-box perspective, using either the CLI or the Admin
console it should be possible to manage the user accounts, including
maximising the security of the password storage.  However, this does
bring with it the need to be lightweight without adding overhead to
the AS processes (for the default configuration at least).

Regards,
Darran Lofthouse.


On 10/15/2012 02:35 PM, Anil Saldhana wrote:

> Darran,
>     I have been thinking about the properties file strategy.  I support
> your thinking. But I want to put forward some thoughts:
>
> From the LinkedIn password fiasco, the general industry philosophy is
> that passwords that are just hashed are prone to dictionary/brute force
> attacks, irrespective of how strong the password is. There is a
> necessity to introduce a salt per password.
> Introduction of a salt per password is just going to make the usability
> aspects challenging with the properties file strategy.
>
> We should consider the PicketLink IDM work for storing passwords. The
> password management becomes a responsibility of the IDM framework.
> Discussion on this framework is happening in the security-dev mailing list.
>
> Regards,
> Anil