Re: [mantisbt-dev] [mantisbt-help] How can I set minimum password length ?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi all,

It is not the password the weak point of the authentication method (yes,
you can add constraints on password but...). I mean, you just need to
present a cookie (MANTIS_COOKIE_STRING) with a "good" value to
authenticate and you can try and try a lot of values wihtout any problem
(try 3 password and the account is locked, try 3 cookie values and you can
continue...).
So maybe it is necessary to blacklist (for a while) the IP or send an
email to the administrator when 3 different cookie values have been
presented.

Vincent

> Hi Leandro,
>
> At the moment Mantis doesn't enforce any password strength criteria.
> However, I believe it would be a good idea if we can eventually add a
> hook for that.  This way there can be implementations that does such
> check like:
>
> 1. Password Length
> 2. Contains upper case, lower case, symbols, numbers kind of policy.
> 3. Different from login name kind of policy
> 4. Not dictionary based
>
> Please report a feature request in the bug tracker for this and
> include above text.  Thanks.
>
> Any code contributions are welcome.
>
> On 5/3/07, Leandro <lla...@ya...> wrote:
>>
>>
>> How can I set minimum password length ?
>>
>> Regards.
>> Leandro.

-- 
Mantis Plugin: <http://deboutv.free.fr/mantis/>