From: Vincent D. <de...@fr...> - 2007-05-04 07:01:18
Hi all,

It is not the password that is the weak point of the authentication method (yes, you can add constraints on the password but...). I mean, you just need to present a cookie (MANTIS_COOKIE_STRING) with a "good" value to authenticate, and you can try and try a lot of values without any problem (try 3 passwords and the account is locked, try 3 cookie values and you can continue...). So maybe it is necessary to blacklist (for a while) the IP or send an email to the administrator when 3 different cookie values have been presented.

Vincent

> Hi Leandro,
>
> At the moment Mantis doesn't enforce any password strength criteria.
> However, I believe it would be a good idea if we can eventually add a
> hook for that. This way there can be implementations that do such
> checks, like:
>
> 1. Password Length
> 2. Contains upper case, lower case, symbols, numbers kind of policy.
> 3. Different from login name kind of policy
> 4. Not dictionary based
>
> Please report a feature request in the bug tracker for this and
> include above text. Thanks.
>
> Any code contributions are welcome.
>
> On 5/3/07, Leandro <lla...@ya...> wrote:
>>
>>
>> How can I set minimum password length?
>>
>> Regards.
>> Leandro.

--
Mantis Plugin: <http://deboutv.free.fr/mantis/>
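The throttle proposed in the message above (blacklist the IP for a while and notify the administrator once 3 different cookie values have been presented), sketched as an added example; it is not part of the original thread or of Mantis. The class and function names, the 10-minute counting window, the 15-minute block and the sample events are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

class CookieGuessThrottle:
    """Blacklist an IP for a while after N distinct invalid cookie values."""

    def __init__(self, max_distinct=3, window=600, block_for=900):
        self.max_distinct = max_distinct  # distinct bad values tolerated
        self.window = window              # seconds over which they are counted (assumed)
        self.block_for = block_for        # seconds the IP stays blacklisted (assumed)
        self._seen = defaultdict(dict)    # ip -> {cookie digest: last seen}
        self._blocked_until = {}          # ip -> time the block expires

    def is_blocked(self, ip, now):
        return self._blocked_until.get(ip, 0) > now

    def record_invalid(self, ip, cookie_value, now):
        """Count a failed cookie; True means the IP was just blacklisted (notify admin)."""
        # Store a digest only, so presented values are not kept verbatim.
        digest = hashlib.sha256(cookie_value.encode()).hexdigest()
        seen = self._seen[ip]
        seen[digest] = now
        # Drop values that have aged out of the counting window.
        for old in [d for d, t in seen.items() if now - t > self.window]:
            del seen[old]
        if len(seen) < self.max_distinct:
            return False
        self._blocked_until[ip] = now + self.block_for
        del self._seen[ip]
        return True

# Constructed sample: (unix time, client IP, cookie value that failed validation)
SAMPLE_EVENTS = [
    (1000, "192.0.2.10", "aaaa"),
    (1005, "192.0.2.10", "aaaa"),    # same value resent: not a new value
    (1010, "198.51.100.7", "zzzz"),  # different client, counted separately
    (1020, "192.0.2.10", "bbbb"),
    (1030, "192.0.2.10", "cccc"),    # third distinct value from this IP
    (1040, "192.0.2.10", "dddd"),    # arrives while blacklisted
]

def decide(throttle, ts, ip, cookie):
    """Decision for one request whose cookie failed validation."""
    if throttle.is_blocked(ip, ts):
        return "rejected"
    return "blocked+notify" if throttle.record_invalid(ip, cookie, ts) else "invalid"

def replay(events, throttle):
    return [decide(throttle, *event) for event in events]
```

Counting per IP groups every user behind the same NAT or proxy, so the threshold and block duration need tuning against real traffic.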