Re: [mod-security-users] Enforce password complexity regex
From: <chr...@po...> - 2009-02-13 07:24:23
Hey guys,

I am sure you would all do great in a perl golf contest. However, I believe you are all misleading a newbie user. Of course it is possible to apply these rules and thus enforce a strong password via ModSecurity. But is it smart?

Enforcing the password policy via ModSecurity is bad. The code handling the password update process should take care of that. That code is hopefully configurable, it's the point where an operator would look for the definition and it is likely it can be updated without reloading the apache.

Johann Peeters had a talk about this problem and how you end up messing up your architecture with these techniques.

"Input validation: the Good, the Bad and the Ugly"
http://www.owasp.org/images/4/4c/AppSecEU08-JohanPeeters.pdf

Use ModSecurity to defend against attacks (-> limit the password to a sane maximum length and the characters you are willing to accept). But please do not tell a newbie to construct a raging ruleset he won't understand without lengthy comments.

Regs,

Christian

P.S. Lookahead is no problem if your regex library supports it. It's very useful in whitelisting setups.

--
Christian Folini, IT 222 Webserver Security Engineer
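The defensive use Christian recommends, as an added example that is not part of the original thread: ModSecurity 2.x rules that only cap the submitted password's length and byte range and leave the complexity policy to the application. The form path `/account/password`, the field name `password` and the rule ids are assumptions.

```apache
# Added example (not from the original post): bound the change-password
# request to a sane maximum length and byte range with ModSecurity 2.x, and
# leave the actual complexity rules to the application code. Assumed: the
# form posts to /account/password with a field named "password"; rule ids
# are arbitrary and must be unique within your configuration.

<LocationMatch "^/account/password">
    # Reject a password longer than 128 bytes. t:length replaces the value
    # with its byte length so @gt can compare it numerically.
    SecRule ARGS_POST:password "@gt 128" "id:1001,phase:2,t:none,t:length,deny,status:400,log,msg:'Password parameter exceeds 128 bytes'"

    # Accept only printable ASCII (0x20-0x7e). @validateByteRange matches when
    # any byte falls outside the listed range, so a plain deny is correct here.
    SecRule ARGS_POST:password "@validateByteRange 32-126" "id:1002,phase:2,t:none,deny,status:400,log,msg:'Password parameter contains bytes outside printable ASCII'"
</LocationMatch>
```

Both rules run in phase 2 (request body), so they need SecRequestBodyAccess On to see the POST parameter.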