
#51 Cracklib support for strong passwords

open-duplicate
nobody
Core (30)
5
2014-01-18
2009-04-11
Charles
No

I'd love to see support for the use of cracklib, where the Admin can define the password criteria on a per-domain basis, in a simple screen...

Min Length:
Duration:
# of Upper Case characters:
# of Lower Case characters:
# of Number characters:
# of Non-AlphaNumeric characters:
Illegal characters:

Hmmm... duration would also require Cron support I guess... and also the ability to send email notifications (similar to Quota notifications) so the user knows when they need to change it - maybe even with a link to a secure change password page so if they let it expire, they can still go change it without having to call support...

Discussion

  • GingerDog
    2009-04-18

    Is there anything else you'd like adding? :-)

    It seems a good idea - and there is http://pecl.php.net/package/crack which would help somewhat.

  • Charles
    2011-01-02

    I'd still like to see this happen, although I no longer have any interest in setting a duration, so no cron support would be required...

    • status: open --> closed-duplicate
  • It should be possible to fulfill your requirements with a set of RegExes; for example, "at least 2 uppercase characters" would be "/[A-Z].*[A-Z]/". Therefore I'm closing this as a duplicate of
    http://sourceforge.net/tracker/?func=detail&aid=1785513&group_id=191583&atid=937967

    The only exception is the duration / expiration date of passwords - but that's something I'm not planning to implement because it would be the only thing requiring a cron job.

    BTW, how would you enforce this? Disabling SMTP and POP3 logins is insane (and would even be possible without a cronjob - do it in SQL), and users won't care much if they only get a warning in PostfixAdmin. Besides activating vacation, most users never log in to PostfixAdmin.

    If you only want to send a "please change your password" mail, this can easily be done with an additional field for the expiration date and an external cron script. (I'd accept a patch and a script for ADDITIONS/, but won't do it myself.)

    Therefore closing as 90% duplicate and 10% wontfix ;-)

    If you don't agree, feel free to reopen.

    • Charles
      2014-01-18

      BTW, how would you enforce this? Disabling SMTP and POP3 logins is insane (and would even be possible without a cronjob - do it in SQL), and users won't care much if they only get a warning in PostfixAdmin. Besides activating vacation, most users never log in to PostfixAdmin.

      Enforcement would simply be by refusing to change the password.

      Again, I'm no longer interested in 'expiring' passwords, just preventing users from changing their initially assigned (and strong) passwords to something insecure.

  • Charles
    2011-08-24

    Well, a couple of thoughts...

    Using just the regexes doesn't provide the protection of testing the password for crackability like using cracklib.

    You could specify the regexes like you suggest, but the user could still create a fairly simple password that would be easy for a dictionary cracker to crack.

    I still think cracklib support would be good, as a final way to 'test' the password for complexity.

    But yes, the regexes get us part way there...
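The two approaches argued over in this thread, the maintainer's per-domain RegEx/count rules and the cracklib-style dictionary test Charles asks for, side by side as an added example. This is Python written for this page, not PostfixAdmin code (which is PHP and would call the PECL crack extension linked above) and not the cracklib library itself; the `Policy` fields mirror the screen sketched in the original request, and `WORDLIST` is a tiny constructed stand-in for cracklib's real dictionary. The point it shows is the one Charles makes: a password like `Password1!` satisfies every count rule and still falls to the dictionary check.

```python
"""Two-stage password check in the spirit of this ticket.

Stage 1 applies the per-domain rules the request asks the admin to configure
(min length, counts of character classes, illegal characters), which is what
the maintainer's RegEx suggestion covers.

Stage 2 is a small cracklib-style test: it rejects passwords that are a
dictionary word with trivial decoration (case, leading/trailing digits or
punctuation, leetspeak, reversal), plus the palindrome and
too-few-distinct-characters checks cracklib also performs.

Constructed example: neither PostfixAdmin code nor the cracklib library.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """Per-domain rules, mirroring the fields in the original request."""
    min_length: int = 10
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    illegal_chars: str = " \t"   # whitespace causes grief in SMTP AUTH tooling


DEFAULT_POLICY = Policy()

# Constructed stand-in for a cracklib dictionary (the real one holds hundreds
# of thousands of words and would be opened through the PECL crack extension).
WORDLIST = frozenset({"password", "letmein", "welcome", "postfix", "admin",
                      "dragon", "monkey", "qwerty", "sunshine"})

# Common character substitutions undone before the dictionary lookup.
LEET = str.maketrans("0134578@$!", "oleastbasi")


def policy_violations(pw: str, policy: Policy = DEFAULT_POLICY) -> list:
    """Stage 1: the configurable count rules. Returns a list of violations."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = [
        ("uppercase", r"[A-Z]", policy.min_upper),
        ("lowercase", r"[a-z]", policy.min_lower),
        ("digit", r"[0-9]", policy.min_digits),
        ("non-alphanumeric", r"[^A-Za-z0-9]", policy.min_special),
    ]
    for name, pattern, need in classes:
        have = len(re.findall(pattern, pw))
        if have < need:
            problems.append(f"needs at least {need} {name} character(s), has {have}")
    bad = sorted(set(pw) & set(policy.illegal_chars))
    if bad:
        problems.append(f"contains illegal character(s): {bad!r}")
    return problems


def _candidates(pw: str):
    """Normalised forms a dictionary attack would try first."""
    base = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)   # "password1!" -> "password"
    # dict.fromkeys keeps insertion order and drops duplicates
    for s in dict.fromkeys([base, core, base.translate(LEET), core.translate(LEET)]):
        yield s
        yield s[::-1]


def dictionary_problem(pw: str, words=WORDLIST) -> Optional[str]:
    """Stage 2: cracklib-style checks. Returns a reason, or None if it passes."""
    if len(set(pw)) < 4:
        return "too few distinct characters"
    if len(pw) > 1 and pw.lower() == pw.lower()[::-1]:
        return "is a palindrome"
    for cand in _candidates(pw):
        if len(cand) >= 4 and cand in words:
            return f"based on dictionary word {cand!r}"
    return None


def check_password(pw: str, policy: Policy = DEFAULT_POLICY, words=WORDLIST) -> list:
    """Run both stages; an empty list means the password is acceptable."""
    problems = policy_violations(pw, policy)
    reason = dictionary_problem(pw, words)
    if reason:
        problems.append(reason)
    return problems


if __name__ == "__main__":
    for candidate in ["Password1!", "P0stf!x#2014", "xq7#Vr2!Lm9p"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

`P0stf!x#2014` is the instructive case: twelve characters, mixed case, five digits and two symbols, so the count rules are all satisfied, yet undoing the leetspeak and stripping the trailing decoration leaves `postfix`, which any dictionary tuned to the deployment would contain. Stage 1 belongs in the password-change form as the thread proposes; stage 2 is the part that needs a real word list rather than more regexes.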

  • Charles
    2011-08-24

    • status: closed-duplicate --> open-duplicate
  • Charles
    2014-01-18

    Coming back to this because I'd still like to see proper support for cracklib, a library designed for precisely this purpose, and so as to not have to rely on fragile regexes.