Feature Requests item #2752992, was opened at 2009-04-11 09:24
Message generated for change (Comment added) made by libertytrek
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=937967&aid=2752992&group_id=191583
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Core
Group: None
Status: Closed
Resolution: Duplicate
Priority: 5
Private: No
Submitted By: Charles (libertytrek)
Assigned to: Nobody/Anonymous (nobody)
Summary: Cracklib support for strong passwords
Initial Comment:
I'd love to see support for the use of cracklib, where the Admin can define the password criteria on a per-domain basis, in a simple screen...
Min Length:
Duration:
# of Upper Case characters:
# of Lower Case characters:
# of Number characters:
# of Non-AlphaNumeric characters:
Illegal characters:
Hmmm... duration would also require Cron support I guess... and also the ability to send email notifications (similar to Quota notifications) so the user knows when they need to change it - maybe even with a link to a secure change password page so if they let it expire, they can still go change it without having to call support...
----------------------------------------------------------------------
Comment By: Charles (libertytrek)
Date: 2011-08-24 08:18
Message:
Well, a couple of thoughts...
Using just the regexes doesn't provide the protection of testing the
password for crackability like using cracklib.
You could specify the regexes like you suggest, but the user could still
create a fairly simple password that would be easy for a dictionary cracker
to crack.
I still think cracklib support would be good, as a final way to 'test' the
password for complexity.
But yes, the regexes get us part way there...
----------------------------------------------------------------------
Comment By: Christian Boltz (christian_boltz)
Date: 2011-08-23 19:28
Message:
Your requirements should be possible to fulfill with a set of RegExes, for
example "at least 2 uppercase characters" would be "/[A-Z].*[A-Z]/".
Therefore I'm closing this as duplicate of
http://sourceforge.net/tracker/?func=detail&aid=1785513&group_id=191583&atid=937967
The only exception is the duration / expiration date of passwords - but
that's something I'm not planning to implement because it would be the only
thing requiring a cron job.
BTW, how would you enforce this? Disabling SMTP and POP3 logins is insane
(and would even be possible without a cronjob - do it in SQL), and users
won't care much if they only get a warning in PostfixAdmin. Besides
activating vacation, most users never log in to PostfixAdmin.
If you only want to send a "please change your password" mail, this can
easily be done with an additional field for the expiration date and an
external cron script. (I'd accept a patch and a script for ADDITIONS/, but
won't do it myself.)
Therefore closing as 90% duplicate and 10% wontfix ;-)
If you don't agree, feel free to reopen.
----------------------------------------------------------------------
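The difference discussed in the two comments above, as an added example that is not part of the tracker thread or of PostfixAdmin: regex composition rules accept passwords that a dictionary-based check still rejects. The rule thresholds, the small word list and all function names are assumptions for illustration, and the dictionary check is a simplified stand-in that does not call cracklib.

```python
import re

# Composition rules written as regexes, in the style suggested in the thread.
# The thresholds are assumed values for illustration.
COMPOSITION_RULES = {
    "min length 8": r".{8,}",
    "2 uppercase": r"[A-Z].*[A-Z]",
    "2 lowercase": r"[a-z].*[a-z]",
    "1 digit": r"[0-9]",
    "1 non-alphanumeric": r"[^A-Za-z0-9]",
}

# Constructed stand-in for a cracking dictionary (cracklib ships a real one).
SAMPLE_DICTIONARY = {"password", "welcome", "postmaster", "letmein", "qwerty"}

# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans("4@301!5$7", "aaeoiisst")


def composition_failures(password):
    """Return the names of the regex rules the password does not satisfy."""
    return [name for name, pattern in COMPOSITION_RULES.items()
            if not re.search(pattern, password)]


def dictionary_hit(password, dictionary=SAMPLE_DICTIONARY):
    """Return the dictionary word the password is derived from, or None."""
    lowered = password.lower()
    # Strip padding such as a trailing "1!" or "2011" that users append.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    candidates = [lowered, core, core.translate(LEET), lowered.translate(LEET)]
    candidates += [c[::-1] for c in candidates]  # reversed words
    for candidate in candidates:
        if candidate in dictionary:
            return candidate
    return None


def evaluate(password):
    """Combine both checks; an empty list means the password is accepted."""
    problems = composition_failures(password)
    word = dictionary_hit(password)
    if word:
        problems.append(f"derived from dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    for pw in ["PassWord1!", "P@SSw0rd1!", "vR7#kuQz!m2x"]:  # constructed samples
        print(f"{pw!r}: regex failures={composition_failures(pw)}, "
              f"combined={evaluate(pw)}")
```

The first two sample passwords satisfy every regex rule and are rejected only by the dictionary step; the third passes both.
----------------------------------------------------------------------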
Comment By: Charles (libertytrek)
Date: 2011-01-02 17:23
Message:
I'd still like to see this happen, although I no longer have any interest
in setting a duration, so no cron support would be required...
----------------------------------------------------------------------
Comment By: GingerDog (gingerdog)
Date: 2009-04-18 02:59
Message:
Is there anything else you'd like adding? :-)
It seems a good idea - and there is http://pecl.php.net/package/crack
which would help somewhat.
----------------------------------------------------------------------