[BlueOnyx:09318] Re: Password Enforcement
Chris Gebhardt - VIRTBIZ Internet
cobaltfacts at virtbiz.com
Thu Jan 5 09:14:31 -05 2012
Hi Chris,
Chris Comley wrote:
> It’s getting very annoying trying to create user passwords which don’t
> get sent back for being “too short” or “based on a dictionary word” when
> they are no such thing. The result is very stupid passwords which are
> inherently insecure as the user will have to keep them written down.
I understand that sometimes users will get perturbed at having to come
up with a strong password that the system will understand and they will
remember. After all, people tend to be lazy and shoot for the path of
least resistance. Having been in this business since 1996 and in
"Management, Information Systems" (remember, before it was "IT"?) before
that, believe me, I get it.
However, with a little coaxing we've found that users can be pushed to
be a little creative here and there. Throw in some numbers or symbols
that look kind of like letters, experiment with spellings, think about
combinations of digits that will help with recall... that sort of thing.
Yes, as you mention the worst case would be the insecurity of a user
writing down their password and keeping it on a sticky-note on their
desk, or in their top drawer, rolodex, what have you. However, if I
compare that insecurity with the risk of a password getting compromised
by a botnet on a brute-force spree then I'd rather go with the risk of
having someone rifle through my desk for my email account password.
> Is there any way to amend the policy, or to just turn it off??
BlueOnyx uses the version of cracklib and its associated libraries that
is distributed by the upstream publisher (Redhat). I'm not sure what
the process of editing / modifying that might be, but it isn't likely to
be pretty.
There was a bit of discussion about this last year when someone asked
about just disabling or removing it. The thread starts here:
http://mail.blueonyx.it/pipermail/blueonyx/2011-April/006851.html
To skip the discussion and head straight to the punchline, this post by
Michael Stauber says (and I'm paraphrasing greatly here): It's not a
good idea. BlueOnyx won't support it. It might be possible to modify,
but you're going to have to edit a TON of BlueOnyx's code to make it
work, and even then you may well break something, or cause something to
break in the future. In other words: Bad idea.
Here is the actual post with Michael's actual words:
http://mail.blueonyx.it/pipermail/blueonyx/2011-April/006870.html
My advice: talk to / work with your users. Get them to wrap their heads
around the concept. Once they understand the "why", they tend to be
more understanding about implementing.
--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
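For readers wondering why a password they consider "creative" still comes back as "too short" or "based on a dictionary word", the following added example (not BlueOnyx's code and not cracklib itself) sketches the kind of checks a cracklib-style policy performs: a minimum length, and a dictionary match that is tried against the lower-cased password, a look-alike-substitution-reversed form, both with leading/trailing digits and punctuation stripped, and the reverse of each. The eight-character minimum, the substitution table and the tiny word list are all constructed for the demo; the real cracklib uses a compiled system dictionary and a larger set of mangling rules.

```python
"""Toy approximation of cracklib-style password checks.

Added illustration only; this is NOT BlueOnyx or cracklib code. The minimum
length, the substitution table and the word list below are constructed
assumptions for the demo, not cracklib's real configuration.
"""
import string
from typing import Optional, Set

MIN_LENGTH = 8  # assumption for the demo; distros ship different defaults

# Constructed sample dictionary (cracklib uses a compiled system word list).
DICTIONARY: Set[str] = {
    "password", "welcome", "letmein", "virtbiz", "blueonyx", "summer",
}

# Look-alike substitutions, so that "p@ssw0rd" maps back to "password".
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t",
})

_EDGE_NOISE = string.digits + string.punctuation


def word_forms(candidate: str) -> Set[str]:
    """All the variants of a candidate that are compared against the dictionary."""
    base = candidate.lower()
    forms = {base, base.translate(LEET_MAP)}
    # Digits or punctuation tacked onto either end do not make a word new.
    forms |= {f.strip(_EDGE_NOISE) for f in list(forms)}
    # Spelling a word backwards does not help either.
    forms |= {f[::-1] for f in list(forms)}
    return forms


def check_password(candidate: str) -> Optional[str]:
    """Return the rejection reason, or None when the password is acceptable."""
    if len(candidate) < MIN_LENGTH:
        return "too short"
    if any(form in DICTIONARY for form in word_forms(candidate)):
        return "based on a dictionary word"
    return None


if __name__ == "__main__":
    # Constructed sample passwords, from weak to acceptable.
    for pw in ["pass", "P@ssw0rd", "drowssap1", "Welcome2012",
               "Blue0nyx!", "Correct-Horse-42"]:
        print(f"{pw!r:20} -> {check_password(pw) or 'OK'}")
```

Run as a script it prints each sample with its verdict. The point of the substitution and reversal forms is the one implied in the thread: swapping a zero for an "o" or adding a year on the end does not turn a dictionary word into a strong password, which is why such attempts are still rejected.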