[BlueOnyx:09319] Re: Password Enforcement
rodrigo ordonez
rodrigo at xnet.mx
Thu Jan 5 09:43:11 -05 2012
I think creating the user with the command line tools will avoid cracklib
Hth
Rodrigo o
xnet BlackBerry® email service
-----Original Message-----
From: Chris Gebhardt - VIRTBIZ Internet <cobaltfacts at virtbiz.com>
Sender: blueonyx-bounces at mail.blueonyx.it
Date: Thu, 05 Jan 2012 08:14:31
To: BlueOnyx General Mailing List<blueonyx at mail.blueonyx.it>
Reply-To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
Subject: [BlueOnyx:09318] Re: Password Enforcement
Hi Chris,
Chris Comley wrote:
> It’s getting very annoying trying to create user passwords which don’t
> get sent back for being “too short” or “based on a dictionary word” when
> they are no such thing. The result is very stupid passwords which are
> inherently insecure as the user will have to keep them written down.
I understand that sometimes users will get perturbed at having to come
up with a strong password that the system will understand and they will
remember. After all, people tend to be lazy and shoot for the path of
least resistance. Having been in this business since 1996 and in
"Management, Information Systems" (remember before it was "IT?") before
that, believe me, I get it.
However, with a little coaxing we've found that users can be pushed to
be a little creative here and there. Throw in some numbers or symbols
that look kind of like letters, experiment with spellings, think about
combinations of digits that will help with recall... that sort of thing.
Yes, as you mention the worst case would be the insecurity of a user
writing down their password and keeping it on a sticky-note on their
desk, or in their top drawer, rolodex, what have you. However, if I
compare that insecurity with the risk of a password getting compromised
by a botnet on a brute-force spree then I'd rather go with the risk of
having someone rifle through my desk for my email account password.
> Is there any way to amend the policy, or to just turn it off??
BlueOnyx uses the version of cracklib and its associated libraries that
is distributed by the upstream publisher (Redhat). I'm not sure what
the process of editing / modifying that might be, but it isn't likely to
be pretty.
There was a bit of discussion about this last year when someone asked
about just disabling or removing it. The thread starts here:
http://mail.blueonyx.it/pipermail/blueonyx/2011-April/006851.html
To skip the discussion and head straight to the punchline, this post by
Michael Stauber says (and I'm paraphrasing greatly here): It's not a
good idea. BlueOnyx won't support it. It might be possible to modify,
but you're going to have to edit a TON of BlueOnyx's code to make it
work, and even then you may well break something, or cause something to
break in the future. In other words: Bad idea.
Here is the actual post with Michael's actual words:
http://mail.blueonyx.it/pipermail/blueonyx/2011-April/006870.html
My advice: talk to / work with your users. Get them to wrap their heads
around the concept. Once they understand the "why", they tend to be
more understanding about implementing.
--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
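To show why a validator of this kind returns "too short" or "based on a dictionary word", here is an added, simplified model of cracklib-style checks (not BlueOnyx's or cracklib's own code); it assumes a minimum length of 8 and a tiny constructed word list, and real cracklib applies many more mangling rules against the full system dictionary.

```python
from typing import Optional

# Assumed policy value for this example; the real minimum comes from the
# system's PAM / cracklib configuration, not from this constant.
MIN_LENGTH = 8

# Constructed stand-in for the system dictionary that cracklib consults.
WORDLIST = {"password", "welcome", "letmein", "dragon", "monkey", "qwerty"}

# Look-alike substitutions that a dictionary check undoes before comparing,
# so "Dr4g0n" is still recognised as "dragon".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

STRIP_CHARS = "0123456789!@#$%^&*()-_=+.,"


def normalize(candidate: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols, undo substitutions."""
    return candidate.lower().strip(STRIP_CHARS).translate(LEET)


def check_password(candidate: str) -> Optional[str]:
    """Return a rejection reason, or None if the candidate passes every check."""
    if len(candidate) < MIN_LENGTH:
        return "it is too short"
    base = normalize(candidate)
    # Plain or reversed dictionary words, with decoration stripped, are rejected.
    if base in WORDLIST or base[::-1] in WORDLIST:
        return "it is based on a dictionary word"
    # Nothing left after stripping means the candidate was only digits/symbols.
    if not base:
        return "it is too simplistic/systematic"
    # Heavy repetition of a few characters is also rejected.
    if len(set(candidate)) < 4:
        return "it does not contain enough DIFFERENT characters"
    return None


if __name__ == "__main__":
    for pw in ["dragon", "Dr4g0n!!", "n0g4rD99", "aaaa1111", "Kryptonite!7"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```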