
Add setting for minimal password length [CORE5156] #5439

Open
firebird-automations opened this issue Mar 18, 2016 · 8 comments

Comments

@firebird-automations
Collaborator

Submitted by: @pavel-zotov

Attachments:
userman.py.7z

Votes: 1

Currently one may change the password of an existing user to an empty string ( '' ); an example can be seen in the attached Python script.
It would be useful to have a configurable setting that prevents such changes and also requires a minimal number of different characters in the password (in order to exclude trivial cases like 'aaaaa', 'qwe', etc.).
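
As an added illustration of the checks requested in this report (example code written for this page, not Firebird's code or the attached userman.py; the thresholds are constructed assumptions, not Firebird settings), a stand-alone Python policy check that rejects an empty password, enforces a minimal length and a minimal number of distinct characters, and also flags a password that is just a short block repeated:

```python
# Added example, not Firebird code: a password policy check of the kind the
# report asks for. The default limits are constructed, not Firebird settings.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8            # minimal total length; an empty string fails this
    min_distinct_chars: int = 4    # rejects 'aaaaa'-style passwords
    reject_repeated_pattern: bool = True  # rejects e.g. 'abcdabcd', 'xyxyxyxy'


def smallest_period(s: str) -> int:
    """Length of the shortest block whose repetition forms s (len(s) if none).

    s has a period p < len(s) exactly when s occurs in (s + s) at an offset
    strictly between 0 and len(s); the first such offset is the period.
    """
    if not s:
        return 0
    return (s + s).find(s, 1)  # equals len(s) when s has no shorter period


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.

    Messages deliberately do not echo the password itself, so they can be
    logged or returned to a client without leaking the secret.
    """
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} is below the minimum of {policy.min_length}")
    distinct = len(set(password))
    if distinct < policy.min_distinct_chars:
        problems.append(f"only {distinct} distinct character(s), minimum is {policy.min_distinct_chars}")
    if policy.reject_repeated_pattern and password:
        period = smallest_period(password)
        if period < len(password):
            problems.append(f"password is a {period}-character block repeated {len(password) // period} times")
    return problems


if __name__ == "__main__":
    # Constructed candidates, including the trivial cases named in the report.
    for candidate in ["", "aaaaa", "qwe", "abcdabcd", "correct horse battery"]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```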

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

priority: Major [ 3 ] => Minor [ 4 ]

@firebird-automations
Collaborator Author

Modified by: @pavel-zotov

Attachment: userman.py.7z [ 12923 ]

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-automations
Collaborator Author

Commented by: @aafemt

As we have a plugin-based security now, this option should be in plugin's config, IMHO.

@firebird-automations
Collaborator Author

Commented by: @AlexPeshkoff

Or it may be enforced for all plugins.

@firebird-automations
Collaborator Author

Commented by: @sim1984

This improvement should affect not only the length of the password. It is necessary to define some security policies that cover other properties such as password complexity, password expiration, etc.

@firebird-automations
Collaborator Author

Modified by: @AlexPeshkoff

Fix Version: 4.1 Initial [ 10961 ]

@firebird-automations
Collaborator Author

Commented by: @mrotteveel

I'm not sure if adding rules for password complexity makes sense. The general consensus in the security community is that complexity rules make passwords actually less complex and less secure, not more, because they reduce the keyspace and cause users to create more predictable passwords. The same goes for password expiration rules: they cause users to select easier-to-guess passwords based on their previous password. And although setting a minimum password length is a good idea, abusing such a feature to force users to create a very long password also leads to less secure passwords (e.g. because the password is actually a shorter password repeated twice, or uses a predictable pattern).
