
[cobalt-security] RaQ needs to be more picky about passwords
Suggestion for Sun Developers...
A lot of RaQ admins allow users to create additional accounts and
passwords on their own via the personal control panel.  I've noticed
people are using really simple words for passwords and changing my
complicated ones to simple ones at the risk of my machine's security.
Such words can be found on their own websites making it an easy hack.
The RaQ should have a javascript that nags the user if they enter a
password that doesn't contain at least one number or capital letter or
funny character or matches the user name (or both). This would greatly
increase security on non-supervised account creation or on password
changes.

I'm sure it would be easy to place one of those in the add user screen.  If I
feel gutsy enough, I may add one to my gui next week but I think all
cobalt users could benefit from such an idea if sun included it in their
next update.  

Here's a sample script that would check to make sure the user has used
at least one upper, lower and number in their password.  You could
change that 3rd && statement to a ||, so they have an option between
at least one letter in caps OR one number somewhere in the password. But
using && is a little more strict and secure so they have to use both.

function checkPassword (strng) {
 var error = "";
 if (strng == "") {
  error = "You didn't enter a password.\n";
 }
 var illegalChars = /[\W_]/; // allow only letters and numbers
 if ((strng.length < 6) || (strng.length > 8)) {
  error = "The password must be between 6 and 8 characters.\n";
 }
 else if (illegalChars.test(strng)) {
  error = "The password contains illegal characters.\n";
 }
 // .test() gives true/false; the earlier .search() version returned a
 // position (0 is falsy) or -1 (truthy), so the && check misfired, and
 // (a-z) was a group of three literal characters, not a character class
 else if (!(/[a-z]/.test(strng)
  && /[A-Z]/.test(strng)
  && /[0-9]/.test(strng))) {
  error = "The password must contain at least one " +
   "uppercase letter, one lowercase letter, and one numeral.\n";
 }
 return error; // empty string means the password passed every check
}
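
Here is an added example (my own code, not the script above or anything
shipped with the RaQ) that implements the rules described earlier: the
strict flag picks the "&&" version (capital AND number) or the "||"
version (any one of capital, number or funny character), it flags a
password that matches or contains the user name, and it warns when the
password runs past the 8 characters the RaQ actually keeps.  The names
passwordProblems and passwordMessage are my own; the 6-character minimum
is taken from the sample script.

```javascript
// Added example, not from the original post. passwordProblems() is a
// name of my own; strict=true is the "&&" policy, strict=false the "||".
function passwordProblems(password, username, strict) {
  var problems = [];
  if (password === "") {
    return ["no password entered"];
  }
  if (password.length < 6) {
    problems.push("shorter than 6 characters");
  }
  if (password.length > 8) {
    // the RaQ silently drops everything after the 8th character
    problems.push("longer than 8 characters; the RaQ keeps only the first 8");
  }
  var hasUpper = /[A-Z]/.test(password);
  var hasLower = /[a-z]/.test(password);
  var hasDigit = /[0-9]/.test(password);
  var hasFunny = /[^A-Za-z0-9]/.test(password);
  if (!hasLower) {
    problems.push("needs a lowercase letter");
  }
  if (strict) {
    if (!hasUpper) {
      problems.push("needs an uppercase letter");
    }
    if (!hasDigit) {
      problems.push("needs a number");
    }
  } else if (!(hasUpper || hasDigit || hasFunny)) {
    problems.push("needs an uppercase letter, a number or a symbol");
  }
  // case-insensitive so "Johnny12" is still caught for user johnny
  if (username && password.toLowerCase().indexOf(username.toLowerCase()) !== -1) {
    problems.push("contains the user name");
  }
  return problems; // empty array means the password passed
}

// what the add-user screen could show (constructed wording)
function passwordMessage(password, username, strict) {
  var problems = passwordProblems(password, username, strict);
  if (problems.length === 0) {
    return "OK";
  }
  return "Please pick another password: " + problems.join("; ") + ".";
}
```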

Comments?  Suggestions? Scripts?
I await your replies.

P.S. Why doesn't the RaQ allow more than 8 characters in passwords?  It
ignores anything past 8 that you enter.  My root password ended up being
half the size.