
Re: [cobalt-security] RaQ needs to be more picky about passwords



"BobbyT" <silly@xxxxxxxxxx> wrote:
> The RaQ should have a javascript that nags the user if they enter a
> password that doesn't contain at least one number or capital letter or
> funny character or matches the user name (or both). This would greatly
> increase security on non-supervised account creation or on password
> changes.

I think it's a great idea to implement on your system if you can.  I usually
suggest that my clients consider enforcing strong passwords, but many of
them are reluctant.  Unfortunately many users prefer to be able to set
passwords as they see fit.  And though simple passwords are easy to crack,
they are also easy for the user to remember.  One has to balance security
with usability.

> Here's a sample script that would check to make sure the user has used
> at least one upper, lower and number in their password.

I think JS code like the code you included is a good step.  I doubt Sun will
ever force strong passwords, but it would be nice if the next generation GUI
had that as a server admin config option.  My guess is if they forced strong
passwords there would be many server admins who cry foul because they now
have to force their users to adapt to the system.  I prefer to run John the
Ripper to check for weak passwords.  Even if you don't enforce strong
passwords, using John the Ripper to find weak passwords isn't a bad idea.
Better to know how many users have weak passwords and who they are than to
have no idea at all.

http://www.openwall.com/john/

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
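Added example, not BobbyT's script (which the archive does not reproduce) and not Cobalt's code: a browser-side check implementing the rules discussed in the thread, at least one upper-case letter, lower-case letter, digit and symbol, and no match against the user name. The 8-character minimum and the "contains the user name" test are assumptions of this example.

```javascript
// Password-policy "nag" check of the kind discussed in the thread.
// A check like this only warns the user in the browser; the same rules
// have to be enforced again on the server, since client-side JavaScript
// can be skipped or edited by whoever submits the form.

const MIN_LENGTH = 8; // assumed minimum; the thread does not give a length

// Return an array of problems found with the password; empty means it passes.
function passwordProblems(password, username) {
  const problems = [];
  if (password.length < MIN_LENGTH) {
    problems.push(`shorter than ${MIN_LENGTH} characters`);
  }
  if (!/[A-Z]/.test(password)) problems.push("no uppercase letter");
  if (!/[a-z]/.test(password)) problems.push("no lowercase letter");
  if (!/[0-9]/.test(password)) problems.push("no digit");
  if (!/[^A-Za-z0-9]/.test(password)) problems.push("no punctuation or symbol");

  // User-name test (case-insensitive). Exact match is always rejected;
  // containment (forwards or reversed) is only checked for names of 3+
  // characters so that a one-letter login does not reject every password.
  if (username) {
    const u = username.toLowerCase();
    const p = password.toLowerCase();
    const reversed = u.split("").reverse().join("");
    const contained = u.length >= 3 && (p.includes(u) || p.includes(reversed));
    if (p === u || contained) problems.push("contains the user name");
  }
  return problems;
}

function isStrongPassword(password, username) {
  return passwordProblems(password, username).length === 0;
}

// Message to show next to the form field; empty string means no nag.
function nagMessage(password, username) {
  const problems = passwordProblems(password, username);
  return problems.length === 0 ? "" : "Weak password: " + problems.join(", ") + ".";
}
```

Wire `nagMessage` to the password field's change event and block the form submit while it returns a non-empty string.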