
Re: [Health-dev] Script to generate / update Tryton master password agai


From: Chris
Subject: Re: [Health-dev] Script to generate / update Tryton master password against cracklib
Date: Thu, 30 Oct 2014 15:50:54 -0700
User-agent: Mutt/1.5.23 (2014-03-12)

Hey!

On 10/29/14, Luis Falcon wrote:
> Hi team
> 
> I have created a basic Python script ("serverpass.py") that allows one to
> generate or update the Tryton master password, and validate it against
> cracklib[1].
> 
> The goal is to harden the security, as well as to facilitate its
> generation without editing manually the configuration file.
> 
> It's done for GNU Health. Starting GNU Health 2.8, it will be called in
> the standard installation program (gnuhealth_install.sh), but it is
> also a stand-alone program, to update the password.
> 
> You can check the latest version at the GNU Health Mercurial
> repository[2], in the default branch, browsing under
> "tryton/scripts/security" directory.
> 
> I hope it can be useful to general Tryton installations, so I'm copying
> it to tryton-contrib list. It's just starting, so expect
> bugs, back up your configuration file, and don't use it in production
> environments yet :)
> 
> Next should be checking for bad passwords at user level.
> 
> Suggestions are most welcome. 

I think it's a good start. Another angle is a blacklist of disallowed
passwords and roots. Dictionary attacks are powerful. Add some brute
force limiting, and that's probably good enough until we add something
more. (e.g., two-factor, etc.) I'll have to cross that bridge on the
FHIR server eventually, too.

-C
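
One way to implement the blacklist of disallowed passwords and roots suggested in the reply above, as an added example (not part of the original thread and not the serverpass.py code). The root list, the substitution table, the minimum length and the function names are constructed assumptions; a deployment would load its own list and run this alongside the cracklib check.

```python
import re

# Constructed sample roots: product names, defaults and common weak words.
# Keep roots at five letters or more to limit substring false positives.
BLACKLIST_ROOTS = {"password", "tryton", "gnuhealth", "admin", "letmein", "qwerty"}

# Common character substitutions undone before matching (a simplification:
# "1" is treated as "i" only, although it is also used for "l").
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 10  # assumed policy value


def candidate_forms(password):
    """Return the letter-only forms of a password that are matched against roots."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]", "", lowered)                    # digits and symbols dropped
    unleet = re.sub(r"[^a-z]", "", lowered.translate(UNLEET))    # substitutions undone
    # Reversed spellings are checked too, since "nimda" is as guessable as "admin".
    return {stripped, unleet, stripped[::-1], unleet[::-1]}


def check_password(password, roots=BLACKLIST_ROOTS, min_length=MIN_LENGTH):
    """Return a list of rejection reasons; an empty list means the password passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    forms = candidate_forms(password)
    for root in sorted(roots):
        if any(root in form for form in forms):
            reasons.append("contains disallowed root: " + root)
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("P@ssw0rd2014!", "Tryton!1", "nimda-nimda-99", "violet-harbor-cactus-42"):
        print(sample, "->", check_password(sample) or "accepted")
```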


