Re: [Savannah-users] password must contain multiple character classes...
From: Ineiev
Subject: Re: [Savannah-users] password must contain multiple character classes...
Date: Thu, 02 May 2013 15:15:14 +0000
Hello,
It looks like the relevant files are
frontend.sv.gnu.org:/var/www/savane/frontend/php/include/init.php
frontend.sv.gnu.org:/var/www/savane/frontend/php/include/account.php
(the repository being GIT of
http://savannah.gnu.org/projects/savane-cleanup).
Currently it uses default pwqcheck options to check the passwords
(max=40, min=disabled,24,11,8,7), which means that the message
in account.php (account_password_help) ("not too short,
must contain multiple character classes...") is not exact: it may
contain two character classes if its length is 24 or more;
I think this uncertainty could be addressed if the help message
is modified like "long enough or containing multiple character
classes &c", with exact pwqcheck options displayed.
Now, I can see two specific suggestions about the checks in this
thread (a patch is attached):
(0) Allow single-class passwords if they are long enough.
NIST Electronic Authentication Guideline [0] suggests that
22 characters long user-chosen password composed from 10-character
alphabet has the same entropy as 7 characters long user-chosen
extensively checked password, so it must be safe to replace
"disabled" with "24".
(1) Allow longer passwords.
I think 256 bytes should be sufficient: even if 3-byte UTF-8
characters are used, it would be about 90 symbols, and it is hard
to expect that longer passwords may be useful.
[0] http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf
(Table A.1 on page 107)
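To make the two option strings concrete, here is an added example (not Savane code and not passwdqc's own implementation) that re-implements only the `max=` and `min=N0,N1,N2,N3,N4` rules as passwdqc.conf(5) describes them, so the default `max=40 min=disabled,24,11,8,7` and the proposed `max=256 min=24,24,11,8,7` can be compared on constructed sample passwords. Dictionary and similarity checks are left out, and the passphrase rule (N2) is simplified to "at least three whitespace-separated words", which assumes passwdqc's default `passphrase=3`.

```python
"""Emulate the length-versus-character-class part of a pwqcheck policy.

Added example, not code from Savane or from passwdqc: it re-implements
only the 'max=' and 'min=N0,N1,N2,N3,N4' rules as passwdqc.conf(5)
describes them.  Dictionary, similarity and word-quality checks are
left out; the passphrase rule (N2) is simplified to "at least 3
whitespace-separated words" (assumes passwdqc's default passphrase=3).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PASSPHRASE_WORDS = 3  # assumed default of passwdqc's passphrase=N option


@dataclass
class Policy:
    max_len: int
    # index k holds N_k; None stands for the keyword "disabled"
    min_len: List[Optional[int]]


def parse_pwqcheck_args(args: str) -> Policy:
    """Parse e.g. 'max=40 min=disabled,24,11,8,7'.

    Options not given fall back to the pwqcheck defaults quoted in the
    mail (max=40 min=disabled,24,11,8,7)."""
    max_len = 40
    min_len: List[Optional[int]] = [None, 24, 11, 8, 7]
    for token in args.split():
        key, _, value = token.partition("=")
        if key == "max":
            max_len = int(value)
        elif key == "min":
            parts = value.split(",")
            if len(parts) != 5:
                raise ValueError("min= takes exactly five values N0,...,N4")
            min_len = [None if p == "disabled" else int(p) for p in parts]
        else:
            raise ValueError(f"option not handled by this example: {key}")
    return Policy(max_len, min_len)


def count_classes(password: str) -> int:
    """Count character classes the way passwdqc.conf(5) describes.

    Classes: digits, lower-case, upper-case, other (non-ASCII counts as
    other).  An upper-case letter in first position and a digit in last
    position are not counted, since those placements are predictable."""
    classes = set()
    last = len(password) - 1
    for i, ch in enumerate(password):
        if ch in "0123456789":
            if i != last:
                classes.add("digit")
        elif "a" <= ch <= "z":
            classes.add("lower")
        elif "A" <= ch <= "Z":
            if i != 0:
                classes.add("upper")
        else:
            classes.add("other")
    return len(classes)


def check_password(password: str, args: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for `password` under pwqcheck options `args`."""
    policy = parse_pwqcheck_args(args)
    length = len(password)
    if length > policy.max_len:
        return False, f"longer than max={policy.max_len}"
    classes = count_classes(password)
    words = len(password.split())
    # Kinds N0..N4 the password qualifies for; the smallest applicable
    # minimum wins, because the N values are required to be non-increasing.
    qualifies = [
        classes >= 1,                                  # N0: single class
        classes >= 2,                                  # N1: two classes
        classes >= 2 and words >= PASSPHRASE_WORDS,    # N2: passphrase
        classes >= 3,                                  # N3: three classes
        classes >= 4,                                  # N4: four classes
    ]
    thresholds = [policy.min_len[k] for k in range(5)
                  if qualifies[k] and policy.min_len[k] is not None]
    if not thresholds:
        return False, f"passwords with {classes} class(es) are disabled"
    needed = min(thresholds)
    if length < needed:
        return False, f"{length} chars, needs {needed} for {classes} class(es)"
    return True, f"{length} chars with {classes} class(es) meets min={needed}"


DEFAULT_ARGS = "max=40 min=disabled,24,11,8,7"   # pwqcheck defaults, per the mail
PROPOSED_ARGS = "max=256 min=24,24,11,8,7"       # value set by the patch

if __name__ == "__main__":
    # Constructed sample passwords; none are real credentials.
    for pw in ["abcdefghijklmnopqrstuvwx", "Password1", "Tr0ub4dor&3",
               "correct horse battery staple", "x" * 90]:
        for name, args in (("default", DEFAULT_ARGS), ("proposed", PROPOSED_ARGS)):
            ok, why = check_password(pw, args)
            print(f"{name:8} {'accept' if ok else 'reject':6} {why}")
```

Running it shows the two effects the mail argues for: a 24-character single-class password is rejected outright under the defaults (N0 is `disabled`) but accepted under the proposal, and a 90-character password is rejected under `max=40` but accepted under `max=256`; a short password such as `Password1` counts as a single class under either setting because the leading capital and trailing digit are not credited.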
diff --git a/frontend/php/include/account.php b/frontend/php/include/account.php
index f81635f..e757500 100644
--- a/frontend/php/include/account.php
+++ b/frontend/php/include/account.php
@@ -24,11 +24,13 @@
require_once(dirname(__FILE__).'/pwqcheck.php');
function account_password_help() {
- global $use_pwqcheck;
- $help = _("(not too short, must contain multiple character classes: symbols,
digits (0-9), upper and lower case letters)");
+ global $use_pwqcheck, $pwqcheck_args;
+ $help = _("(long enough or containing multiple character classes: symbols,
digits (0-9), upper and lower case letters)");
if ($use_pwqcheck) {
$pwqgen = exec("pwqgen");
- $help .= " ".sprintf(_("(for instance: %s)"), htmlspecialchars($pwqgen));
+ $help .= " ".sprintf(_("(for instance: %s)."), htmlspecialchars($pwqgen));
+ $help .= " ".sprintf(_("pwqcheck options are: '%s'"),
+ htmlspecialchars($pwqcheck_args));
}
return $help;
}
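Review bot: with `$pwqcheck_args` left at the empty-string default that init.php carried before this patch, the new line `$help .= " ".sprintf(_("pwqcheck options are: '%s'"), htmlspecialchars($pwqcheck_args));` renders as `pwqcheck options are: ''`, which tells the user nothing; emit that sentence only when the variable is non-empty, or substitute a "defaults" wording for the empty case. The raw string is also pwqcheck syntax (`min=24,24,11,8,7`) that most account holders cannot read, so "long enough" in the new help text remains undefined for them; consider stating the concrete single-class minimum in words next to the option string.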
diff --git a/frontend/php/include/init.php b/frontend/php/include/init.php
index 7b17312..3e7ab80 100644
--- a/frontend/php/include/init.php
+++ b/frontend/php/include/init.php
@@ -88,9 +88,17 @@ $sys_debug_sqlprofiler = false;
// Do we have the pwqcheck(1) program from the passwdqc package?
$use_pwqcheck = TRUE;
// We can override the default password policy
-$pwqcheck_args = '';
-#$pwqcheck_args = 'config=/etc/passwdqc.conf';
-
+// max=40 is overridden because some users want longer passwords.
+// min=default,24,11,8,7 is overridden for N0 passwords
+// (the passwords consisting of characters from single class)
+// because NIST Electronic Authentification Gudeline
+// (Special Publication 800-63-1, Table A.1 on page 107
+// http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf)
+// suggests that user-chosen 7 characters long password passing extensive
+// checks has 27 bits of entropy, the same as 22 characters long
+// user-chosen password composed from 10-character alphabet with no checks
+// implied, so we can safely admit any 24 characters long passwords.
+$pwqcheck_args = 'max=256 min=24,24,11,8,7';
# autoconf-based:
require_once(dirname(__FILE__).'/ac_config.php');
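Review bot: the comment line `// min=default,24,11,8,7 is overridden for N0 passwords` names the default as `default`, whereas the mail itself quotes pwqcheck's default as `min=disabled,24,11,8,7`; use the real keyword so the comment matches the tool's documentation, and fix the spelling of the NIST title (`Authentification Gudeline` should read `Authentication Guideline`). Dropping the commented-out `#$pwqcheck_args = 'config=/etc/passwdqc.conf';` line removes the only hint that a config file can be used instead of inline options; keep it as a second commented example beside the new setting. Since `max=256` is a byte limit, confirm that the registration and password-change forms and whatever stores the hash accept 256-byte passwords, otherwise the new maximum is advertised in the help text but not honoured.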