[openstack-dev] [openstack][keystone] Is the user password too simple?
gabriel.pettier at cloudwatt.com
Mon Dec 30 15:36:06 UTC 2013
On Mon, Dec 30, 2013 at 11:15:06PM +0800, Thomas Goirand wrote:
> On 12/30/2013 02:55 PM, li-zheming wrote:
> > Hi all:
> > When creating a user, you can set the user password. You can set the password
> > as a simple word 'a'. The
> > password is too simple but not limited. If someone wants to steal your
> > password, it is so easy (such as by exhaustion).
> > I consider that it must be limited when setting the password, like this:
> > 1. include upper and lower letters
> > 2. include nums
> > 3. include particular symbols, such as '_', '&'
> > 4. the length>8
> > The administrator can set the password rule.
> If you want to check for password complexity, do it the correct way. I'm
> used to *always* using a password generator that uses only lower case, and
> removes chars that can be confused with one another, so that you don't
> have l and 1, or O and 0 in my passwords. Yet, they are high entropy and
> long. If you just force me to add upper+lower case and add symbols, then
> you are just annoying me even with my very good passwords.
> > I want to provide a BP about this issue. Can you give me some advice
> > or ideas?
> Please use a password entropy function. Something like this:
I agree with this. If there is a check, it should check general safety,
rather than expect to fulfill all conditions. If I have a 50-letter
pass (and I do, using full sentences is quite convenient), don't force
me to have numbers or symbols in it; it's already way harder to crack
than an 8-char word with a capital, a number, and a non-alphanumerical
Software Engineer at CloudWatt.com
06 85 10 36 34
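
As an added example (not code from this thread or from Keystone), the sketch below contrasts the four composition rules proposed above with a length-times-alphabet entropy bound of the kind the replies ask for. The 64-bit threshold, the function names and the sample passwords are assumptions constructed for illustration.

```python
import math
import string

MIN_BITS = 64.0  # hypothetical threshold; the thread does not name one

# Character pools an exhaustive search would have to cover.
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation + " ")

def charset_size(password):
    """Size of the alphabet implied by the character classes in use."""
    size = sum(len(pool) for pool in POOLS if any(c in pool for c in password))
    # Characters outside the ASCII pools (accented letters etc.) count once each.
    extra = {c for c in password if not any(c in pool for pool in POOLS)}
    return size + len(extra)

def brute_force_bits(password):
    """Upper bound in bits: length * log2(alphabet size).

    Assumes every character is chosen independently and uniformly, which
    natural-language sentences do not satisfy, so treat it as a ceiling.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))

def passes_composition_rules(password):
    """The four rules proposed in the thread."""
    return (len(password) > 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

def passes_entropy_check(password, min_bits=MIN_BITS):
    return brute_force_bits(password) >= min_bits

# Constructed sample passwords, not taken from any real system.
SAMPLES = [
    "a",                                                   # the thread's example
    "Passw0rd_",                                           # satisfies all four rules
    "kqzvhwmxprtdgyncbfjs",                                # 20 lowercase, no l/1/O/0
    "correct horse battery staple is a full sentence ok",  # 50-character sentence
]

def compare(samples=SAMPLES):
    """Return (password, bits, composition_ok, entropy_ok) for each sample."""
    return [(p, round(brute_force_bits(p), 1),
             passes_composition_rules(p), passes_entropy_check(p))
            for p in samples]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The bound says nothing about dictionary words or reused passwords, so it is only one input to a real policy.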