[openstack-dev] [openstack][keystone] Is the user password too simple?

Gabriel pettier gabriel.pettier at cloudwatt.com
Mon Dec 30 15:36:06 UTC 2013

On Mon, Dec 30, 2013 at 11:15:06PM +0800, Thomas Goirand wrote:
> On 12/30/2013 02:55 PM, li-zheming wrote:
> > hi all:
> >       when create user, you can set user password. You can set password
> > as a simple word 'a'. the
> > password is too simple but not limit. if someone want to steal your
> > password, it is so easily(such as exhaustion).
> > I consider that it must be limited when set password, like this:
> >       1. inlcude uppper and lower letters
> >       2. include nums
> >       3. include particular symbol,such as  '_','&'
> >       4. the length>8
> > administor can set the password rule.
> Hi,
> If you want to check for password complexity, do it the correct way. I'm
> used to *always* use a password generator that uses only lower case, and
> removes chars that can be confused with one another, so that you don't
> have l and 1, or O and 0 in my passwords. Yet, they are high entropy and
> long. If you just force me to add upper+lower case and add symbols, then
> you are just annoying me even with my very good passwords.
> > I want to  provide a BP about  this issue. can you give me some advice
> > or ideas??
> Please use a password entropy function. Something like this:
> https://pypi.python.org/pypi/cracklib
> Thomas
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

I agree with this, if there is a check, it should check general safety, 
rather than expect to fulfill all conditions, if i have a 50 letters
pass (and i do, using full sentences is quite convenient), don't force 
me to have numbers or symbols in it, it's already way harder to crack 
than an 8 chars word with a capital, a number, and a non-alphanumerical 

Gabriel Pettier
Software Engineer at CloudWatt.com 
06 85 10 36 34

More information about the OpenStack-dev mailing list