[openstack-dev] [openstack][keystone] Is the user password too simple?

li-zheming li-zheming at 163.com
Thu Jan 2 03:22:56 UTC 2014

hi Thomas:
     thank you for your suggestion. I agree with you. cracklib is useful to check
passwords.  I only gave an example of setting a password, not forcing use of this rule.
I think the password scheme needs more discussion.
     I refer to the Linux password policy. The Linux password rule is configurable,
like this:
      PASS_MAX_DAYS   99999
      PASS_MIN_DAYS   0
      PASS_MIN_LEN 5
      PASS_WARN_AGE   7
This is the general rule. If you want to set a strong password, you can
use the pam_cracklib module.
       So we can also configure the password policy. Someone who doesn't need
a strong password can set the general rule in keystone.conf.
Someone who needs a strong password can load cracklib (or others)
to check the password, and the password rule can be set by the administrator.
This is only my idea; can you give me more suggestions? thanks!


On Dec 30, 2013 at 23:15, "Thomas Goirand" <zigo at debian.org> wrote:

On 12/30/2013 02:55 PM, li-zheming wrote:
> hi all:
>       when creating a user, you can set the user password. You can set the password
> as a simple word 'a'. The
> password is too simple but not limited. If someone wants to steal your
> password, it is so easy (such as by exhaustion).
> I consider that it must be limited when setting a password, like this:
>       1. include upper and lower case letters
>       2. include numbers
>       3. include particular symbols, such as '_', '&'
>       4. the length > 8
> The administrator can set the password rule.


If you want to check for password complexity, do it the correct way. I'm
used to *always* using a password generator that uses only lower case, and
removes chars that can be confused with one another, so that you don't
have l and 1, or O and 0 in my passwords. Yet, they are high entropy and
long. If you just force me to add upper+lower case and add symbols, then
you are just annoying me even with my very good passwords.

> I want to provide a BP about this issue. Can you give me some advice
> or ideas?

Please use a password entropy function. Something like this:


OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
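The two positions in this thread (a configurable policy in the style of /etc/login.defs, and Thomas's request for an entropy check rather than mandatory character classes) can be combined in a single checker. The following is an added example written for this page, not Keystone code; the `[password_policy]`-style option names, the tiny common-password set standing in for cracklib's dictionary, and the sample passwords are all assumptions made up here.

```python
"""Added example (not Keystone code): a configurable password policy that
scores entropy instead of mandating character classes."""
import math
import string

# Policy knobs in the spirit of /etc/login.defs, as they might appear in a
# hypothetical [password_policy] section of keystone.conf (assumed names).
DEFAULT_POLICY = {
    "pass_min_len": 8,         # like PASS_MIN_LEN
    "min_entropy_bits": 40.0,  # strength floor; 0 disables the check
    "require_classes": 0,      # of lower/upper/digit/symbol; 0 = none forced
}

# Constructed stand-in for a cracklib-style dictionary; a real deployment
# would call cracklib (or similar) here instead.
COMMON_PASSWORDS = {"password", "openstack", "qwerty", "12345678"}

CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)


def classes_used(password):
    """Return the character classes (as sets) present in the password."""
    return [cls for cls in CLASSES if any(c in cls for c in password)]


def entropy_bits(password):
    """Estimate strength as len * log2(alphabet size).

    This credits a password as if every character were drawn uniformly
    from the union of the classes it uses, so it is an upper bound:
    'password' scores ~37.6 bits yet is trivially guessable.  That is why
    the dictionary check in check_password() is applied as well.
    """
    pool = sum(len(cls) for cls in classes_used(password))
    # Characters outside the four ASCII classes (e.g. non-ASCII) widen the pool.
    extra = {c for c in password if not any(c in cls for cls in CLASSES)}
    pool += len(extra)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_password(password, policy=None):
    """Return (accepted, list_of_failure_reasons) for the given policy."""
    policy = {**DEFAULT_POLICY, **(policy or {})}
    reasons = []
    if len(password) < policy["pass_min_len"]:
        reasons.append("shorter than pass_min_len=%d" % policy["pass_min_len"])
    bits = entropy_bits(password)
    if bits < policy["min_entropy_bits"]:
        reasons.append("%.1f bits of entropy, need %.1f"
                       % (bits, policy["min_entropy_bits"]))
    n = len(classes_used(password))
    if n < policy["require_classes"]:
        reasons.append("uses %d character classes, need %d"
                       % (n, policy["require_classes"]))
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("matches a common-password dictionary entry")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed samples: the 'a' from the thread, a dictionary word, a
    # long lower-case-only generator output, and a short "complex" one.
    for pw in ("a", "password", "vxkqmbtrwzhnpgcd", "Pa55w0rd_"):
        ok, why = check_password(pw)
        print("%-18s %5.1f bits  %s" % (pw, entropy_bits(pw),
                                         "ok" if ok else "; ".join(why)))
    # The same long lower-case password fails only when classes are forced,
    # which is exactly the annoyance Thomas describes.
    print(check_password("vxkqmbtrwzhnpgcd", {"require_classes": 3}))
```

With the default policy the 16-character lower-case password passes on entropy alone (about 75 bits), while `a` and `password` are rejected; setting `require_classes` to 3 rejects the strong lower-case password for no security gain. The entropy estimate is deliberately an upper bound, so it must be paired with a dictionary check (cracklib in practice), as the thread already suggests.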