[openstack-dev] [openstack][keystone] Is the user password too simple?

Morgan Fainberg m at metacloud.com
Thu Jan 2 05:00:37 UTC 2014


That is fine for some cases but we provide non-ldap backends, and a
read/write backend. If we continue to provide a keystone specific idp
(likely we need to), these features are a must-have in the long run.  Just
my view (and requests from real customers). It's all well and good to
recommend ldap and handle all that logic in the IDP,  but many use-cases
don't allow for that configuration.  I think providing partial or "toy"
implementations is suboptimal from a product completeness standpoint / user
and deployer experience.


On Wednesday, January 1, 2014, li-zheming wrote:

> hi Thomas:
>      thank you for your suggestion. I agree with you. cracklib is useful
> to check
> password.  I only give a example to set password, not force use this rule.
> I think password scheme should be more discussion.
>      I refer to linux password  policy. The Linux password rule is
> configurable.
> like this:
>       PASS_MAX_DAYS   99999
>       PASS_MIN_DAYS   0
>       PASS_MIN_LEN 5
>       PASS_WARN_AGE   7
> this is general rule. if you want to set a strength password, you can
> use pam_cracklib module.
>        so we can also config password policy. someone who don't need
> a strength password, they can set general rule in keystone.conf.
> someone who need strength password, they can load cracklib(or others)
> and check password, and password rule can be set by administor.
> this is only my idea,  can you give me more suggestion?thanks!
> --lizheming
>  在2013年12月30 23时15分,"Thomas Goirand"<zigo at debian.org <javascript:_e({},
> 'cvml', 'zigo at debian.org');>>写道:
> On 12/30/2013 02:55 PM, li-zheming wrote:
> > hi all:
> >       when create user, you can set user password. You can set password
> > as a simple word 'a'. the
> > password is too simple but not limit. if someone want to steal your
> > password, it is so easily(such as exhaustion).
> > I consider that it must be limited when set password, like this:
> >       1. inlcude uppper and lower letters
> >       2. include nums
> >       3. include particular symbol,such as  '_','&'
> >       4. the length>8
> > administor can set the password rule.
> Hi,
> If you want to check for password complexity, do it the correct way. I'm
> used to *always* use a password generator that uses only lower case, and
> removes chars that can be confused with one another, so that you don't
> have l and 1, or O and 0 in my passwords. Yet, they are high entropy and
> long. If you just force me to add upper+lower case and add symbols, then
> you are just annoying me even with my very good passwords.
> > I want to  provide a BP about  this issue. can you give me some advice
> > or ideas??
> Please use a password entropy function. Something like this:
> https://pypi.python.org/pypi/cracklib
> Thomas
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org <javascript:_e({}, 'cvml',
> 'OpenStack-dev at lists.openstack.org');>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140101/edce0144/attachment.html>

More information about the OpenStack-dev mailing list