[Openstack-security] [Bug 1461822] Re: Lack of password complexity verification in Keystone

Liusheng liusheng at huawei.com
Fri Jun 5 02:45:39 UTC 2015


Hi Lance Bragstad, thanks for confirming this, so can I submit a spec
about adding a mechanism about password complexity? that will propose a
optional password managing process and will wait other reviewers'
opinions.

** Changed in: keystone
     Assignee: (unassigned) => Liusheng (liusheng)

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1461822

Title:
  Lack of password complexity verification in Keystone

Status in OpenStack Identity (Keystone):
  Triaged

Bug description:
  Currently, we can specified an arbitrary string as password when
  creating a user (or updating user's password) by keystone. In normally
  use cases, the user's password shouldn't be weak, because it may cause
  potential security issues.

  Keystone should add a mechanism to perform password complexity
  verification, and to fit different scenarios, this mechanism can be
  enabled or disabled by config option. The checking rules should follow
  the industry general standard.

  There is a similar situation about instance's password in Nova, see
  bug[1] and mail thread[2].

  [1] https://bugs.launchpad.net/nova/+bug/1461431
  [2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/065600.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1461822/+subscriptions




More information about the Openstack-security mailing list