[openstack-dev] [nova][security] Enable user password complexity verification

郑振宇 zheng.zhenyu at outlook.com
Wed Jun 3 09:48:10 UTC 2015

Hi All,
The current OpenStack does not provide user password complexity verification option.
When performing actions such as create instances, evacuate instances, rebuild instances, rescue instances and update instances' admin password. The complexity of user provided admin password has not been verified. This can cause security problems. 
One solution will be adding a configuration option: using_complex_admin_password = True, if this option is set in configure file by administrator, then Nova will perform password complexity checks, the check standards can be set to following the IT industry general standard, if the provided admin password is not complex enough, an exception will be throw. If this option is not set in configure file, then the complexity check will be skipped.
When the user dose not provide admin password, generate_password() in utils.py is used to generate an admin password. Generate_password() now uses two password symbol groups: default and easier, the default symbol group contains numbers, upper case letters and small case letters. the easier symbol group contains only numbers and upper case letters. The generated password is not complex enough and can also cause security problems.
One possible solution is to add a new symbol group: STRONGER_PASSWORD_SYMBOLS which contains numbers, upper case letters, lower case letters and also special characters such as `~!@#$%^&*()-_=+ and space. Then adding a new option in configuration file: generate_strong_password = True, when this option is set, nova will generate password using STRONGER_PASSWORD_SYMBOLS symbol group and with longer password length. If this option is not set, the password will be generated using the default symbol group and default length.
AWS allows the selection of password policy to configure which kind of password complexity is used in the cloud. Please see:http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html
And about the standard of complexity, Microsoft also have an advise about it, please see:https://technet.microsoft.com/en-us/library/hh994562%28v=ws.10%29.aspx
Thanks,BR,Zhenyu Zheng 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150603/7adcf3e5/attachment.html>

More information about the OpenStack-dev mailing list