Marking as WONTFIX because we are actively trying not to build a full IdP solution into Keystone.

** Changed in: keystone
       Status: Triaged => Won't Fix

--
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1461822

Title:
  Lack of password complexity verification in Keystone

Status in Keystone:
  Won't Fix

Bug description:
  Currently, we can specify an arbitrary string as the password when creating a user (or updating a user's password) by keystone. In normal use cases, the user's password shouldn't be weak, because it may cause potential security issues.

  Keystone should add a mechanism to perform password complexity verification, and to fit different scenarios, this mechanism can be enabled or disabled by a config option. The checking rules should follow the industry general standard.

  There is a similar situation about the instance's password in Nova, see bug [1] and mail thread [2].

  [1] https://bugs.launchpad.net/nova/+bug/1461431
  [2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/065600.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1461822/+subscriptions