[Openstack-security] [Bug 1461433] Re: Automatically generated admin password is not complex enough
Markus Zoeller
mzoeller at de.ibm.com
Wed Jun 3 15:39:52 UTC 2015
** Tags added: documentation security
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1461433
Title:
Automatically generated admin password is not complex enough
Status in OpenStack Compute (Nova):
New
Status in OpenStack Security Advisories:
Incomplete
Bug description:
When performing actions such as creating instances, evacuating
instances, rebuilding instances, rescuing instances and updating
instances' admin password, if the user does not provide an admin
password, generate_password() in utils.py is used to generate one.
generate_password() now uses two password symbol groups: default and
easier. The default symbol group contains numbers, upper case letters
and small case letters. The easier symbol group contains only numbers
and upper case letters. The generated password is not complex enough
and can cause security problems.
One possible solution is to add a new symbol group,
STRONGER_PASSWORD_SYMBOLS, which contains numbers, upper case letters,
lower case letters and also special characters such as
`~!@#$%^&*()-_=+ and space. Then add a new option in the configuration
file: generate_strong_password = True. When this option is set, nova
will generate the password using the STRONGER_PASSWORD_SYMBOLS symbol
group and with a longer password length. If this option is not set, the
password will be generated using the default symbol group and default
length.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1461433/+subscriptions
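
The symbol-group scheme described in the bug report, as an added example (not Nova's code and not part of the original message): it draws from the OS CSPRNG, guarantees one character per group, and estimates entropy so the effect of a larger symbol set can be compared with the effect of a longer password. The group contents are built from the report's wording and the lengths are assumptions.

```python
import math
import secrets
import string

# Symbol groups built from the bug description (assumed contents,
# not Nova's actual constants).
EASIER = (string.digits, string.ascii_uppercase)
DEFAULT = (string.digits, string.ascii_uppercase, string.ascii_lowercase)
STRONGER = DEFAULT + ("`~!@#$%^&*()-_=+ ",)


def generate_password(length, symbolgroups):
    """Return a password holding at least one symbol from every group."""
    if length < len(symbolgroups):
        raise ValueError("length too short to cover every symbol group")
    rng = secrets.SystemRandom()  # OS CSPRNG, not the Mersenne Twister
    # One guaranteed character per group, then fill from the full alphabet.
    chars = [rng.choice(group) for group in symbolgroups]
    alphabet = "".join(symbolgroups)
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)  # hide which positions held the guaranteed symbols
    return "".join(chars)


def entropy_bits(length, symbolgroups):
    """Upper bound on entropy: length * log2(alphabet size)."""
    return length * math.log2(len(set("".join(symbolgroups))))


if __name__ == "__main__":
    # Lengths below are illustrative assumptions.
    for name, groups, length in (("easier", EASIER, 12),
                                 ("default", DEFAULT, 12),
                                 ("stronger", STRONGER, 12),
                                 ("stronger", STRONGER, 20)):
        bits = entropy_bits(length, groups)
        print(f"{name:8} len={length:2} ~{bits:5.1f} bits "
              f"{generate_password(length, groups)!r}")
```

At a fixed length of 12 the larger symbol set adds only a few bits per password; the longer length contributes most of the gain. Passwords from the stronger group can begin or end with a space, which matters wherever the value is trimmed or pasted.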