Open Stack

Public bug reported:

Currently, we can specified an arbitrary string as password when
creating a user (or updating user's password) by keystone. In normally
use cases, the user's password shouldn't be weak, because it may cause
potential security issues.

Keystone should add a mechanism to perform password complexity
verification, and to fit different scenarios, this mechanism can be
enabled or disabled by config option. The checking rules should follow
the industry general standard.

There is a similar situation about instance's password in Nova, see
bug[1] and mail thread[2].

[1] https://bugs.launchpad.net/nova/+bug/1461431
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/065600.html

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: security

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1461822

Title:
  Lack of password complexity verification in Keystone

Status in OpenStack Identity (Keystone):
  New

Bug description:
  Currently, we can specified an arbitrary string as password when
  creating a user (or updating user's password) by keystone. In normally
  use cases, the user's password shouldn't be weak, because it may cause
  potential security issues.

  Keystone should add a mechanism to perform password complexity
  verification, and to fit different scenarios, this mechanism can be
  enabled or disabled by config option. The checking rules should follow
  the industry general standard.

  There is a similar situation about instance's password in Nova, see
  bug[1] and mail thread[2].

  [1] https://bugs.launchpad.net/nova/+bug/1461431
  [2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/065600.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1461822/+subscriptions