[Openstack-security] [Bug 1461822] Re: Lack of password complexity verification in Keystone
David Stanek
dstanek at dstanek.com
Sun Jun 7 16:26:17 UTC 2015
Liusheng,
Feel free to write a spec, but I don't think you'll get much support at
this point. Do you know if there is a user-driven demand?
An existing blueprint from last year:
https://blueprints.launchpad.net/keystone/+spec/strong-password-enforcement
A related blueprint that I worked on, but it mostly got stopped because
the consensus was not to add IdP features since we don't want Keystone
to be an IdP:
https://blueprints.launchpad.net/keystone/+spec/password-rotation
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1461822
Title:
Lack of password complexity verification in Keystone
Status in OpenStack Identity (Keystone):
Triaged
Bug description:
Currently, we can specify an arbitrary string as password when
creating a user (or updating a user's password) by keystone. In normal
use cases, the user's password shouldn't be weak, because it may cause
potential security issues.
Keystone should add a mechanism to perform password complexity
verification, and to fit different scenarios, this mechanism can be
enabled or disabled by config option. The checking rules should follow
the industry general standard.
There is a similar situation about instance's password in Nova, see
bug[1] and mail thread[2].
[1] https://bugs.launchpad.net/nova/+bug/1461431
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/065600.html