Date: Fri, 27 Oct 2017 14:38:47 +0200 From: Solar Designer <solar@...nwall.com> To: passwords@...ts.openwall.com Subject: Re: Real world password policies On Fri, Oct 27, 2017 at 01:17:41PM +0200, e@...tmx.net wrote: > SKYPE: your password can not contain your e-mail username. > my email username contains A SINGLE LETTER, > and this letter is "e"!!! > i can barely create a password without "e" > > can anyone ever get stupider than microsoft? Red Hat managed to match that - the exact same problem occurs on RHEL7 and Fedora: https://twitter.com/solardiz/status/792169468575289344 "1-char username, long password. RHEL7 pam_pwquality says "BAD PASSWORD: The password contains the user name in some form". I say BAD RHEL7." (and follow-ups in that tweet thread). A way to keep this sort of checks sane is to exclude the problematic substring(s), such as the username, when testing the remainder of the password string against the policy. That's what passwdqc does, and it also disregards too-short substrings from this treatment. passwdqc was included in Red Hat's repositories for older RHEL, but unfortunately they dropped it starting with RHEL7. (Of course, I am biased.) Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.