Date: Fri, 27 Oct 2017 10:02:05 -0400
From: Arnold Reinhold <agr@...com>
To: passwords@...ts.openwall.com
Subject: Re: Real world password policies

Here’s what Harvard requires:

> Your password must contain:
>
> Not Started! At least 10 characters and up to 100 characters
>
> Not Started! At least 3 of the following: uppercase, lowercase, numeric, or special characters
>
>
> It may not include:
>
> Your email, part of your name, or part of your address
> Number sequences of 4 or more numbers
> Character repeated 4 or more times
> Dictionary words or common acronyms of 5 or more letters (passwords of more than 20 characters are excluded from this rule)

Perhaps we need a website of silly password requirements.

Arnold Reinhold

> On Oct 27, 2017, at 8:38 AM, Solar Designer <solar@...nwall.com> wrote:
>
> On Fri, Oct 27, 2017 at 01:17:41PM +0200, e@...tmx.net wrote:
>> SKYPE: your password can not contain your e-mail username.
>> my email username contains A SINGLE LETTER,
>> and this letter is "e"!!!
>> i can barely create a password without "e"
>>
>> can anyone ever get stupider than microsoft?
>
> Red Hat managed to match that - the exact same problem occurs on RHEL7
> and Fedora:
>
> https://twitter.com/solardiz/status/792169468575289344
>
> "1-char username, long password. RHEL7 pam_pwquality says "BAD PASSWORD:
> The password contains the user name in some form". I say BAD RHEL7."
>
> (and follow-ups in that tweet thread).
>
> A way to keep this sort of checks sane is to exclude the problematic
> substring(s), such as the username, when testing the remainder of the
> password string against the policy. That's what passwdqc does, and it
> also disregards too-short substrings from this treatment.
>
> passwdqc was included in Red Hat's repositories for older RHEL, but
> unfortunately they dropped it starting with RHEL7.
>
> (Of course, I am biased.)
>
> Alexander
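
The approach described in the quoted message above (discount the username when judging the rest of the password, and ignore too-short substrings), as an added sketch that is not part of the original thread and is not passwdqc's code. The function names, both thresholds and the length-only policy are assumptions chosen for illustration.

```python
import re

MIN_TOKEN_LEN = 3   # assumed: personal strings shorter than this are ignored
MIN_REMAINDER = 10  # assumed policy: length required after stripping


def naive_rejects(password: str, username: str) -> bool:
    """The check criticised in the thread: any occurrence is fatal."""
    return username.lower() in password.lower()


def strip_personal(password: str, tokens: list[str]) -> str:
    """Remove case-insensitive occurrences of each sufficiently long token."""
    usable = sorted((t for t in tokens if len(t) >= MIN_TOKEN_LEN),
                    key=len, reverse=True)  # longest first, so "alice" beats "ali"
    if not usable:
        return password
    pattern = "|".join(re.escape(t) for t in usable)
    return re.sub(pattern, "", password, flags=re.IGNORECASE)


def acceptable(password: str, tokens: list[str]) -> bool:
    """Judge only what is left once personal substrings are discounted."""
    return len(strip_personal(password, tokens)) >= MIN_REMAINDER


# Constructed sample accounts and passwords, not taken from the thread.
SAMPLES = [
    ("e", "correct horse battery"),          # 1-char username, long password
    ("alice", "Alice2017!"),                 # username plus a short tail
    ("alice", "alice-plus-quite-long-tail"), # username plus a long tail
]

if __name__ == "__main__":
    for user, pw in SAMPLES:
        print(f"{user!r:8} {pw!r:30} naive_reject={naive_rejects(pw, user)} "
              f"remainder={strip_personal(pw, [user])!r} "
              f"accept={acceptable(pw, [user])}")
```
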