Message-ID: <20171027123847.GA23527@openwall.com>
Date: Fri, 27 Oct 2017 14:38:47 +0200
From: Solar Designer <solar@...nwall.com>
To: passwords@...ts.openwall.com
Subject: Re: Real world password policies

On Fri, Oct 27, 2017 at 01:17:41PM +0200, e@...tmx.net wrote:
> SKYPE: your password can not contain your e-mail username.
> my email username contains A SINGLE LETTER,
> and this letter is "e"!!!
> i can barely create a password without "e"
> 
> can anyone ever get stupider than microsoft?

Red Hat managed to match that - the exact same problem occurs on RHEL7
and Fedora:

https://twitter.com/solardiz/status/792169468575289344

"1-char username, long password. RHEL7 pam_pwquality says "BAD PASSWORD:
The password contains the user name in some form". I say BAD RHEL7."

(and follow-ups in that tweet thread).

A way to keep this sort of check sane is to exclude the problematic
substring(s), such as the username, when testing the remainder of the
password string against the policy.  That's what passwdqc does, and it
also disregards too-short substrings from this treatment.

passwdqc was included in Red Hat's repositories for older RHEL, but
unfortunately they dropped it starting with RHEL7.

(Of course, I am biased.)

Alexander

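The approach described in the message above, as an added illustration that is not code from passwdqc, pam_pwquality or the original post: the naive check rejects any password containing the username, so a one-letter username such as "e" makes most passwords unusable; the saner check removes the username substring (case-insensitively) and then applies the length/character-class policy to what is left, and it ignores substrings shorter than a threshold so that they neither reject the password nor get stripped from it. The thresholds (MIN_SUBSTRING_LEN, the per-class minimum lengths) and the function names are assumptions chosen for this example, not passwdqc's defaults.

```python
import re

# Assumed policy parameters for this example; passwdqc's real defaults differ.
MIN_SUBSTRING_LEN = 4           # substrings shorter than this are never treated as "the username"
MIN_LEN_BY_CLASSES = {          # minimum length required for a given number of character classes
    1: None,                    # a single character class is never accepted
    2: 24,
    3: 11,
    4: 8,
}


def char_classes(s: str) -> int:
    """Count how many of lower/upper/digit/other appear in s."""
    classes = 0
    if any(c.islower() for c in s):
        classes += 1
    if any(c.isupper() for c in s):
        classes += 1
    if any(c.isdigit() for c in s):
        classes += 1
    if any(not c.isalnum() for c in s):
        classes += 1
    return classes


def meets_policy(s: str) -> tuple[bool, str]:
    """Length/character-class policy applied to a (possibly reduced) password string."""
    n = char_classes(s)
    need = MIN_LEN_BY_CLASSES.get(n)
    if need is None:
        return False, "too few character classes"
    if len(s) < need:
        return False, f"too short for {n} character classes (need {need})"
    return True, "ok"


def naive_check(password: str, username: str) -> tuple[bool, str]:
    """The problematic behaviour: any occurrence of the username, however short, is fatal."""
    if username and username.lower() in password.lower():
        return False, "password contains the user name in some form"
    return meets_policy(password)


def strip_substrings(password: str, substrings) -> str:
    """Remove every case-insensitive occurrence of each long-enough substring."""
    remainder = password
    for sub in substrings:
        if len(sub) < MIN_SUBSTRING_LEN:
            continue            # too short to be a meaningful "contains the username" hit
        remainder = re.sub(re.escape(sub), "", remainder, flags=re.IGNORECASE)
    return remainder


def sane_check(password: str, username: str, extra=()) -> tuple[bool, str]:
    """Exclude the username (and any other known substrings) and judge what is left."""
    remainder = strip_substrings(password, (username, *extra))
    return meets_policy(remainder)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, user in [("Correct-Horse-e7", "e"),          # one-letter username
                     ("aliceNotAnAnchor42!", "alice"),   # username is a prefix of a strong remainder
                     ("aliceXy9!", "alice")]:            # almost nothing left once the username is gone
        print(f"{user!r:8} {pw!r:24} naive={naive_check(pw, user)} sane={sane_check(pw, user)}")
```

With a one-letter username the naive check rejects "Correct-Horse-e7" outright, while the saner check leaves the password untouched (the username is below MIN_SUBSTRING_LEN) and accepts it on its own merits; with username "alice" the remainder "NotAnAnchor42!" still passes, whereas "aliceXy9!" is correctly rejected because only "Xy9!" remains after the username is removed.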