Message-id: <039956A8-E135-4D4B-BDA3-8921DC2ECD33@me.com>
Date: Fri, 27 Oct 2017 10:02:05 -0400
From: Arnold Reinhold <agr@...com>
To: passwords@...ts.openwall.com
Subject: Re: Real world password policies
Here’s what Harvard requires:
> Your password must contain:
>
> Not Started! At least 10 characters and up to 100 characters
>
> Not Started! At least 3 of the following: uppercase, lowercase, numeric, or special characters
>
>
> It may not include:
>
> Your email, part of your name, or part of your address
> Number sequences of 4 or more numbers
> Character repeated 4 or more times
> Dictionary words or common acronyms of 5 or more letters (passwords of more than 20 characters are excluded from this rule)
Perhaps we need a website of silly password requirements.
Arnold Reinhold
> On Oct 27, 2017, at 8:38 AM, Solar Designer <solar@...nwall.com> wrote:
>
> On Fri, Oct 27, 2017 at 01:17:41PM +0200, e@...tmx.net wrote:
>> SKYPE: your password can not contain your e-mail username.
>> my email username contains A SINGLE LETTER,
>> and this letter is "e"!!!
>> i can barely create a password without "e"
>>
>> can anyone ever get stupider than microsoft?
>
> Red Hat managed to match that - the exact same problem occurs on RHEL7
> and Fedora:
>
> https://twitter.com/solardiz/status/792169468575289344
>
> "1-char username, long password. RHEL7 pam_pwquality says "BAD PASSWORD:
> The password contains the user name in some form". I say BAD RHEL7."
>
> (and follow-ups in that tweet thread).
>
> A way to keep this sort of checks sane is to exclude the problematic
> substring(s), such as the username, when testing the remainder of the
> password string against the policy. That's what passwdqc does, and it
> also disregards too-short substrings from this treatment.
>
> passwdqc was included in Red Hat's repositories for older RHEL, but
> unfortunately they dropped it starting with RHEL7.
>
> (Of course, I am biased.)
>
> Alexander
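
The approach described in the quoted reply (exclude the username, then test what is left against the policy), sketched next to the naive substring rule. This is an added example, not code from passwdqc or pam_pwquality; the thresholds `MIN_MATCH`, `MIN_LENGTH`, `MIN_CLASSES` and the stand-in policy `meets_policy` are assumptions made for illustration.

```python
import re

MIN_MATCH = 4    # assumed: usernames shorter than this are not treated as matches
MIN_LENGTH = 10  # assumed stand-in policy: minimum length
MIN_CLASSES = 3  # assumed stand-in policy: distinct character classes required


def meets_policy(candidate: str) -> bool:
    """Stand-in strength policy: length plus character-class count."""
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ]
    return len(candidate) >= MIN_LENGTH and sum(classes) >= MIN_CLASSES


def naive_check(password: str, username: str) -> bool:
    """Rule complained about in the thread: any occurrence of the username fails."""
    return username.lower() not in password.lower() and meets_policy(password)


def remainder_check(password: str, username: str) -> bool:
    """Strip the username, then require the remainder to pass the policy alone."""
    if len(username) < MIN_MATCH:
        return meets_policy(password)  # too short to be a meaningful match
    remainder = re.sub(re.escape(username), "", password, flags=re.IGNORECASE)
    return meets_policy(remainder)


# Constructed sample inputs: (username, password)
SAMPLES = [
    ("e", "Correct-Horse7-Battery"),    # 1-char username, long password
    ("alice", "alice-Tr0ub4dor&3xyz"),  # username plus a strong remainder
    ("alice", "Alice2017!"),            # password that leans on the username
]

if __name__ == "__main__":
    for user, pw in SAMPLES:
        print(user, pw, naive_check(pw, user), remainder_check(pw, user))
```

The first two samples are rejected by the naive rule but accepted by the remainder rule; the third is rejected by both because only `2017!` is left once the username is removed.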