Message-id: <039956A8-E135-4D4B-BDA3-8921DC2ECD33@me.com>
Date: Fri, 27 Oct 2017 10:02:05 -0400
From: Arnold Reinhold <agr@...com>
To: passwords@...ts.openwall.com
Subject: Re: Real world password policies

Here’s what Harvard requires:

> Your password must contain:
> 
>   At least 10 characters and up to 100 characters
>   At least 3 of the following: uppercase, lowercase, numeric, or special characters
> 
> It may not include:
> 
>   Your email, part of your name, or part of your address
>   Number sequences of 4 or more numbers
>   Character repeated 4 or more times
>   Dictionary words or common acronyms of 5 or more letters (passwords of more than 20 characters are excluded from this rule)

Perhaps we need a website of silly password requirements.

Arnold Reinhold

> On Oct 27, 2017, at 8:38 AM, Solar Designer <solar@...nwall.com> wrote:
> 
> On Fri, Oct 27, 2017 at 01:17:41PM +0200, e@...tmx.net wrote:
>> SKYPE: your password can not contain your e-mail username.
>> my email username contains A SINGLE LETTER,
>> and this letter is "e"!!!
>> i can barely create a password without "e"
>> 
>> can anyone ever get stupider than microsoft?
> 
> Red Hat managed to match that - the exact same problem occurs on RHEL7
> and Fedora:
> 
> https://twitter.com/solardiz/status/792169468575289344
> 
> "1-char username, long password. RHEL7 pam_pwquality says "BAD PASSWORD:
> The password contains the user name in some form". I say BAD RHEL7."
> 
> (and follow-ups in that tweet thread).
> 
> A way to keep this sort of check sane is to exclude the problematic
> substring(s), such as the username, when testing the remainder of the
> password string against the policy.  That's what passwdqc does, and it
> also disregards too-short substrings from this treatment.
> 
> passwdqc was included in Red Hat's repositories for older RHEL, but
> unfortunately they dropped it starting with RHEL7.
> 
> (Of course, I am biased.)
> 
> Alexander

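The two approaches contrasted in the thread, as an added illustration that is not code from passwdqc, pam_pwquality or any list member: a naive "username must not appear anywhere" check beside the remainder-based check Solar describes. The policy thresholds (minimum length, required character classes, and the length below which a username is too short to strip) are constructed for this example and are not any tool's real defaults.

```python
import re

# Constructed policy values for the demonstration; not passwdqc's real defaults.
MIN_LENGTH = 10        # minimum length of what remains after stripping the username
MIN_CLASSES = 3        # character classes (lower/upper/digit/special) required
MIN_STRIP_LEN = 4      # usernames shorter than this are too short to be worth stripping


def char_classes(s: str) -> int:
    """Count how many of the four character classes appear in s."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(1 for p in patterns if re.search(p, s))


def naive_username_check(password: str, username: str) -> bool:
    """The behaviour the thread complains about: any occurrence of the
    username anywhere in the password fails it, even a one-letter username."""
    return username.lower() not in password.lower()


def sane_check(password: str, username: str) -> bool:
    """Remainder-based check as described in the thread: remove the username
    from the password and test only what is left against the policy, but
    ignore usernames too short to matter (so a user named "e" may still type e).
    Padding a password with the username therefore adds nothing to its score."""
    remainder = password
    if len(username) >= MIN_STRIP_LEN:
        remainder = re.sub(re.escape(username), "", password, flags=re.IGNORECASE)
    return len(remainder) >= MIN_LENGTH and char_classes(remainder) >= MIN_CLASSES


if __name__ == "__main__":
    # Constructed sample inputs.
    for user, pw in (("e", "Correct-Horse-Battery-9"),
                     ("bobby", "bobby-Bobby2017"),
                     ("bobby", "bobby-Winter2017!")):
        print(f"{user!r:8} {pw!r:26} naive={naive_username_check(pw, user)} "
              f"sane={sane_check(pw, user)}")
```

With the one-letter username the naive check rejects a strong passphrase while the remainder check accepts it; with a longer username, a password that is mostly the username repeated fails the remainder check even though it clears the raw length requirement.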
