Message-ID: <CALnMstV5+RV-Xdv20_3ANi3nPB5K2P5Vu9nBCJVJ5defA_T=aA@mail.gmail.com>
Date: Fri, 27 Oct 2017 17:24:51 +0300
From: Anton Dedov <adedov@...il.com>
To: passwords@...ts.openwall.com
Subject: Re: Real world password policies

https://twitter.com/PWTooStrong

On Oct 27, 2017 at 17:02, "Arnold Reinhold" <agr@...com> wrote:

> Here’s what Harvard requires:
>
> Your password must contain:
>
> At least 10 characters and up to 100 characters
>
> At least 3 of the following: uppercase, lowercase, numeric, or special
> characters
>
> It may not include:
>
> Your email, part of your name, or part of your address
>
> Number sequences of 4 or more numbers
>
> Character repeated 4 or more times
>
> Dictionary words or common acronyms of 5 or more letters (passwords of
> more than 20 characters are excluded from this rule)
>
> Perhaps we need a website of silly password requirements.
>
> Arnold Reinhold
>
> On Oct 27, 2017, at 8:38 AM, Solar Designer <solar@...nwall.com> wrote:
>
> On Fri, Oct 27, 2017 at 01:17:41PM +0200, e@...tmx.net wrote:
>
> SKYPE: your password cannot contain your e-mail username.
> My email username contains A SINGLE LETTER,
> and this letter is "e"!!!
> I can barely create a password without "e"
>
> Can anyone ever get stupider than Microsoft?
>
>
> Red Hat managed to match that - the exact same problem occurs on RHEL7
> and Fedora:
>
> https://twitter.com/solardiz/status/792169468575289344
>
> "1-char username, long password. RHEL7 pam_pwquality says "BAD PASSWORD:
> The password contains the user name in some form". I say BAD RHEL7."
>
> (and follow-ups in that tweet thread).
>
> A way to keep this sort of check sane is to exclude the problematic
> substring(s), such as the username, when testing the remainder of the
> password string against the policy.  That's what passwdqc does, and it
> also disregards too-short substrings from this treatment.
>
> passwdqc was included in Red Hat's repositories for older RHEL, but
> unfortunately they dropped it starting with RHEL7.
>
> (Of course, I am biased.)
>
> Alexander


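The substring-exclusion approach Alexander describes above (cut the username out of the password, ignore usernames too short to matter, then test what remains against the policy), as an added example. This is illustration code written for this page, not passwdqc's or pam_pwquality's implementation; the thresholds MIN_LENGTH, MIN_CLASSES and MIN_NEEDLE and the sample passwords are assumed values constructed for the demonstration.

```python
"""
Added example (not passwdqc's code, and not from the original message):
a simplified illustration of the two approaches to a "password must not
contain the username" check that the thread discusses.

Policy thresholds below (MIN_LENGTH, MIN_CLASSES, MIN_NEEDLE) are assumed
values chosen for the illustration, not those of any real implementation.
"""
import re

MIN_LENGTH = 10    # assumed: minimum password length
MIN_CLASSES = 3    # assumed: minimum number of character classes
MIN_NEEDLE = 4     # assumed: usernames shorter than this are not excluded


def char_classes(s: str) -> int:
    """Count how many of lower/upper/digit/other appear in s."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, s))


def policy_failure(s: str, what: str):
    """Return a rejection reason if s fails the length/class policy, else None."""
    if len(s) < MIN_LENGTH:
        return f"BAD PASSWORD: {what} is shorter than {MIN_LENGTH} characters"
    if char_classes(s) < MIN_CLASSES:
        return f"BAD PASSWORD: {what} uses fewer than {MIN_CLASSES} character classes"
    return None


def naive_check(password: str, username: str):
    """The problematic behaviour from the thread: reject whenever the username
    occurs anywhere in the password, however short the username is.  With a
    one-letter username such as "e", almost every English passphrase fails."""
    if username and username.lower() in password.lower():
        return "BAD PASSWORD: The password contains the user name in some form"
    return policy_failure(password, "the password")


def sane_check(password: str, username: str):
    """The approach recommended in the thread: remove the username from the
    password (ignoring it entirely when it is too short to be worth excluding)
    and apply the length/class policy to what remains.  A password that is just
    the username plus a little decoration then fails on length, while a long
    passphrase that merely happens to contain a short username passes."""
    remainder = password
    if len(username) >= MIN_NEEDLE:
        remainder = re.sub(re.escape(username), "", remainder, flags=re.IGNORECASE)
    return policy_failure(remainder, "the password with the user name removed")


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    cases = [
        ("Correct Horse Battery Staple 42!", "e"),
        ("Alexander2017!", "alexander"),
        ("alexander-rides-a-Blue-bike-2017", "alexander"),
    ]
    for pw, user in cases:
        print(f"user={user!r} password={pw!r}")
        print("  naive:", naive_check(pw, user) or "accepted")
        print("  sane: ", sane_check(pw, user) or "accepted")
```

With the username "e", the naive check rejects the 32-character passphrase while the sane check accepts it; with the username "alexander", "Alexander2017!" is rejected by both (after removal only "2017!" is left), and a long passphrase that contains the username still passes because the remainder on its own satisfies the policy.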