Description of problem:
At present only one password policy is enforced. The current implementation may upset some users that had previously been using passwords of significant entropy.

Version-Release number of selected component (if applicable):
version 4.4.9039-5

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:
only the following can be set:
'password_check_on_login' => '1',
'password_complexity' => 'letters_numbers_specialchars',

Expected results:
Ideally more than one class could be set:
'password_check_on_login' => '1',
'password_class1_complexity' => 'letters_numbers_specialchars',
'password_class1_minlength' => '8',
'password_class2_complexity' => 'letters',
'password_class2_minlength' => '20',
'password_active_policies' => 'class1, class2',

Additional info:
allow users to match either class
Alternatively, pass the password entropy enforcement onto an external authentication mechanism.
A small, but vocal, number of users who previously used long passphrases have provided similar feedback. Implementing this suggestion should be fairly easy. The outstanding question is "what is an acceptable minimum length for a passphrase?" I'll defer to our security experts to make a decision on that question.
*** Bug 1265331 has been marked as a duplicate of this bug. ***
*** Bug 1267147 has been marked as a duplicate of this bug. ***
We shouldn't have multiple password rules, it's complex, of little benefit, and unlikely to be accepted upstream. Instead we should switch from complexity to entropy and allow the admin to set the minimum entropy required. We need to make sure the entropy calculator is accurate.
*** Bug 1311936 has been marked as a duplicate of this bug. ***
http://search.cpan.org/~zero/Data-Password-Entropy-0.08/lib/Data/Password/Entropy.pm
I agree with this complaint. The password policy almost made me quit in rage and not submit a crash report after already spending about half an hour preparing it. I usually use passwords >20 chars with easily memorised features but no special characters. This policy forces me to choose a password I can't remember on my own.
Example of the bits of entropy for some made up passwords

$ perl -E '
use Data::Password::Entropy;

# sample passwords to rate
my @passwords = qw{
    hell0p@nts
    ThisIsABigPhraseMaybeTooBig!
    *(&^75*^%$&43HGKFursdkuhvkuyf985)
    lem0N7ea!
    Ha20&09_X!t
};

foreach my $pass (@passwords){
    say "testing $pass";
    say "entropy bits: " . password_entropy($pass);
    say;
}
'
testing hell0p@nts
entropy bits: 54

testing ThisIsABigPhraseMaybeTooBig!
entropy bits: 117

testing *(&^75*^%$&43HGKFursdkuhvkuyf985)
entropy bits: 154

testing lem0N7ea!
entropy bits: 53

testing Ha20&09_X!t
entropy bits: 65
Bug 2072826 is for disabling passwords for some users and forcing them to use 2FA. If there are other classes of users who require this kind of protection we will move them to 2FA as well.
:-(

Jeff, this is not about having multiple password rules, but about a different way of measuring the quality of a password. Of course it means changing the code, but for the benefit of all users, using either passwords like "yoo$g9To" or "rotcepsnisnoitpognittesmetsys".
(In reply to hdunkel from comment #11)
> :-(
>
> Jeff, this is not about having multiple password rules, but about a
> different way of measuring the quality of a password. Of course it means
> changing the code, but for the benefit for all users, using either passwords
> like "yoo$g9To" or "rotcepsnisnoitpognittesmetsys".

IIRC when we talked about this internally, some time ago, we were debating the limit we'd use and were basically in the 64-96 range. The first one isn't close to that range, and the second would only make it if we went to the smaller end. The real problem is that just doing entropy isn't good enough, you also need to use dictionaries, and other such things and there isn't a good thing we can just plug in, so we'd have to do a lot of work to make it secure. With 2FA on the scene there isn't nearly as much ROI so it's unlikely we'd expend a great effort to implement it.
Actually this looks reasonable, I think it will do. We'd probably set the strength required to 4. We could also use the JavaScript version in the UI so people would be alerted before submitting a new password.

perl -E '
use Data::Password::zxcvbn qw(password_strength);
use Data::Dumper;

# sample passwords to rate, including the two from comment #11
my @passwords = qw{
    hell0p@nts
    ThisIsABigPhraseMaybeTooBig!
    *(&^75*^%$&43HGKFursdkuhvkuyf985)
    lem0N7ea!
    Ha20&09_X!t
    yoo$g9To
    rotcepsnisnoitpognittesmetsys
};

foreach my $pass (@passwords){
    say "testing $pass";
    # password_strength() returns a hashref; score runs 0 (weakest) .. 4 (strongest)
    my $strength = password_strength($pass);
    say "strength: " . $strength->{score};
    #say Dumper($strength);
    say;
}
'
testing hell0p@nts
strength: 1

testing ThisIsABigPhraseMaybeTooBig!
strength: 4

testing *(&^75*^%$&43HGKFursdkuhvkuyf985)
strength: 4

testing lem0N7ea!
strength: 3

testing Ha20&09_X!t
strength: 4

testing yoo$g9To
strength: 2

testing rotcepsnisnoitpognittesmetsys
strength: 4
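Added illustration (not Bugzilla code, and not the Data::Password::Entropy or zxcvbn implementation) of the difference this thread turns on: a character-class "entropy" figure of the kind the earlier Data::Password::Entropy run produced, next to a dictionary-and-leet-aware guess estimate of the kind zxcvbn makes, mapped onto zxcvbn's documented score bands of 10^3, 10^6, 10^8 and 10^10 guesses. The word list, leet table and per-token costing are constructed for the example and are far smaller and cruder than zxcvbn's (unmatched characters are charged their full class size, which is more generous than zxcvbn's brute-force costing, and there is no reversed-word or keyboard-pattern matching), so its bit counts and scores are not zxcvbn's. The point it shows is that hell0p@nts earns a respectable character-class figure yet collapses to a handful of guesses once "hello" and "pants" are recognised, while the long passphrase keeps enough guesses to clear score 4.

```python
"""Added example: character-class entropy vs a dictionary/leet-aware guess
estimate for the sample passwords from this bug. Constructed for illustration;
this is not Bugzilla code and not the Data::Password::Entropy or zxcvbn
implementation (word list, leet table and costing are all toy assumptions)."""
import math
import re

# Constructed frequency-ranked word list (rank 1 = most common). zxcvbn's real
# lists hold tens of thousands of entries; this one only knows the words that
# occur in the passwords discussed in the bug.
RANKED_WORDS = ["password", "hello", "pants", "lemon", "tea",
                "this", "big", "phrase", "maybe", "too"]
RANK = {w: i + 1 for i, w in enumerate(RANKED_WORDS)}

# Common l33t substitutions, reversed so a mangled word can be looked up.
UNLEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
          "7": "t", "@": "a", "$": "s", "!": "i"}

# zxcvbn's documented score bands, in guesses: below 1e3 is score 0, etc.
SCORE_BANDS = (1e3, 1e6, 1e8, 1e10)


def charclass_entropy(pw):
    """Naive estimate: log2(pool ** len(pw)), pool = sum of the character-class
    sizes present. Treats every character as an independent random choice."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33          # printable ASCII punctuation
    return len(pw) * math.log2(pool) if pool else 0.0


def tokenize(pw):
    """Greedy left-to-right split of pw into (kind, match, original_span) tokens:
    the longest dictionary word (after un-leeting) wins, else one literal char."""
    low = "".join(UNLEET.get(c, c) for c in pw.lower())
    tokens, i = [], 0
    while i < len(low):
        for j in range(len(low), i, -1):
            if low[i:j] in RANK:
                tokens.append(("word", low[i:j], pw[i:j]))
                i = j
                break
        else:
            tokens.append(("char", low[i], pw[i]))
            i += 1
    return tokens


def guess_bits(pw):
    """Dictionary-aware cost in log2(guesses): a known word costs log2(rank),
    +1 bit if the attacker must also try a leet variant, +1 if a capitalised
    variant; an unmatched char costs log2 of its own character-class size."""
    bits = 0.0
    for kind, match, span in tokenize(pw):
        if kind == "word":
            bits += math.log2(RANK[match])
            bits += 1 if any(c in UNLEET for c in span) else 0
            bits += 1 if any(c.isupper() for c in span) else 0
        elif span.islower() or span.isupper():
            bits += math.log2(26)
        elif span.isdigit():
            bits += math.log2(10)
        else:
            bits += math.log2(33)
    return bits


def score(pw):
    """Map guess_bits onto zxcvbn's 0..4 bands (10^3, 10^6, 10^8, 10^10 guesses)."""
    guesses = 2 ** guess_bits(pw)
    return sum(1 for band in SCORE_BANDS if guesses >= band)


def policy_accepts(pw, min_score=4):
    """The check the thread settles on: reject anything below score 4."""
    return score(pw) >= min_score


if __name__ == "__main__":
    for pw in ("hell0p@nts", "ThisIsABigPhraseMaybeTooBig!", "lem0N7ea!",
               "yoo$g9To", "rotcepsnisnoitpognittesmetsys"):
        print(f"{pw:32} classes={charclass_entropy(pw):6.1f} bits  "
              f"guess={guess_bits(pw):6.1f} bits  score={score(pw)}  "
              f"accepted={policy_accepts(pw)}")
```

Running it prints one line per password; hell0p@nts gets roughly 61 character-class bits but under 5 guess bits (score 0, rejected), and ThisIsABigPhraseMaybeTooBig! keeps about 43 guess bits (score 4, accepted) even after its eight dictionary words are discounted.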
On QA instance:
login using an account that is permitted to change its password:
Test a bunch of passwords in the UI:
Rating is dynamically updated as you type with the zxcvbn rating and some suggestions. e.g.
zxcvbn: Very weak: This is a frequently used password.
ThisIsABigPhraseMaybeTooBig!: Strong
lem0N7ea!: Good
Attempt to submit a password with strength lower than Strong: Password is rejected.
Attempt to submit a password with strength of Strong: Password is accepted.
This fix has been deployed to stage Bugzilla for a short public testing phase. https://bugzilla.stage.redhat.com
This change is now live. If there are any issues, do not reopen this bug. Instead, you should create a new bug and reference this bug.