Bug 1265066 - change password check from complexity to entropy
Status: NEW
Product: Bugzilla
Classification: Community
Component: User Interface
Version: 4.4
Hardware/OS: Unspecified / Unspecified
Priority: high   Severity: medium
Assigned To: PnT DevOps Devs
QA Contact: tools-bugs
Duplicates: 1265331 1267147 1311936
Reported: 2015-09-22 01:01 EDT by Marco Grigull
Modified: 2016-10-11 07:03 EDT
Doc Type: Bug Fix
Type: Bug

Attachments: None
Description Marco Grigull 2015-09-22 01:01:39 EDT
Description of problem:
At present only one password policy is enforced.  The current implementation may upset some users that had previously been using passwords of significant entropy.

Version-Release number of selected component (if applicable):
version 4.4.9039-5

How reproducible:
100%
Steps to Reproduce:
1.
2.
3.

Actual results:

only the following can be set:
'password_check_on_login' => '1',
'password_complexity' => 'letters_numbers_specialchars',

Expected results:

Ideally more than one class could be set:
'password_check_on_login' => '1',
'password_class1_complexity' => 'letters_numbers_specialchars',
'password_class1_minlength' => '8',
'password_class2_complexity' => 'letters',
'password_class2_minlength' => '20',
'password_active_policies' => 'class1, class2',

Additional info:
allow users to match either class


Alternatively, pass the password entropy enforcement onto an external authentication mechanism.
Comment 1 Jason McDonald 2015-09-24 23:54:32 EDT
A small, but vocal, number of users who previously used long passphrases have provided similar feedback.

Implementing this suggestion should be fairly easy.  The outstanding question is "what is an acceptable minimum length for a passphrase?"  I'll defer to our security experts to make a decision on that question.
Comment 2 Jason McDonald 2015-09-25 00:06:28 EDT
*** Bug 1265331 has been marked as a duplicate of this bug. ***
Comment 3 Jason McDonald 2015-09-29 03:46:01 EDT
*** Bug 1267147 has been marked as a duplicate of this bug. ***
Comment 4 Jeff Fearn 2015-10-25 23:12:45 EDT
We shouldn't have multiple password rules; it's complex, of little benefit, and unlikely to be accepted upstream. Instead we should switch from complexity to entropy and allow the admin to set the minimum entropy required.

We need to make sure the entropy calculator is accurate.
Comment 5 Jeff Fearn 2016-02-29 00:53:45 EST
*** Bug 1311936 has been marked as a duplicate of this bug. ***