
Re: [ldapext] Fwd: I-D Action:draft-zeilenga-ldap-passwords-00.txt



simo wrote:
>>> 4)
>>>
>>> The number of constraints seems quite limited; are you open to
>>> suggestions for more constraint types that are currently commonly used
>>> in various server implementations?
>> Yes.
>
> Thanks,
> there are some encoding (utf-8) dependent constraints that are widely
> used like:
>
> - minimum length in characters
> - maximum number of repetitions of the same character in a password
> - minimum number of alphabetic characters
> - minimum number of lower case characters
> - minimum number of upper case characters
> - minimum number of digits
> - minimum number of special characters (usually ASCII characters that
> represent symbols, but may be extended to other symbols in the UTF-8
> space)
> - minimum number of ASCII characters (as opposed to other utf-8
> characters)
> - complexity checks, like the checks performed by the cracklib library
> to make sure the user name (or other user data) is not used as part of
> the password itself, or the password is not too similar to a dictionary
> word (locale dependent sometimes).

I recall when draft-behera was being discussed that folks wanted more 
constraints, but nobody suggested what those might be. This is a pretty good 
list. As for complexity checks, that may still be more difficult to 
standardize. In OpenLDAP we punt that to a user-written checking module.

I don't really see a good way to fully spec this here, unless you want to 
define an attribute to carry ABNF rules that a password must conform to. Or, 
we could define a list of "dictionaries" that must be checked, where a 
"dictionary" is a specified version number of a well-known word list, library 
(like cracklib) or other external mechanism.

> There is also often a kind of meta-constraint:
> - minimum number of constraints that must pass their criteria
>
> This allows a greater number X of constraints but accepts the password
> even if only Y < X of them are fulfilled. An example configuration is to
> enable all constraints but require that only, say, 4 of them be met
> at the same time to consider the password strong enough.
>
>
> Simo.
>


-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext
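As an added illustration of the constraint list and the "Y of X" meta-constraint discussed in this thread (not code from the draft, from OpenLDAP, or from any server Simo refers to), here is a checker that counts in Unicode characters rather than UTF-8 bytes; the thresholds in POLICY, the function names and the username rule are assumed sample choices.

```python
from collections import Counter
import unicodedata

# Assumed sample thresholds, not values taken from the draft or any server.
POLICY = {"min_length": 8, "max_repeat": 3, "min_alpha": 1, "min_lower": 1,
          "min_upper": 1, "min_digit": 1, "min_special": 1, "min_ascii": 4,
          "min_passing": 5}   # meta-constraint: 5 of the 8 counted checks

def count_classes(pw):
    """Count code points per class; len() counts characters, not UTF-8 bytes."""
    return {
        "length": len(pw),
        # interpreted as total occurrences of the most frequent character
        "max_repeat": max(Counter(pw).values(), default=0),
        "alpha": sum(ch.isalpha() for ch in pw),
        "lower": sum(ch.islower() for ch in pw),
        "upper": sum(ch.isupper() for ch in pw),
        "digit": sum(ch.isdigit() for ch in pw),
        # symbols/punctuation by Unicode general category (S* or P*), so
        # non-ASCII symbols count too, as the list item allows
        "special": sum(unicodedata.category(ch)[0] in "PS" for ch in pw),
        "ascii": sum(ch.isascii() for ch in pw),
    }

def evaluate(pw, policy=POLICY, username=""):
    """Return (accepted, failed_constraint_names)."""
    c = count_classes(pw)
    checks = {
        "min_length": c["length"] >= policy["min_length"],
        "max_repeat": c["max_repeat"] <= policy["max_repeat"],
        "min_alpha": c["alpha"] >= policy["min_alpha"],
        "min_lower": c["lower"] >= policy["min_lower"],
        "min_upper": c["upper"] >= policy["min_upper"],
        "min_digit": c["digit"] >= policy["min_digit"],
        "min_special": c["special"] >= policy["min_special"],
        "min_ascii": c["ascii"] >= policy["min_ascii"],
    }
    failed = [name for name, ok in checks.items() if not ok]
    # complexity check in the cracklib spirit: the user name must not appear
    # in the password; assumed here to be a hard failure outside the meta-rule
    if username and username.casefold() in pw.casefold():
        return False, failed + ["contains_username"]
    # meta-constraint: accept if at least min_passing of the counted checks hold
    return len(checks) - len(failed) >= policy["min_passing"], failed

if __name__ == "__main__":
    print(evaluate("Passw0rd!", username="alice"))   # all checks pass
    print(evaluate("pässwörd"))                       # 5 of 8 pass, accepted
```

The second call shows the meta-constraint at work: three class checks fail, yet the password is accepted because five of the eight counted constraints hold.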