Is it necessary for security to have undisclosed password requirements? [closed]

At Bugzilla, I typed a new password that met the requirements stated on the account creation page. But I received:

The password does not meet our security requirements for the
following reason: not enough different characters or classes

For the sake of a reproducible example, the password attempt can be: “Qazxswedc123” – I got the same message for that one too.

A web search found Does bugzilla.mozilla.org’s “new” password requirements make sense for that type of account/service? however that question was different.

https://wiki.mozilla.org/BMO/UserGuide/Passwords

must be at least 12 characters in length
must not contain parts of your email address, or your real name
must be complex, which means:
    must be a passphrase of at least four words
    OR
    must contain a mixture of letters and symbols, containing characters from 3 out of the following 4 character classes:
    lowercase letters, uppercase letters, numbers, and other symbols

P.S. they could have at least pretended to have a valid reason, “must not contain parts of your email address” may mean any letter from the address.

I’m trying to contact Mozilla via other means, maybe they accept it as a bug.


How can I, as an enduser, put pressure on corporations and discourage password strength theater? [duplicate]

For work and other official matters, I am often forced to use websites and apps which clearly have some kind of cargo cult going on in their security department, given that they impose extremely foolish requirements on passwords:

Characte…

Is character restriction ever a safe mechanism against code injection / better than input sanitisation?

Many services still restrict the special characters allowed in passwords and similar with the argument that it prevents injection attacks. Now, there are many good arguments against this such as avoiding unnecessary obstructions, character…

Is client-side bcrypt sent over tls + server-side sha hmac secure for password storage?

I want to hash passwords for security, but strong bcrypt by nature eats up a bit of the server's resources. So I was thinking of doing the encryption on the client side. This would prevent the password from being known in the case the off cha…

strength of 64 character long password with containing only Hexadecimal digits (xdigit)

I wrote a small shell function to generate random passwords. Such a password may look like the below.
D2fdAbE5e9bcAFDBE5bEeED3b795ecf44B35e99B6D28591429fEE6B7C0BcCed1

I started to wonder if this is actually secure enough. Are there potent…

Why do the most sensitive sites have the worst user authentication mechanisms (e.g., password policies)? [duplicate]

It appears to me that the most sensitive websites I use (e.g., banking, credit rating cos, government, travel, …) have the worst authentication implementations.
Things I’ve seen:

Unnecessarily restrictive password rules (e.g., less than…

What are the security implications of the password policy for this bank? [duplicate]

I am aware of a bank (redacted for obvious reasons) that has the following password policy.

Only English alphanumeric characters
Min of 8, max of 14 characters
No special characters (ex. !@#$%^&* are all forbidden)
Passwords must be c…