Password complexity rules

Rod MacPherson rod at macphersonclan.com
Fri Oct 14 13:34:33 UTC 2011


Hi, I just read about the new Fedora Project password change, and the thing that caught my attention is your interesting password complexity rules. 9 char if using upper, lower, numbers and special chars, 20 chars otherwise.

I have never seen this type of complexity rule in action before, so the first thing that sprang to my mind is "what PAM plugins are they using to accomplish this, and where can I get that?"

I'm sure other security professionals would love to try this, but the standard modules in most Linux distros only allow very simple min length, min complexity settings, not an if complexity >= this, min_length == min1, else min_length == min2.

I'd like to do a write-up about this for infosecisland.com which can include an interview with someone at fedoraproject if you like, but doesn't have to.


Rod MacPherson, CISSP, CISA, C|EH
rod at macphersonclan.com
www.infosecisland.com
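
The conditional rule described in the message above, written out as an added example (not part of the original post, and not Fedora's implementation): the minimum length is 9 when all four character classes are present and 20 otherwise. The function names and the definition of "special" as any non-alphanumeric character are assumptions, and the sample passwords are constructed.

```python
# Thresholds taken from the rule quoted in the message.
MIN_LEN_ALL_CLASSES = 9
MIN_LEN_OTHERWISE = 20
ALL_CLASSES = {"upper", "lower", "digit", "special"}


def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            # Assumption: anything that is not a letter or digit is "special".
            classes.add("special")
    return classes


def required_length(password):
    """Pick the minimum length based on which classes the password uses."""
    if char_classes(password) == ALL_CLASSES:
        return MIN_LEN_ALL_CLASSES
    return MIN_LEN_OTHERWISE


def check_password(password):
    """Return (accepted, reason) for the conditional-length rule."""
    need = required_length(password)
    if len(password) >= need:
        return True, "ok"
    return False, f"needs at least {need} characters, has {len(password)}"


if __name__ == "__main__":
    # Constructed sample passwords, one per branch of the rule.
    for pw in ["Tr0ub&dor", "Tr0ub&do", "Password12345",
               "correcthorsebattery", "correcthorsebatterystaple"]:
        print(f"{pw!r}: {check_password(pw)}")
```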
 



