[rt-users] p*a*s*s*w*o*r*d quality enforcement?

Václav Ovsík vaclav.ovsik at i.cz
Wed Jul 22 09:23:11 EDT 2015


On Fri, Jul 17, 2015 at 09:05:49AM -0500, Matt Zagrabelny wrote:
> On Fri, Jul 17, 2015 at 6:55 AM, Václav Ovsík <vaclav.ovsik at i.cz> wrote:
> > Hi,
> > is there any way to set password quality enforcement better than its
> > minimal length ($MinimumPasswordLength)?
> 
> There is a BeforeUpdate callback in
> share/html/Admin/Users/Modify.html. Without looking deeper at the code
> I don't know if that will also catch "new" user creation.
> 
> You'd have to write a little bit of code and put it in the callback
> and fail accordingly if the password didn't meet your requirements.

Uhm. It seems better to me to include this in RT::User::ValidatePassword.
I tried this right now and it seems to be OK (RT version 4.2.11).
I made a copy of lib/RT/User.pm as local/lib/RT/User.pm and patched it:

commit 96c1079c7efcda70cb0467e5a331c29b6a4a5305
Author: Vaclav Ovsik <vaclav.ovsik at i.cz>
Date:   Wed Jul 22 14:26:35 2015 +0200

    hack ValidatePassword 2/2: cracklib test

diff --git a/local/lib/RT/User.pm b/local/lib/RT/User.pm
index e65478d..627ce75 100644
--- a/local/lib/RT/User.pm
+++ b/local/lib/RT/User.pm
@@ -304,6 +304,11 @@ sub ValidatePassword {
         return ( 0, $self->loc("Password needs to be at least [quant,_1,character,characters] long", RT->Config->Get('MinimumPasswordLength')) );
     }
 
+    require Crypt::Cracklib;
+    if ( ! Crypt::Cracklib::check($password) ) {
+        return ( 0, $self->loc("Password is too weak (cracklib test)") );
+    }
+
     return 1;
 }
 
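Review bot: `Crypt::Cracklib::check($password)` is called with no dictionary path and returns only pass/fail, so the user sees a generic "too weak" message and the dictionary cannot be changed per site; `Crypt::Cracklib::fascist_check($password, $dictpath)` returns the reason text (or "ok") and takes an explicit dictionary path, so something like `my $why = Crypt::Cracklib::fascist_check($password, RT->Config->Get('CracklibDictionary'));` with a new config option would give a more useful rejection message. The `require Crypt::Cracklib;` inside `ValidatePassword` also means a missing module only dies when a password is set or changed rather than at startup; loading it once at module level (or wrapping the `require` in an `eval` with a logged error) makes the failure mode explicit.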
This is very simple (it requires the Perl CPAN module Crypt::Cracklib). Can it
be a feature request? :)

> > I mean something like
> >  http://sourceforge.net/projects/cracklib
> >  http://www.openwall.com/passwdqc/
> > or so.
> >
> > Has anyone tried John The Ripper successfully with RT password hashes?
> 
> We use an SSO in front of RT - so no need to have local hashes.

We have a standalone RT user database.

The above test using Cracklib is not an ideal solution, as I'm now running
John The Ripper and many people use modified user-names as passwords.
I'm using J.T.R. to generate the password lists and then testing each one
by one for every enabled user with RT::User->IsPassword().
It is very slow for bcrypt hashes.
Cheers

-- 
Zito
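A check for the case the cracklib test misses, passwords that are the user name with trivial edits (case, leetspeak, reversal, appended digits), written as an added example for this thread; it is not RT code and not part of the patch above. It assumes a hypothetical `name_derived_check($name, $password)` returning `1` or `(0, $reason)`, mirroring the `ValidatePassword` return convention, so it could be called next to the cracklib test.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: reject passwords that are just the user name with
# trivial edits. Returns 1 on success or (0, $reason) on failure, the same
# convention RT::User::ValidatePassword uses.
sub name_derived_check {
    my ($name, $password) = @_;

    # Canonicalize both sides the same way: lower-case, fold common
    # leetspeak substitutions onto letters, keep letters and digits only.
    my $norm = sub {
        my $s = lc shift;
        $s =~ tr/1l|043@$57/iiioaeasst/;   # 1,l,| -> i; 0 -> o; 4,@ -> a; 3 -> e; $,5 -> s; 7 -> t
        $s =~ s/[^a-z0-9]//g;
        return $s;
    };
    my $pw = $norm->($password);

    # Stems to look for: the whole name, the local part of an e-mail style
    # name, and the name with digits removed (e.g. jsmith2 -> jsmith).
    my %seen;
    my @stems = grep { length($_) >= 3 && !$seen{$_}++ }
                map  { $norm->($_) }
                ( $name, (split /@/, $name)[0] // '', $name =~ s/\d+//gr );

    for my $stem (@stems) {
        my $rev = reverse $stem;
        if ( index($pw, $stem) >= 0 || index($pw, $rev) >= 0 ) {
            return ( 0, "Password is based on the user name" );
        }
    }
    return 1;
}

# Constructed demo values, not taken from the thread.
for my $case ( ['jsmith', 'J5m1th!2015'], ['jsmith', 'htimsj99'],
               ['jsmith', 'correct horse battery'] ) {
    my ($ok, $why) = name_derived_check(@$case);
    printf "%-8s %-22s %s\n", $case->[0], $case->[1], $ok ? 'ok' : "reject: $why";
}
```

The first two constructed passwords are rejected (the second because the reversed stem `htimsj` appears), the third passes; a cracklib dictionary check alone accepts the first two.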
