Posted to dev@vcl.apache.org by Aaron Peeler <aa...@ncsu.edu> on 2014/11/10 16:02:03 UTC

Re: Password complexity

Charles,

This is a good request and can easily be done. Can you create a jira
issue for this? I'll fix it for the next release.
https://issues.apache.org/jira/browse/VCL

There is a routine in utils.pm (getpw) that is set to default to 6 if
no length is provided.

Thanks,
Aaron

On Sun, Nov 9, 2014 at 12:03 AM, Charles Roger SIMEU <cr...@yahoo.fr> wrote:
> Hello,
>
> In image capture that I have tested, passwords are only 6 characters long. Can the code be modified in the next release to increase it to 8 characters and also satisfy other password complexity requirements (to include numbers and special characters)?
>
> Regards
>
> Charles Roger Simeu
>
> Montréal (Québec)
>
>



-- 
Aaron Peeler
Program Manager
Virtual Computing Lab
NC State University

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.

Re: Password complexity

Posted by Aaron Peeler <aa...@ncsu.edu>.
Thanks Charles.

Aaron

On Thu, Nov 13, 2014 at 6:07 AM, Charles Roger SIMEU <cr...@yahoo.fr> wrote:
> Aaron,
>
> I have created an issue in jira as you have asked.
>
> Thanks,
> Charles Roger Simeu
>
> ________________________________
> From: Aaron Peeler <aa...@ncsu.edu>
> To: "user@vcl.apache.org" <us...@vcl.apache.org>; "dev@vcl.apache.org"
> <de...@vcl.apache.org>
> Sent: Monday, November 10, 2014 10:02
> Subject: Re: Password complexity
>
> Charles,
>
> This is a good request and can easily be done. Can you create a jira
> issue for this? I'll fix it for the next release.
> https://issues.apache.org/jira/browse/VCL
>
> There is a routine in utils.pm (getpw) that is set to default to 6 if
> no length is provided.
>
> Thanks,
> Aaron
>
>
>
> On Sun, Nov 9, 2014 at 12:03 AM, Charles Roger SIMEU <cr...@yahoo.fr>
> wrote:
>> Hello,
>>
>> In image capture that I have tested, passwords are only 6 characters long.
>> Can the code be modified in the next release to increase it to 8 characters
>> and also satisfy other password complexity requirements (to include numbers
>> and special characters)?
>>
>> Regards
>>
>> Charles Roger Simeu
>>
>> Montréal (Québec)
>
>>
>>
>
>
>
> --
> Aaron Peeler
> Program Manager
> Virtual Computing Lab
> NC State University
>
> All electronic mail messages in connection with State business which
> are sent to or received by this account are subject to the NC Public
> Records Law and may be disclosed to third parties.
>



-- 
Aaron Peeler
Program Manager
Virtual Computing Lab
NC State University

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.

Re: Password complexity

Posted by Charles Roger SIMEU <cr...@yahoo.fr>.
Aaron,

I have created an issue in jira as you have asked.

Thanks,
Charles Roger Simeu

From: Aaron Peeler <aa...@ncsu.edu>
To: "user@vcl.apache.org" <us...@vcl.apache.org>; "dev@vcl.apache.org" <de...@vcl.apache.org>
Sent: Monday, November 10, 2014 10:02
Subject: Re: Password complexity

Charles,

This is a good request and can easily be done. Can you create a jira
issue for this? I'll fix it for the next release.
https://issues.apache.org/jira/browse/VCL

There is a routine in utils.pm (getpw) that is set to default to 6 if
no length is provided.

Thanks,
Aaron



On Sun, Nov 9, 2014 at 12:03 AM, Charles Roger SIMEU <cr...@yahoo.fr> wrote:
> Hello,
>
> In image capture that I have tested, passwords are only 6 characters long. Can the code be modified in the next release to increase it to 8 characters and also satisfy other password complexity requirements (to include numbers and special characters)?
>
> Regards
>
> Charles Roger Simeu
>
> Montréal (Québec)
>
>



-- 
Aaron Peeler
Program Manager
Virtual Computing Lab
NC State University

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.

  

Re: Password complexity

Posted by Aaron Peeler <aa...@ncsu.edu>.
In general yes, but I also think there is a limit of what the end-user
will want to enter, I know I wouldn't want to enter a different 12
char password string for each reservation I made.

Keep in mind that in normal VCL use the end-user sessions are both
time limited and firewall restricted.

One option is to add a variable option that is read from the variable
table, sites can then set their own length. If the variable is not
set, then default to 8 or just leave it at 6 char. A new feature in
2.4 is to allow sites/affiliations to have control on some settings
such as timeouts, inuse checks, etc.

Note the root and administrator accounts are randomized 15 char
strings at load time.

Aaron

On Mon, Nov 10, 2014 at 12:08 PM, Mark Gardner <mk...@vt.edu> wrote:
> I have seen suggestions that passwords below a length of 12 should be
> considered vulnerable. Should we increase the length of passwords further?
>
> Mark
>
> On Mon, Nov 10, 2014 at 10:02 AM, Aaron Peeler <aa...@ncsu.edu>
> wrote:
>>
>> Charles,
>>
>> This is a good request and can easily be done. Can you create a jira
>> issue for this? I'll fix it for the next release.
>> https://issues.apache.org/jira/browse/VCL
>>
>> There is a routine in utils.pm (getpw) that is set to default to 6 if
>> no length is provided.
>>
>> Thanks,
>> Aaron
>>
>> On Sun, Nov 9, 2014 at 12:03 AM, Charles Roger SIMEU <cr...@yahoo.fr>
>> wrote:
>> > Hello,
>> >
>> > In image capture that I have tested, passwords are only 6 characters
>> > long. Can the code be modified in the next release to increase it to 8
>> > characters and also satisfy other password complexity requirements (to include
>> > numbers and special characters)?
>> >
>> > Regards
>> >
>> > Charles Roger Simeu
>> >
>> > Montréal (Québec)
>> >
>> >
>>
>>
>>
>> --
>> Aaron Peeler
>> Program Manager
>> Virtual Computing Lab
>> NC State University
>>
>> All electronic mail messages in connection with State business which
>> are sent to or received by this account are subject to the NC Public
>> Records Law and may be disclosed to third parties.
>
>
>
>
> --
> Mark Gardner
> --



-- 
Aaron Peeler
Program Manager
Virtual Computing Lab
NC State University

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.

Re: Password complexity

Posted by Mark Gardner <mk...@vt.edu>.
I have seen suggestions that passwords below a length of 12 should be
considered vulnerable. Should we increase the length of passwords further?

Mark

On Mon, Nov 10, 2014 at 10:02 AM, Aaron Peeler <aa...@ncsu.edu>
wrote:

> Charles,
>
> This is a good request and can easily be done. Can you create a jira
> issue for this? I'll fix it for the next release.
> https://issues.apache.org/jira/browse/VCL
>
> There is a routine in utils.pm (getpw) that is set to default to 6 if
> no length is provided.
>
> Thanks,
> Aaron
>
> On Sun, Nov 9, 2014 at 12:03 AM, Charles Roger SIMEU <cr...@yahoo.fr>
> wrote:
> > Hello,
> >
> > In image capture that I have tested, passwords are only 6 characters
> > long. Can the code be modified in the next release to increase it to 8
> > characters and also satisfy other password complexity requirements (to include
> > numbers and special characters)?
> >
> > Regards
> >
> > Charles Roger Simeu
> >
> > Montréal (Québec)
> >
> >
>
>
>
> --
> Aaron Peeler
> Program Manager
> Virtual Computing Lab
> NC State University
>
> All electronic mail messages in connection with State business which
> are sent to or received by this account are subject to the NC Public
> Records Law and may be disclosed to third parties.
>



-- 
Mark Gardner
--

Re: Password complexity

Posted by Aaron Peeler <aa...@ncsu.edu>.
Actually, it's not that complicated and it can also be modified.

The passwd gets randomized from an array of chars.
The current one is:
my @a = ("A" .. "H", "J" .. "N", "P" .. "Z", "a" .. "k", "m" .. "z",
"2" .. "9");

We can just modify it to exclude other chars.

Let me know which ones need to be removed.

0, 1, l (lc L), I (uc i) are already excluded.

We can pull out O, Z, 2. Any others?

Aaron




On Mon, Nov 10, 2014 at 10:15 AM, Henry Schaffer <he...@ncsu.edu> wrote:
> I'd like to make this a bit more complicated - it would be helpful to
> avoid including characters which are easily confused, e.g. l and 1, 0
> and O, perhaps even 2 and Z, and , and . This is more important in our
> context than with usual passwords because this password must be copied
> from seeing it to entering it.
>
> --henry schaffer
>
> On Mon, Nov 10, 2014 at 10:02 AM, Aaron Peeler <aa...@ncsu.edu> wrote:
>> Charles,
>>
>> This is a good request and can easily be done. Can you create a jira
>> issue for this? I'll fix it for the next release.
>> https://issues.apache.org/jira/browse/VCL
>>
>> There is a routine in utils.pm (getpw) that is set to default to 6 if
>> no length is provided.
>>
>> Thanks,
>> Aaron
>>
>> On Sun, Nov 9, 2014 at 12:03 AM, Charles Roger SIMEU <cr...@yahoo.fr> wrote:
>>> Hello,
>>>
>>> In image capture that I have tested, passwords are only 6 characters long. Can the code be modified in the next release to increase it to 8 characters and also satisfy other password complexity requirements (to include numbers and special characters)?
>>>
>>> Regards
>>>
>>> Charles Roger Simeu
>>>
>>> Montréal (Québec)
>>>
>>>
>>
>>
>>
>> --
>> Aaron Peeler
>> Program Manager
>> Virtual Computing Lab
>> NC State University
>>
>> All electronic mail messages in connection with State business which
>> are sent to or received by this account are subject to the NC Public
>> Records Law and may be disclosed to third parties.



-- 
Aaron Peeler
Program Manager
Virtual Computing Lab
NC State University

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
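
Added example, not part of the original thread and not VCL's own code: a Perl sketch of a generator built on the character array quoted above, with a site-configurable length and further look-alike characters removed, plus the entropy that each length mentioned in the thread (6, 8, 12, 15) gives. The variable name user_password_length, the helper names and the use of /dev/urandom as the random source are assumptions; the thread does not show how getpw picks characters.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Character set quoted in the thread (0, 1, l and I are absent).
my @base = ("A" .. "H", "J" .. "N", "P" .. "Z", "a" .. "k", "m" .. "z", "2" .. "9");

# Hypothetical stand-in for a per-site setting read from the variable table.
my %site_variable = (user_password_length => 8);
my $DEFAULT_LENGTH = 6;    # the default the thread says getpw uses when no length is given

# Drop further look-alike characters from the set (e.g. Z and 2).
sub charset_without {
    my ($exclude, @chars) = @_;
    my %drop = map { $_ => 1 } split //, $exclude;
    return grep { !$drop{$_} } @chars;
}

# Uniform index in [0, $n) from /dev/urandom; rejection sampling avoids modulo bias.
sub random_index {
    my ($fh, $n) = @_;
    my $limit = 256 - (256 % $n);
    while (1) {
        my $got = read($fh, my $byte, 1);
        die "short read from /dev/urandom\n" unless defined $got && $got == 1;
        my $v = ord($byte);
        return $v % $n if $v < $limit;
    }
}

# Build a password; fall back to the default when the site value is unset or invalid.
sub generate_password {
    my ($length, @chars) = @_;
    $length = $DEFAULT_LENGTH
        unless defined $length && $length =~ /^\d+$/ && $length > 0;
    die "character set must have 2..256 entries\n" if @chars < 2 || @chars > 256;
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!\n";
    my $pw = join '', map { $chars[ random_index($fh, scalar @chars) ] } 1 .. $length;
    close($fh);
    return $pw;
}

# Bits of entropy for a uniformly random password of this length and set size.
sub entropy_bits {
    my ($length, $set_size) = @_;
    return $length * log($set_size) / log(2);
}

my @chars = charset_without("Z2", @base);
printf "set size: %d (was %d)\n", scalar @chars, scalar @base;
printf "length %2d: %.1f bits\n", $_, entropy_bits($_, scalar @chars) for (6, 8, 12, 15);
print "sample: ", generate_password($site_variable{user_password_length}, @chars), "\n";
```

Removing a few confusable characters costs only a fraction of a bit per character, while each added character contributes the full log2 of the set size, so length dominates the trade-off between readability and strength.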

Re: Password complexity

Posted by Henry Schaffer <he...@ncsu.edu>.
I'd like to make this a bit more complicated - it would be helpful to
avoid including characters which are easily confused, e.g. l and 1, 0
and O, perhaps even 2 and Z, and , and . This is more important in our
context than with usual passwords because this password must be copied
from seeing it to entering it.

--henry schaffer

On Mon, Nov 10, 2014 at 10:02 AM, Aaron Peeler <aa...@ncsu.edu> wrote:
> Charles,
>
> This is a good request and can easily be done. Can you create a jira
> issue for this? I'll fix it for the next release.
> https://issues.apache.org/jira/browse/VCL
>
> There is a routine in utils.pm (getpw) that is set to default to 6 if
> no length is provided.
>
> Thanks,
> Aaron
>
> On Sun, Nov 9, 2014 at 12:03 AM, Charles Roger SIMEU <cr...@yahoo.fr> wrote:
>> Hello,
>>
>> In image capture that I have tested, passwords are only 6 characters long. Can the code be modified in the next release to increase it to 8 characters and also satisfy other password complexity requirements (to include numbers and special characters)?
>>
>> Regards
>>
>> Charles Roger Simeu
>>
>> Montréal (Québec)
>>
>>
>
>
>
> --
> Aaron Peeler
> Program Manager
> Virtual Computing Lab
> NC State University
>
> All electronic mail messages in connection with State business which
> are sent to or received by this account are subject to the NC Public
> Records Law and may be disclosed to third parties.
