[Kolab-devel] [issue3025] Security check for Passwords

Albrecht Dreß kolab-issues at intevation.de
Wed Sep 3 09:03:25 CEST 2008


New submission from Albrecht Dreß <albrecht.dress at lios-tech.com>:

Currently, there is no check performed in the Kolab admin Web UI if the
passwords entered by the administrator or the user fulfil basic strength
requirements.  This is a security risk (thus a bug) and violates the
requirements set by the German Bundesamt für Sicherheit in der
Informationstechnik (BSI, <http://www.bsi.bund.de>).  The relevant standard
seems to be available in German only:
<http://www.bsi.bund.de/gshb/deutsch/m/m02011.htm>; there is also a HUGE pdf
containing everything in English.  I believe you will find similar requirements
elsewhere, though.

In issue <https://www.intevation.de/roundup/kolab/issue2997>, I presented a
method (including a tiny C source code) to check passwords using the standard
"cracklib" library.  I suggest making this check mandatory by default, and giving
administrators the option to switch it off if it's really not needed.

As an alternative, the method used by Horde might be used, but it has the
drawback that it doesn't check for dictionary words like Cracklib (which should
therefore be the preferred method).

----------
messages: 16470
nosy: albrecht.dress, rbos
priority: bug
status: unread
title: Security check for Passwords
___________________________________________________
Kolab issue tracker <kolab-issues at intevation.de>
<https://www.intevation.de/roundup/kolab/issue3025>
___________________________________________________
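An added illustration of the difference argued in this report (example code, not from the issue or from Kolab): a Horde-style character-class check next to a cracklib-style dictionary check, plus the admin opt-out the submitter proposes. The word list, the substitution table and all function names are constructed; a deployment would call cracklib itself instead of the stand-in dictionary.

```python
import re
from typing import Optional

# Constructed stand-in word list; cracklib consults the system dictionary instead.
WORDLIST = {"password", "kolab", "secret", "welcome", "letmein"}
MIN_LENGTH = 8
# Digit/symbol substitutions undone before the dictionary lookup (constructed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def class_check(password: str) -> bool:
    """Horde-style test: at least three of lower, upper, digit, symbol; no dictionary."""
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return classes >= 3


def dictionary_check(password: str) -> Optional[str]:
    """cracklib-style test: reject a password built from a (reversed or leet-spelled) word."""
    lowered = password.lower()
    for variant in (lowered, lowered.translate(LEET)):
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", variant)  # drop leading/trailing digits and symbols
        if core in WORDLIST or core[::-1] in WORDLIST:
            return "it is based on a dictionary word"
    return None


def check_password(password: str, enforce: bool = True) -> tuple:
    """Return (accepted, problems). enforce=False is the admin opt-out: report, but accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("it is too short")
    if not class_check(password):
        problems.append("it does not mix enough character classes")
    reason = dictionary_check(password)
    if reason:
        problems.append(reason)
    return (not problems or not enforce, problems)


if __name__ == "__main__":
    # "Password1!" and "P@ssw0rd" satisfy the class test but fail the dictionary test.
    for pw in ("Password1!", "P@ssw0rd", "balok2008", "Tr0ub4dor&3"):
        print(pw, check_password(pw))
```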