[sork] password string length

Eric Rostetter eric.rostetter@physics.utexas.edu
Sun, 7 Jul 2002 07:17:31 -0500


Quoting Erik Slooff <erik@slooff.com>:

> Hi,
> 
> I was wondering if it's a good idea to have 2 variables defined per server in
> passwd/config/conf.php for password length control. E.g. min_password_length
> and max_password_length added to the $conf['server']['......'] arrays.

Ah jeez... What a can of worms...  

My first reaction is to say no;  this should be a site policy, not a machine
policy.  Of course, this may fall down in the case of ISP services and what
have you that have different realms for different sites...

It is indeed possible to do this realm by realm.  But should we?  It would
make things even more difficult to configure and document, for little gain.

> I got a 500 error from poppassd in horde and I also saw some syslog errors
> from PAM which at first I couldn't understand. It appeared that in
> /etc/login.defs max password length was set to 8 chars and the new password
> string I had entered was longer.

Yes, poppassd return messages are not always useful...

> To prevent this you could show a message in the password change screen that 
> shows what the min and max length should be (and maybe even adjust the field
> length in the form?).

Sounds reasonable to try this.  At least adjusting the input field width
(which I think someone else mentioned before).  I'll look into this.

> Just my 2 cts,
> 
> Bye
> 
> Erik

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

"TAD (Technology Attachment Disorder) is an unshakable, impractical devotion
to a brand, platform, product line, or programming language. It's relatively
harmless among the rank and file, but when management is afflicted the damage
can be measured in dollars. It's also contagious -- someone with sufficient
political clout can infect an entire organization."

--"Enterprise Strategies" columnist Tom Yager.
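
The length check and form field discussed in this thread, sketched as an added example that is not part of the original message or of the passwd module's code. The key names min_password_length and max_password_length come from the proposal above; the 'default' entry used as the site-wide policy, the 'mail1' server, the field name and all function names are assumptions.

```php
<?php
// Constructed sample config: a site-wide policy plus one backend whose
// limit is lower (the 8-character case described in the thread).
$conf['server']['default'] = ['min_password_length' => 6, 'max_password_length' => 64];
$conf['server']['mail1']   = ['name' => 'mail1 (poppassd)', 'max_password_length' => 8];

// Resolve the limits for one server: per-server values override the
// site policy, and an inconsistent pair is rejected at configuration
// time instead of surfacing later as a backend error.
function password_limits(array $conf, string $server): array
{
    $site = $conf['server']['default'];
    $own  = $conf['server'][$server] ?? [];
    $min  = (int) ($own['min_password_length'] ?? $site['min_password_length']);
    $max  = (int) ($own['max_password_length'] ?? $site['max_password_length']);
    if ($min < 1 || $max < $min) {
        throw new InvalidArgumentException("Bad password length limits for $server");
    }
    return [$min, $max];
}

// Server-side check, run before the new password is handed to the
// backend. Returns null when acceptable, otherwise a message for the user.
function check_new_password(array $conf, string $server, string $password): ?string
{
    [$min, $max] = password_limits($conf, $server);
    $len = strlen($password); // byte length, which is what the backend receives
    if ($len < $min) {
        return "The new password must be at least $min characters long.";
    }
    if ($len > $max) {
        return "The new password must be at most $max characters long.";
    }
    return null;
}

// Form field sized to the same limits. maxlength is a convenience for
// the user only; a client can ignore it, so check_new_password() stays
// the authoritative check.
function password_field(array $conf, string $server): string
{
    [, $max] = password_limits($conf, $server);
    return sprintf('<input type="password" name="newpassword" size="%d" maxlength="%d">',
                   min($max, 32), $max);
}

var_dump(check_new_password($conf, 'mail1', 'correct-horse'));
echo password_field($conf, 'mail1'), "\n";
```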