Password quality enforcement?

Hi,
is there any way to set password quality enforcement better than its
minimal length ($MinimumPasswordLength)?
I mean something like
CrackLib download | SourceForge.net
http://www.openwall.com/passwdqc/
or so.

Has anyone tried John The Ripper successfully with RT password hashes?
Zito

Hi,
is there any way to set password quality enforcement better than its
minimal length ($MinimumPasswordLength)?

There is a BeforeUpdate callback in
share/html/Admin/Users/Modify.html. Without looking deeper at the code
I don’t know if that will also catch “new” user creation.

You’d have to write a little bit of code and put it in the callback
and fail accordingly if the password didn’t meet your requirements.

I mean something like
CrackLib download | SourceForge.net
passwdqc - password/passphrase strength checking and policy enforcement toolset for your servers and software
or so.

Has anyone tried John The Ripper successfully with RT password hashes?

We use an SSO in front of RT - so no need to have local hashes.

-m

Hi,
is there any way to set password quality enforcement better than its
minimal length ($MinimumPasswordLength)?

There is a BeforeUpdate callback in
share/html/Admin/Users/Modify.html. Without looking deeper at the code
I don’t know if that will also catch “new” user creation.

You’d have to write a little bit of code and put it in the callback
and fail accordingly if the password didn’t meet your requirements.

Uhm. It seems better to me to include this in RT::User::ValidatePassword.
I tried this just now and it seems to be OK (RT version 4.2.11).
I made a copy of lib/RT/User.pm as local/lib/RT/User.pm and patched it:

commit 96c1079c7efcda70cb0467e5a331c29b6a4a5305
Author: Vaclav Ovsik vaclav.ovsik@i.cz

hack ValidatePassword 2/2: cracklib test

diff --git a/local/lib/RT/User.pm b/local/lib/RT/User.pm
index e65478d…627ce75 100644
— a/local/lib/RT/User.pm
+++ b/local/lib/RT/User.pm
@@ -304,6 +304,11 @@ sub ValidatePassword {
return ( 0, $self->loc(“Password needs to be at least [quant,_1,character,characters] long”, RT->Config->Get(‘MinimumPasswordLength’)) );
}

  • require Crypt::Cracklib;
  • if ( ! Crypt::Cracklib::check($password) ) {
  •    return ( 0, $self->loc("Password is too weak (cracklib test)") );
    
  • }
    return 1;
    }
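Review bot: the `require Crypt::Cracklib;` inside ValidatePassword means that on a host where the module is not installed, the first password set or change dies with a module load error instead of the clean `(0, message)` failure the rest of the sub returns. Move the require to the top of the file, or wrap it as `eval { require Crypt::Cracklib; 1 }` and return an explicit `( 0, $self->loc(...) )` when it is absent, so the policy fails closed with a readable message rather than a server error.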

This is very simple (it requires the perl CPAN module Crypt::Cracklib). Can it
be a feature request? :)

I mean something like
CrackLib download | SourceForge.net
passwdqc - password/passphrase strength checking and policy enforcement toolset for your servers and software
or so.

Has anyone tried John The Ripper successfully with RT password hashes?

We use an SSO in front of RT - so no need to have local hashes.

We have the RT user database standalone.

The above test using Cracklib is not an ideal solution, as I’m now running
John The Ripper and many people use modified user names as passwords.
I’m using J.T.R. for generating the password lists and then test them one
by one for every enabled user with RT::User->IsPassword().
It is very slow for bcrypt hashes.
Cheers

Zito

Hey! On Wed, Jul 22, 2015 at 8:23 AM, Václav Ovsík vaclav.ovsik@i.cz wrote:

Uhm. It seems better to me to include this in RT::User::ValidatePassword.
I tried this just now and it seems to be OK (RT version 4.2.11).
I made a copy of lib/RT/User.pm as local/lib/RT/User.pm and patched it:

commit 96c1079c7efcda70cb0467e5a331c29b6a4a5305
Author: Vaclav Ovsik vaclav.ovsik@i.cz
Date: Wed Jul 22 14:26:35 2015 +0200

hack ValidatePassword 2/2: cracklib test

diff --git a/local/lib/RT/User.pm b/local/lib/RT/User.pm
index e65478d…627ce75 100644
— a/local/lib/RT/User.pm
+++ b/local/lib/RT/User.pm
@@ -304,6 +304,11 @@ sub ValidatePassword {
return ( 0, $self->loc(“Password needs to be at least [quant,_1,character,characters] long”, RT->Config->Get(‘MinimumPasswordLength’)) );
}

  • require Crypt::Cracklib;
  • if ( ! Crypt::Cracklib::check($password) ) {
  •    return ( 0, $self->loc("Password is too weak (cracklib test)") );
    
  • }
  • return 1;
    }
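Review bot: Crypt::Cracklib::check($password) receives only the password, so this hunk cannot reject passwords derived from the account name, which is exactly the weakness the follow-up message reports finding with John The Ripper. Add a separate case-insensitive check against $self->Name (and its reverse) alongside the cracklib call, since the dictionary test has no knowledge of the user.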

This is very simple (it requires the perl CPAN module Crypt::Cracklib). Can it
be a feature request? :)

I don’t know about that. Just a comment on your implementation:

You don’t need to copy the whole file. You can overlay just the
subroutine you’d like:

package RT::Site::YourOrg;

# any customizations you'd like

# Switch namespace to redefine ValidatePassword
package RT::User;

use strict;
no warnings qw(redefine);

sub ValidatePassword {
    # blah
}

1;

Then make sure your module is loaded in your SiteConfig:

Plugin('RT::Site::YourOrg');

-m
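As an added example (not code from this thread, from RT, or from Crypt::Cracklib) tying the overlay approach above to the cracklib patch earlier in the thread: an overlay module in the shape -m describes that keeps the stock length check, rejects the user-name-derived passwords Zito mentions, and fails closed if Crypt::Cracklib is missing. It assumes the module lives in local/lib and is loaded via Plugin() as described; the package name RT::Site::YourOrg and the loc strings are placeholders.

```perl
package RT::Site::YourOrg;    # hypothetical name, as in the reply above

use strict;
use warnings;
use RT::User;    # already loaded by RT before plugins run; harmless here

# Capture the stock ValidatePassword at compile time, before the named
# sub below replaces it (a runtime capture would grab our own override).
my $orig_validate;
BEGIN { $orig_validate = \&RT::User::ValidatePassword }

# Switch namespace to redefine ValidatePassword
package RT::User;
use strict;
no warnings qw(redefine);

sub ValidatePassword {
    my $self     = shift;
    my $password = shift;
    # Stock checks first (MinimumPasswordLength and friends).
    my ( $ok, $msg ) = $orig_validate->( $self, $password );
    return ( 0, $msg ) unless $ok;

    # Reject passwords built from the account name, forwards or reversed;
    # cracklib never sees the user name, so it cannot catch these.  During
    # Create the object is not loaded yet and Name is undef, so this is skipped.
    my $lc_pw  = lc $password;
    my @tokens = grep { length($_) >= 3 }
                 map { split /\s+/ } grep { defined } $self->Name, $self->RealName;
    for my $t (@tokens) {
        my $lc = lc $t;
        if ( index( $lc_pw, $lc ) >= 0 || index( $lc_pw, scalar reverse $lc ) >= 0 ) {
            return ( 0, $self->loc("Password must not contain your user name") );
        }
    }
    # Dictionary check via cracklib.  Fail closed if the module is missing,
    # so a deployment mistake cannot silently switch the policy off.
    unless ( eval { require Crypt::Cracklib; 1 } ) {
        RT->Logger->error("Crypt::Cracklib unavailable, rejecting password: $@");
        return ( 0, $self->loc("Password strength check is unavailable; contact an administrator") );
    }
    unless ( Crypt::Cracklib::check($password) ) {
        return ( 0, $self->loc("Password is too weak (cracklib test)") );
    }
    return 1;
}

1;
```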