  1. #1
    Join Date
    Mar 2008
    Posts
    21

    Check for weak passwords

    hi!

    i just noticed that it is possible to set weak passwords via the web ui of open-xchange: configuration -> user -> password. is it possible to configure this / enable at least a simple password length check here?

    our server stores password hashes in the mysql db and has pam/cyrus set up to authenticate against that.

    thanks,

    guenter

  2. #2
    Carsten Hoeger is offline Open-Xchange Professional Services
    Join Date
    Mar 2007
    Posts
    703

    I'd recommend using the imap server to authenticate instead of our database.
    Just deinstall authentication-database and replace it with authentication-imap.
    And deinstall the passwordchange package.
    OXpedia.org - the answer to almost all questions.

  3. #3
    Join Date
    Mar 2008
    Posts
    21

    Quote, originally posted by Carsten Hoeger:
    I'd recommend using the imap server to authenticate instead of our database.
    Just deinstall authentication-database and replace it with authentication-imap.
    And deinstall the passwordchange package.

    but if i deinstall the passwordchange package wouldn't that prevent users from changing their passwords using the web interface?

  4. #4
    Carsten Hoeger is offline Open-Xchange Professional Services
    Join Date
    Mar 2007
    Posts
    703

    Yes, of course. If you are using imapauth instead of db, the passwordchange is useless, anyway, as it cannot change the imap server's password.
    OXpedia.org - the answer to almost all questions.

  5. #5
    Join Date
    Mar 2008
    Posts
    21

    Quote, originally posted by Carsten Hoeger:
    Yes, of course. If you are using imapauth instead of db, the passwordchange is useless, anyway, as it cannot change the imap server's password.

    *g* - ok, now that is actually the exact opposite from what i had in mind - i wanted to fix the password change menu option, not remove it completely.

    we're currently considering running john the ripper in the background to detect weak passwords, but warning the user right away would be a better solution from a user experience point of view, of course.

  6. #6
    Join Date
    Feb 2007
    Location
    Germany
    Posts
    3,695

    Hi,

    well you could customize the passwordchange UI plugin and add some text to the password change plugin site, but I think without customization of the serverside plugin it won't be possible to implement a password check.
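
The kind of server-side check the last post refers to, run at password-change time so the user is told right away instead of after a background cracking run. This is an added example, not Open-Xchange code and not part of any post; the function names, the minimum length and the small word list are assumptions.

```python
import re

MIN_LENGTH = 10  # assumed policy value, not taken from the thread

# Constructed sample list; a deployment would load a large wordlist from disk.
COMMON_PASSWORDS = {"password", "letmein", "qwertz", "welcome", "openxchange"}

# Undo common character substitutions so "P@ssw0rd" compares as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(candidate):
    """Lowercase, strip leading/trailing digits and symbols, undo substitutions."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", candidate.lower())
    return stripped.translate(LEET)


def weak_password_reasons(login, candidate):
    """Return the reasons a new password is rejected; an empty list means accept.

    Must run on the server before the new hash is written: a check that only
    exists in the web UI is bypassed by any client that talks to the server
    directly.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if normalise(candidate) in COMMON_PASSWORDS:
        reasons.append("based on a common password")
    # Compare against the local part so "user@domain" logins are covered too.
    local_part = login.split("@", 1)[0].lower()
    if len(local_part) >= 3 and local_part in candidate.lower():
        reasons.append("contains the login name")
    if candidate and len(set(candidate)) <= 2:
        reasons.append("too few distinct characters")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("abc", "P@ssw0rd2008", "Guenter-2008!", "correct horse battery staple"):
        print(repr(pw), weak_password_reasons("guenter", pw) or "accepted")
```

The returned reasons can be shown to the user in the password change dialog, while the candidate password itself is never logged.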
