Check for weak passwords


  • Check for weak passwords

    hi!

    i just noticed that it is possible to set weak passwords via the web ui of open-xchange: configuration -> user -> password. is it possible to configure this / enable at least a simple password length check here?

    our server stores password hashes in the mysql db and has pam/cyrus set up to authenticate against that.

    thanks,

    guenter

  • #2
    I'd recommend to use the imap server to authenticate instead of our database.
    Just deinstall authentication-database and replace it with authentication-imap.
    And deinstall the passwordchange package.



    • #3
      Originally posted by Carsten Hoeger:
      I'd recommend to use the imap server to authenticate instead of our database.
      Just deinstall authentication-database and replace it with authentication-imap.
      And deinstall the passwordchange package.

      but if i deinstall the passwordchange package wouldn't that prevent users from changing their passwords using the web interface?



      • #4
        Yes, of course. If you are using imapauth instead of db, the passwordchange is useless, anyway, as it cannot change the imap server's password.



        • #5
          Originally posted by Carsten Hoeger:
          Yes, of course. If you are using imapauth instead of db, the passwordchange is useless, anyway, as it cannot change the imap server's password.

          *g* - ok, now that is actually the exact opposite from what i had in mind - i wanted to fix the password change menu option, not remove it completely.

          we're currently considering running john the ripper in the background to detect weak passwords, but warning the user right away would be a better solution from a user experience point of view, of course.



          • #6
            Hi,

            well, you could customize the passwordchange UI plugin and add some text to the password change plugin site, but I think without customization of the serverside plugin it won't be possible to implement a password check.
