[asterisk-bugs] [Asterisk 0014495]: [patch] Enforce password strengths

Asterisk Bug Tracker noreply at bugs.digium.com
Wed Feb 18 11:50:17 CST 2009


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=14495 
====================================================================== 
Reported By:                Corydon76
Assigned To:                jsmith
====================================================================== 
Project:                    Asterisk
Issue ID:                   14495
Category:                   Channels/chan_sip/General
Reproducibility:            N/A
Severity:                   feature
Priority:                   normal
Status:                     assigned
Asterisk Version:           SVN 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2009-02-17 16:54 CST
Last Modified:              2009-02-18 11:50 CST
====================================================================== 
Summary:                    [patch] Enforce password strengths
Description: 
[11:23:31] <Shaun2222> jsmith: the problem is that these newbies are going
to also set weak passwords
[11:24:15] <Shaun2222> that option these days should be "yes" by default.
[11:24:35] <jsmith> Shaun2222: We can't protect people from themselves...
at some point, they should be responsible for their own choices.
[11:24:36] <Shaun2222> security is far more important than some newbie
trying to figure out what he did wrong.
[11:25:09] <jsmith> Shaun2222: That's not to say security isn't
important... I'm just saying there's only so much we can do to prevent them
from being insecure in their choices.
[11:25:39] <Corydon76-dig> You mean like ALL NUMERIC PASSWORDS?
[11:26:17] <Corydon76-dig> All numeric usernames aren't much better.
[11:26:29] <Shaun2222> jsmith: something like that needs to be on by
default. if a newbie can't figure out what's wrong with their sip phone
then he can enable that option.
[11:27:04]  Corydon76-dig thinks we should have an option called
"enablenumericpasswords" and the default should be "no"
[11:27:20] <Shaun2222> so.. how can we get this option enabled by
default.. do I need to submit a bug or something?
[11:27:42] <Corydon76-dig> Shaun2222: honestly, it would only be changed
in unreleased branches
[11:28:02] <Corydon76-dig> Changing defaults in the middle of a release
cycle is bad, mmmkay?
[11:28:18] <Corydon76-dig> so maybe 1.6.1
[11:28:20] <Shaun2222> Corydon76-dig: might as well make the change now
for the new installs....
[11:28:39] <Shaun2222> next release would have the change, as people
upgrade, it will be enabled.
[11:28:50] <Shaun2222> if they are already authing ok, it shouldn't affect
them
[11:29:09] <jsmith> Shaun2222: When people upgrade, they often don't start
from a new config file... they typically just copy over their old config
[11:29:34] <Shaun2222> jsmith: exactly why that should default to "yes" so
the option is enabled automatically.
[11:29:39] <jsmith> Corydon76-dig: I do like the idea of the
enablenumericpasswords setting.
[11:30:10] <jsmith> Corydon76-dig: Or even better, make it
"enableweakpasswords" and do some more sanity checking than just "is it
numeric and less than X digits long"
[11:31:05] <Corydon76-dig> jsmith: at least one capital letter, one
lowercase letter, a number, and a symbol... and no less than 8 characters
long
[11:31:22] <jsmith> WORKSFORME
====================================================================== 

---------------------------------------------------------------------- 
 (0100316) lazytt (reporter) - 2009-02-18 11:50
 http://bugs.digium.com/view.php?id=14495#c100316 
---------------------------------------------------------------------- 
<@jsmith> hi365: Regexes aren't ideal... just write out the rules you think
we should use in plain English in comments on that bug, and we'll figure
out the best way to code them

hmm:
1. Min-max amount of characters (totals)
2. min amount of digits
3. min amount of alphanumeric [a-zA-Z]
4. min amount of special characters (depending on asterisk level of
support for them i.e. !@#$%^&*()_+=-) 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-02-18 11:50 lazytt         Note Added: 0100316                          
======================================================================
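
Added example, not code from the Asterisk project or from this issue: one way to express the four counting rules in the note above, plus the mixed-case requirement proposed in the chat, as a single-pass check in C. The struct, enum and function names, the maximum length of 64, and treating every printable ASCII punctuation character as "special" are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy struct; field names are illustrative, not Asterisk options. */
struct pw_policy {
    size_t min_len, max_len;  /* rule 1: total length bounds */
    size_t min_digits;        /* rule 2 */
    size_t min_letters;       /* rule 3: [a-zA-Z] */
    size_t min_special;       /* rule 4: printable ASCII punctuation (assumption) */
    int mixed_case;           /* chat proposal: at least one upper and one lower */
};

enum pw_result { PW_OK, PW_BADCHAR, PW_LENGTH, PW_DIGITS, PW_LETTERS, PW_CASE, PW_SPECIAL };

/* The rule set proposed in the chat; max_len of 64 is an assumption. */
static const struct pw_policy chat_policy = { 8, 64, 1, 2, 1, 1 };

/* Classify every byte once, then compare the counts against the policy. */
enum pw_result pw_check(const struct pw_policy *p, const char *pw)
{
    size_t len = strlen(pw), digits = 0, upper = 0, lower = 0, special = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (c >= '0' && c <= '9') digits++;
        else if (c >= 'A' && c <= 'Z') upper++;
        else if (c >= 'a' && c <= 'z') lower++;
        else if (c > ' ' && c < 0x7f) special++;
        else return PW_BADCHAR;  /* space, control byte or non-ASCII */
    }
    if (len < p->min_len || len > p->max_len) return PW_LENGTH;
    if (digits < p->min_digits) return PW_DIGITS;
    if (upper + lower < p->min_letters) return PW_LETTERS;
    if (p->mixed_case && (upper == 0 || lower == 0)) return PW_CASE;
    if (special < p->min_special) return PW_SPECIAL;
    return PW_OK;
}

int main(void)
{
    /* Constructed sample secrets, not taken from any real configuration. */
    const char *samples[] = { "1234", "12345678", "abcdefg1!", "Abcdefg1", "Abcdef1!" };
    static const char *names[] = { "ok", "bad character", "length", "digits",
                                   "letters", "mixed case", "special" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-10s -> %s\n", samples[i], names[pw_check(&chat_policy, samples[i])]);
    return 0;
}
```

Returning the first failed rule rather than a plain yes/no lets a config loader log which requirement a secret missed without echoing the secret itself.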



