Hello OpenVAS Users,

With the upcoming OpenVAS-6 we support password policies for the OpenVAS users,
like "password needs at least 4 characters and must contain a number".

See the attached password policy sample file (located in
openvas-administrator/doc/). It illustrates what is possible.

Question: Should OpenVAS install a password policy by default and, if yes, what
should it look like?

Best
Jan
--
Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
# pwpolicy.conf -*- coding: utf-8 -*-
#
# This is an example for a pattern file used to validate passwords.
# Passwords matching an entry in this file are considered weak and
# will be rejected.
#
# The file is line based with comment lines beginning on the *first*
# position with a '#' and followed by at least one white space. Empty
# lines and lines with only white space are ignored. The other lines
# may either be verbatim patterns and match as they are (trailing
# spaces are ignored) or Perl compatible regular expressions (pcre)
# indicated by a '/' in the first column and terminated by another '/'
# or end of line. To reverse the meaning of a regular expression
# prefix it with an exclamation mark like this:
#
# !/^.{6,}$/
#
# This will reject a passphrase with less than 6 characters. All
# comparisons are case insensitive; utf-8 encoding must be used. A
# few processing instructions are supported:
#
# #+desc[:] A string describing the next pattern
#
# This is used to return meaningful error messages. To end a group of
# patterns with the same description either a new "#+desc:" line may be
# used or the instruction:
#
# #+nodesc
#
# To include a list of simple patterns use:
#
# #+search[:] FILENAME
#
# Note that this is a simple linear search and stops at the first
# match. Comments are not allowed in that file. A line in the
# dictionary may not be longer than 255 characters.
#
# To perform checks on the username/password combination, you should
# use:
#
# #+username
#
# Currently this checks whether the user name matches or is included in
# the password. It may eventually be extended to further tests.
# Let's start with a simple test
#+desc: Too short (at least 8 characters are required)
!/^.{8,}$/
# Check that the user name does not match the password.
# (The desc string is not used here.)
#+username
#+desc: Only digits
/^[[:digit:]]+$/
#+desc: Not a mix of letters, digits and punctuation characters
!/[[:alpha:]]+/
!/[[:digit:]]+/
!/[[:punct:]]+/
#+desc: No mixed case
!/(?-i)([[:lower:]]+.*[[:upper:]]+)|([[:upper:]]+.*[[:lower:]]+)/
#+desc: Date string
# A limited check for ISO date strings
/^[012][0-9]{3}-?[012][0-9]-?[0123][0-9]$/
# Reject the usual metavariables.
#+desc: Meta variable
foo
bar
baz
#+desc: Common test password
password
passwort
passphrase
mantra
test
abc
egal
# Arbitrary strings
#+nodesc
12345678
87654321
qwerty
qwertyuiop
asdfghjkl
zxcvbnm
qwertzuiop
yxcvbnm
no-password
no password
#+desc: Test string used by RTTY hams
the quick brown fox jumps over the lazy dogs back
#+desc: German number plate
/^[A-Z]{1,3}\s*-\s*[A-Z]{1,2}\s*[0-9]+$/
#+desc: Dictionary word
#+search: /usr/share/dict/words
# Note that searching a large dictionary may take some time; it might
# be better to use an offline password auditing tool instead.
# end of policy file
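To make the file format above concrete, here is an added example, written for this reply and not code from openvas-administrator, of a checker for pwpolicy.conf in Go. It parses verbatim patterns (trailing spaces ignored), /regex/ and !/regex/ entries, and the #+desc, #+nodesc, #+username and #+search instructions, then reports the description of the first rule a password trips. Go's regexp package accepts the POSIX classes and the (?-i) flag used in the sample file unchanged, so the expressions can be compiled as they are with a (?i) prefix for the case-insensitive comparison the header requires. Assumptions not taken from the file: the wording of the message for the #+username check (the file has no desc for it), that an unknown #+ instruction is ignored, that #+search turns each dictionary word into a verbatim pattern searched in file order, and the constructed policy subset and word list embedded below.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Rule struct {
	Desc     string         // message returned when this rule rejects a password
	Lit      string         // verbatim pattern, compared case-insensitively
	Re       *regexp.Regexp // regular expression, compiled with a (?i) prefix
	Negate   bool           // "!" prefix: reject when the expression does NOT match
	Username bool           // "#+username": reject when the user name is part of the password
}

// ParsePolicy reads the pwpolicy.conf format; dict loads the word list named by "#+search:".
func ParsePolicy(text string, dict func(path string) ([]string, error)) ([]Rule, error) {
	rules, desc := []Rule{}, ""
	for i, raw := range strings.Split(text, "\n") {
		n, line := i+1, strings.TrimRight(raw, " \t\r") // trailing spaces are ignored
		switch {
		case line == "" || line == "#" || strings.HasPrefix(line, "# ") || strings.HasPrefix(line, "#\t"):
			continue // blank line, or a comment: '#' in the first column followed by white space
		case strings.HasPrefix(line, "#+"): // processing instruction; the colon after the keyword is optional
			j := strings.IndexAny(line+":", ": \t") // end of the keyword
			key, arg := line[2:j], strings.TrimSpace(strings.TrimPrefix(line[j:], ":"))
			switch key { // unknown instructions are ignored (assumption)
			case "desc", "nodesc": // #+nodesc has no argument, so it resets desc to ""
				desc = arg
			case "username": // the file has no desc for this check; the wording is assumed here
				rules = append(rules, Rule{Desc: "Password contains the user name", Username: true})
			case "search": // each dictionary word becomes a verbatim pattern, searched in order
				words, err := dict(arg)
				if err != nil {
					return nil, fmt.Errorf("line %d: %w", n, err)
				}
				for _, w := range words {
					rules = append(rules, Rule{Desc: desc, Lit: strings.TrimSpace(w)})
				}
			}
		case strings.HasPrefix(line, "/") || strings.HasPrefix(line, "!/"): // /regex/ or !/regex/
			re, err := regexp.Compile("(?i)" + strings.TrimSuffix(strings.TrimPrefix(line, "!")[1:], "/"))
			if err != nil {
				return nil, fmt.Errorf("line %d: %w", n, err)
			}
			rules = append(rules, Rule{Desc: desc, Re: re, Negate: line[0] == '!'})
		default:
			rules = append(rules, Rule{Desc: desc, Lit: line})
		}
	}
	return rules, nil
}

// Rejects reports whether this rule rejects the password; all comparisons are case insensitive.
func (r Rule) Rejects(username, password string) bool {
	switch {
	case r.Username:
		return username != "" && strings.Contains(strings.ToLower(password), strings.ToLower(username))
	case r.Re != nil:
		return r.Re.MatchString(password) != r.Negate
	}
	return strings.EqualFold(r.Lit, password)
}

// Check returns ("", true) when the password passes every rule, else the first rejecting rule's message and false.
func Check(rules []Rule, username, password string) (string, bool) {
	for _, r := range rules {
		if r.Rejects(username, password) {
			return r.Desc, false
		}
	}
	return "", true
}

// SamplePolicy is a constructed subset of the rules in the posted pwpolicy.conf.
const SamplePolicy = `#+desc: Too short (at least 8 characters are required)
!/^.{8,}$/
#+username
#+desc: Not a mix of letters, digits and punctuation
!/[[:alpha:]]+/
!/[[:digit:]]+/
!/[[:punct:]]+/
#+desc: No mixed case
!/(?-i)([[:lower:]]+.*[[:upper:]]+)|([[:upper:]]+.*[[:lower:]]+)/
#+desc: Dictionary word
#+search: words.txt`

func main() {
	dict := func(string) ([]string, error) { return strings.Fields("correct horse battery"), nil } // constructed word list
	rules, err := ParsePolicy(SamplePolicy, dict)
	if err != nil {
		panic(err)
	}
	for _, pw := range []string{"short", "Alice2024!", "abcdefgh", "abcdef1!", "Abcdef1!"} {
		reason, ok := Check(rules, "alice", pw)
		fmt.Printf("%-13q ok=%-5v %s\n", pw, ok, reason)
	}
}
```

Note how the rule order in the sample file decides which message a user sees: a dictionary word such as "horse" is already caught by the length rule, and any all-lowercase word by the "mix" rules, so the dictionary entries only come into play for passwords that have survived everything above them. On a real system the dict callback would read the file named after #+search: with os.ReadFile and split it into lines.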
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss