The issue, of course, comes in remembering these fun passwords after you create them.
Maxsequence helps some but not much with standard keyboard patterns from what I can tell.

Trevor

On Sun, Jul 26, 2015 at 10:30 AM, Arnold, Paul C CTR USARMY PEO STRI (US) <[email protected]> wrote:

> Trevor, regarding cracklib: partially, at least in my testing.
>
> (These are for demonstration -- do not use these patterned passwords)
>
> For example, this would be picked up as 'BAD PASSWORD: it is too
> simplistic/systematic' by cracklib (RHEL6):
>
> 3456erty#$%^ERTY
>
> But this would not:
>
> 3467eryu#$^&ERYU
>
> However there is a maxsequence parameter that cracklib can take that I
> have not tested, perhaps that would increase this capability.
>
> Regards,
> --
> Paul C. Arnold
> IT Systems Engineer
> Cole Engineering Services, Inc.
> ------------------------------
> From: [email protected] [[email protected]] on behalf of Trevor Vaughan [[email protected]]
> Sent: Saturday, July 25, 2015 08:22 PM
> To: SCAP Security Guide
> Subject: Re: difok value in stig-rhel7-server-upstream profile
>
> Hmm...thinking about this, did cracklib ever pick up common extended
> keyboard patterns?
>
> It seems that this could be done relatively easily mathematically based
> on the password vs keyboard layout.
>
> If not, I'll suggest it to a couple of Universities as a programming
> project.
>
> Thanks,
>
> Trevor
>
> On Sat, Jul 25, 2015 at 8:00 PM, Leam Hall <[email protected]> wrote:
>
>> No kidding. I know there are smart people at DISA, but the general output
>> seems to be from people who don't actually use computers or follow their
>> own rules.
>>
>> Leam
>>
>> On 07/25/15 19:56, Trevor Vaughan wrote:
>>
>>> Interesting. Not looking forward to the backlash on implementing that
>>> one.
>>>
>>> Trevor
>>>
>>> On Fri, Jul 24, 2015 at 2:56 PM, Shawn Wells <[email protected]> wrote:
>>>
>>> Unfortunately, DISA now requires that 15 of the characters differ
>>> between passwords.
>>>
>>> Ref: https://github.com/OpenSCAP/scap-security-guide/issues/91
>>>
>>> Awkwardly citing the same requirement (SRG-OS-000072), of which the
>>> full text is:
>>>
>>> The operating system must require the change of at least 15 of
>>> the total number of characters when passwords are changed.
>>>
>>> If the operating system allows the user to consecutively reuse
>>> extensive portions of passwords, this increases the chances of
>>> password compromise by increasing the window of opportunity for
>>> attempts at guessing and brute-force attacks.
>>>
>>> The number of changed characters refers to the number of changes
>>> required with respect to the total number of positions in the
>>> current password. In other words, characters may be the same
>>> within the two passwords; however, the positions of the like
>>> characters must be different.
>>>
>>> On 7/24/15 2:44 PM, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
>>>
>>> The DoD states 50% of the minimum password length, which rounds
>>> up to 8 and coincides with OS-SRG v1r2 (SRG-OS-000072). The SSG
>>> also applies to systems outside the DoD, which may dictate some
>>> initial/default rules.
>>>
>>> However, 15 seems to be too high for a default parameter.
>>>
>>> Regards,
>>> --
>>> Paul C. Arnold
>>> IT Systems Engineer
>>> Cole Engineering Services, Inc.
>>> ________________________________________
>>> From: [email protected] [[email protected]] on behalf of Shaw, Ray V CTR USARMY ARL (US) [[email protected]]
>>> Sent: Friday, July 24, 2015 02:30 PM
>>> To: scap-security-guide [[email protected]]
>>> Subject: difok value in stig-rhel7-server-upstream profile
>>>
>>> RHEL/7/input/profiles/stig-rhel7-server-upstream.xml has the
>>> following:
>>>
>>> <refine-value idref="var_password_pam_difok" selector="15" />
>>>
>>> Should this be changed from 15 to 4? The help text indicates
>>> that the DoD requirement is 4, and other documentation seems to
>>> support this.
>>>
>>> --
>>> Ray Shaw (Contractor, STG)
>>> Army Research Laboratory
>>> CISD, Unix Support
>>> --
>>> SCAP Security Guide mailing list
>>> [email protected]
>>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>>> https://github.com/OpenSCAP/scap-security-guide/
>>>
>>> --
>>> Shawn Wells
>>> Director, Innovation Programs
>>> [email protected] | 443.534.0130
>>> @shawndwells
>>>
>>> --
>>> Trevor Vaughan
>>> Vice President, Onyx Point, Inc
>>> (410) 541-6699
>>>
>>> -- This account not approved for unencrypted proprietary information --
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
>
> -- This account not approved for unencrypted proprietary information --

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699

-- This account not approved for unencrypted proprietary information --

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
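As an added example (not code from this thread, from cracklib or from pam_cracklib), the two pattern checks the thread discusses, run over its two demonstration passwords: a maxsequence-style monotonic-sequence check that flags the first but not the second, and the keyboard-layout check Trevor sketches, implemented here as "one key shape typed repeatedly across rows or shift states", which flags both. The US QWERTY rows, the shift map and the default maxsequence of 3 are assumptions.

```python
# Added example, not code from the thread, cracklib or pam_cracklib. The US
# QWERTY rows and shift map below are assumptions about a standard layout.
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# Map every key, plain or shifted, to its (row, column) on the layout.
KEYPOS = {}
for r, (plain, shift) in enumerate(zip(ROWS, SHIFTED)):
    for c, (k, s) in enumerate(zip(plain, shift)):
        KEYPOS[k] = KEYPOS[s] = (r, c)

def longest_monotonic_run(pw):
    """Longest run of code points stepping by a constant +1 or -1 ('3456' -> 4)."""
    best, run, direction = min(len(pw), 1), 1, 0
    for prev, cur in zip(pw, pw[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1) and step == direction:
            run += 1                   # extend the sequence in the same direction
        elif step in (1, -1):
            run, direction = 2, step   # a new two-character sequence starts at prev
        else:
            run, direction = 1, 0      # not consecutive code points: reset
        best = max(best, run)
    return best

def key_shapes(pw):
    """Column offsets of each maximal same-row run of keys; None if off-layout."""
    pos = [KEYPOS.get(ch) for ch in pw]
    if None in pos:
        return None
    shapes, start = [], 0
    for i in range(1, len(pos) + 1):
        if i == len(pos) or pos[i][0] != pos[start][0]:   # the row changes at i
            shapes.append(tuple(pos[j][1] - pos[start][1] for j in range(start, i)))
            start = i
    return shapes

def repeated_key_shape(pw, min_len=3):
    """True when one key shape of >= min_len keys is typed on two or more rows."""
    shapes = key_shapes(pw) or []
    return len(shapes) >= 2 and len(set(shapes)) == 1 and len(shapes[0]) >= min_len

def check_password(pw, maxsequence=3):
    """Reasons pw would be rejected; an empty list means it passes both checks."""
    reasons = []
    if longest_monotonic_run(pw) > maxsequence:
        reasons.append("monotonic character sequence")
    if repeated_key_shape(pw):
        reasons.append("same key shape repeated across keyboard rows")
    return reasons
```

The shape check compares only relative column offsets, so the half-key stagger between physical rows does not matter; a single-row walk such as one full row of keys has only one shape and is left to the monotonic check.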
