[jira] [Commented] (QPID-8269) [Broker-J] Enforce password complexity in authentication providers managing credentials
[ https://issues.apache.org/jira/browse/QPID-8269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16734991#comment-16734991 ] Alex Rudyy commented on QPID-8269: -- Keith, I agree with you that ideally in production Broker-J must delegate authentication functionality to an enterprise authentication system. Though, the existing instances of Qpid Broker-J relaying on embedded authentication mechanisms which cannot be migrated to use enterprise authentication systems (for whatever reasons) can benefit from better password strength enforcement. > [Broker-J] Enforce password complexity in authentication providers managing > credentials > --- > > Key: QPID-8269 > URL: https://issues.apache.org/jira/browse/QPID-8269 > Project: Qpid > Issue Type: Improvement > Components: Broker-J >Reporter: Alex Rudyy >Priority: Major > Fix For: qpid-java-broker-8.0.0 > > > Validate the password credentials in Qpid authentication providers managing > credentials to meet the following requirements: > * Password length must be greater than predefined minimum password length > limit (8 or 16 characters, by default) > * Passwords included in the predefined blacklist must not be allowed > * Passwords must not include repetitive or sequential patterns of more than 3 > characters > * Passwords must not include the account username > * Password must be comprised of 3 out of the following 4 elements: > ** Lowercase characters (a through z) > ** Uppercase characters (A through Z) > ** Base 10 digits (0 through 9) > ** Special or non-alphanumeric characters (@,#,+,etc) > * Passwords must not be reused the last 12 times > The different password complexity policies can be applied for interactive and > non interactive accounts. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org
[jira] [Commented] (QPID-8269) [Broker-J] Enforce password complexity in authentication providers managing credentials
[ https://issues.apache.org/jira/browse/QPID-8269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16733407#comment-16733407 ] Keith Wall commented on QPID-8269: -- I think for production use-cases, Broker-J users ought to be delegating authentication to an enterprise authentication system (such as one exposing an LDAP or Kerberos API). These systems are far better positioned to enforce password complexity/reuse rules /lock out. I wouldn't recommend that an enterprise user uses the built in file/config base authentication system for anything other development use-cases. > [Broker-J] Enforce password complexity in authentication providers managing > credentials > --- > > Key: QPID-8269 > URL: https://issues.apache.org/jira/browse/QPID-8269 > Project: Qpid > Issue Type: Improvement > Components: Broker-J >Reporter: Alex Rudyy >Priority: Major > Fix For: qpid-java-broker-8.0.0 > > > Validate the password credentials in Qpid authentication providers managing > credentials to meet the following requirements: > * Password length must be greater than predefined minimum password length > limit (8 or 16 characters, by default) > * Passwords included in the predefined blacklist must not be allowed > * Passwords must not include repetitive or sequential patterns of more than 3 > characters > * Passwords must not include the account username > * Password must be comprised of 3 out of the following 4 elements: > ** Lowercase characters (a through z) > ** Uppercase characters (A through Z) > ** Base 10 digits (0 through 9) > ** Special or non-alphanumeric characters (@,#,+,etc) > * Passwords must not be reused the last 12 times > The different password complexity policies can be applied for interactive and > non interactive accounts. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org