
Thread: Re: How can I set minimum password length ?




Re: How can I set minimum password length ?
2007-05-04 02:01:02
Hi all,

The password is not the weak point of the authentication method (yes,
you can add constraints on the password but...). I mean, you just need to
present a cookie (MANTIS_COOKIE_STRING) with a "good" value to
authenticate and you can try and try a lot of values without any problem
(try 3 passwords and the account is locked, try 3 cookie values and you can
continue...).
So maybe it is necessary to blacklist (for a while) the IP or send an
email to the administrator when 3 different cookie values have been
presented.

Vincent

> Hi Leandro,
>
> At the moment Mantis doesn't enforce any password strength criteria.
> However, I believe it would be a good idea if we can eventually add a
> hook for that.  This way there can be implementations that do such
> checks, like:
>
> 1. Password Length
> 2. Contains upper case, lower case, symbols, numbers kind of policy.
> 3. Different from login name kind of policy
> 4. Not dictionary based
>
> Please report a feature request in the bug tracker for this and
> include above text.  Thanks.
>
> Any code contributions are welcome.
>
> On 5/3/07, Leandro <llattan2002yahoo.com.ar> wrote:
>>
>>
>> How can I set minimum password length ?
>>
>> Regards.
>> Leandro.

-- 
Mantis Plugin: <http://deboutv.free.fr/mantis/>


_______________________________________________
mantisbt-dev mailing list
mantisbt-devlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mantisbt-dev

Re: How can I set minimum password length ?
2007-05-08 02:04:42
On 5/4/07, Vincent DEBOUT <deboutvfree.fr> wrote:

> It is not the password the weak point of the authentication method (yes,
> you can add constraints on password but...). I mean, you just need to
> present a cookie (MANTIS_COOKIE_STRING) with a "good" value to
> authenticate and you can try and try a lot of values wihtout any problem
> (try 3 password and the account is locked, try 3 cookie values and you can
> continue...).

I'm pretty much in agreement with this but...


> So maybe it is necessary to blacklist (for a while) the IP or send an
> email to the administrator when 3 different cookie values have been
> presented.
>

Sounds easy, but what about NATted LANs? All PCs will present the same
IP but different cookies, so you don't want to blacklist them.

Moreover, though I understand you could store valuable information in
your mantis tracker, this sounds like storing your cooking recipes in a
bank deposit box: for most cases it's not worth the effort.
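
The two replies above leave one question open: how to throttle guessing of the cookie value without locking out everyone who shares a NAT address. One possible shape for that check is sketched below as an added example; it is not part of the thread and not MantisBT code. It is written for PHP 8, and the class name, the thresholds and the `$lookup` callable (standing in for the application's own cookie validation) are assumptions. It counts only distinct *invalid* values per IP and, during a block, still accepts cookies that had already validated from that address.

```php
<?php
// Added example, not MantisBT code: class name, thresholds and $lookup are assumptions.
final class CookieGuessThrottle
{
    private array $invalid = [];      // ip => [sha256(cookie) => time of failed attempt]
    private array $known = [];        // ip => [sha256(cookie) => true] for cookies that validated
    private array $blockedUntil = []; // ip => unix time the block ends

    public function __construct(
        private int $maxDistinct = 3, // distinct bad values tolerated per window
        private int $window = 600,    // seconds
        private int $lockout = 900    // seconds
    ) {}

    /** $lookup(string): bool is the application's own cookie check. Returns ok|invalid|blocked. */
    public function check(string $ip, string $cookie, callable $lookup, int $now): string
    {
        $h = hash('sha256', $cookie); // do not keep raw cookie values in the counters
        $blocked = ($this->blockedUntil[$ip] ?? 0) > $now;
        if ($blocked && !isset($this->known[$ip][$h])) {
            return 'blocked';         // unseen value from a blocked IP is never looked up
        }
        if ($lookup($cookie)) {
            $this->known[$ip][$h] = true; // established session, keeps working during a block
            return 'ok';
        }
        unset($this->known[$ip][$h]);     // a formerly valid cookie that expired
        // Drop failures older than the window, then count distinct bad values.
        $recent = array_filter($this->invalid[$ip] ?? [], fn (int $t): bool => $t > $now - $this->window);
        $recent[$h] = $now;
        $this->invalid[$ip] = $recent;
        if (count($recent) >= $this->maxDistinct) {
            $this->blockedUntil[$ip] = $now + $this->lockout;
            unset($this->invalid[$ip]);
        }
        return 'invalid';
    }
}

// Constructed demo: two users behind one NAT address (documentation IP) and a guesser.
$valid = ['alice-session' => true, 'bob-session' => true];
$lookup = fn (string $c): bool => isset($valid[$c]);
$throttle = new CookieGuessThrottle();
$ip = '203.0.113.7';
$requests = ['alice-session', 'guess-1', 'guess-2', 'guess-3', 'guess-4', 'alice-session', 'bob-session'];
foreach ($requests as $i => $cookie) {
    printf("%-14s %s\n", $cookie, $throttle->check($ip, $cookie, $lookup, 1000 + $i));
}
```

The cost of this design is that a user behind the same address who has not yet presented a valid cookie has to wait out the lockout, so the block duration should stay short; the arrays here would live in shared storage in a real deployment.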

