[x500standard] Re: [ldapext] Fwd: I-D Action:draft-zeilenga-ldap-passwords-00.txt

  • From: Howard Chu <hyc@xxxxxxxxxxxxxxx>
  • To: simo <idra@xxxxxxxxx>
  • Date: Mon, 31 Mar 2008 17:23:59 -0700

simo wrote:

> The number of constraints seems quite limited; are you open to adding
> more constraint types that are currently commonly used in various
> server implementations?
>
> There are some encoding (UTF-8) dependent constraints that are widely
> used, like:
>
> - minimum length in characters
> - maximum number of repetitions of the same character in a password
> - minimum number of alphabetic characters
> - minimum number of lower case characters
> - minimum number of upper case characters
> - minimum number of digits
> - minimum number of special characters (usually ASCII characters that
> represent symbols, but may be extended to other symbols in the UTF-8
> - minimum number of ASCII characters (as opposed to other utf-8
> - complexity checks, like the checks performed by the cracklib library
> to make sure the user name (or other user data) is not used as part of
> the password itself, or the password is not too similar to a dictionary
> word (locale dependent sometimes).

I recall when draft-behera was being discussed that folks wanted more constraints, but nobody suggested what those might be. This is a pretty good list. As for complexity checks, that may still be more difficult to standardize. In OpenLDAP we punt that to a user-written checking module.

I don't really see a good way to fully spec this here, unless you want to define an attribute to carry ABNF rules that a password must conform to. Or, we could define a list of "dictionaries" that must be checked, where a "dictionary" is a specified version number of a well-known word list, library (like cracklib) or other external mechanism.

> There is also often a kind of meta-constraint:
> - minimum number of constraints that must pass their criteria
>
> This allows a greater number X of constraints but accepts the password
> even if only Y < X of them are fulfilled. An example configuration is to
> enable all constraints but require that only, say, 4 of them must be met
> at the same time to consider the password strong enough.


  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
www.x500standard.com: The central source for information on the X.500 Directory 
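The constraint list and the "Y of X must pass" meta-constraint discussed above, as an added worked example that is not code from this thread, from the draft, or from OpenLDAP. The PasswordPolicy fields, the reading of "repetitions" as total occurrences of one character (rather than consecutive runs), the definition of "special" for non-ASCII characters, and the sample policies and passwords are all this example's own assumptions; the cracklib-style dictionary check that Howard says OpenLDAP leaves to an external module is deliberately not implemented.

```python
"""Evaluate a password against the constraint types listed in the thread.

Added example; not code from the draft, the thread, or OpenLDAP.  Counting is
per Unicode code point, so a multibyte UTF-8 character counts once ("length in
characters", not bytes).  The policy representation below is an assumption.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """One threshold per constraint type; 0 (or False) disables that constraint."""
    min_length: int = 0        # minimum length in characters (code points, not bytes)
    max_repeat: int = 0        # maximum occurrences of any single character (assumed: total, not consecutive)
    min_alpha: int = 0         # minimum alphabetic characters
    min_lower: int = 0         # minimum lower case characters
    min_upper: int = 0         # minimum upper case characters
    min_digit: int = 0         # minimum digits
    min_special: int = 0       # minimum special characters (ASCII symbols, plus Unicode P*/S* categories)
    min_ascii: int = 0         # minimum ASCII characters (as opposed to other UTF-8)
    check_user_data: bool = False           # reject passwords containing the user name / other user data
    required_passing: Optional[int] = None  # meta-constraint: how many enabled checks must pass (None = all)


def _is_special(ch: str) -> bool:
    """ASCII: printable, non-alphanumeric, non-space.  Other scripts: punctuation or symbol category."""
    if ch.isascii():
        return ch.isprintable() and not ch.isalnum() and not ch.isspace()
    return unicodedata.category(ch)[0] in ("P", "S")


def _contains_user_data(password: str, user_data: Tuple[str, ...]) -> bool:
    """Case-insensitive substring match of each user-data item (e.g. the user name)."""
    pw = password.casefold()
    return any(item and item.casefold() in pw for item in user_data)


def evaluate(policy: PasswordPolicy, password: str,
             user_data: Tuple[str, ...] = ()) -> Dict[str, Tuple[bool, bool]]:
    """Return {constraint_name: (enabled, passed)} for every constraint type."""
    chars = list(password)  # iterate code points: "é" is one character, not two UTF-8 bytes
    observed = {
        "min_length": len(chars),
        "min_alpha": sum(c.isalpha() for c in chars),
        "min_lower": sum(c.islower() for c in chars),
        "min_upper": sum(c.isupper() for c in chars),
        "min_digit": sum(c.isdigit() for c in chars),
        "min_special": sum(_is_special(c) for c in chars),
        "min_ascii": sum(c.isascii() for c in chars),
    }
    results: Dict[str, Tuple[bool, bool]] = {}
    for name, count in observed.items():
        threshold = getattr(policy, name)
        results[name] = (threshold > 0, count >= threshold)
    most_repeated = max((chars.count(c) for c in set(chars)), default=0)
    results["max_repeat"] = (policy.max_repeat > 0, most_repeated <= policy.max_repeat)
    results["user_data"] = (policy.check_user_data, not _contains_user_data(password, user_data))
    return results


def is_acceptable(policy: PasswordPolicy, password: str,
                  user_data: Tuple[str, ...] = ()) -> bool:
    """Apply the meta-constraint: all enabled checks must pass, or at least required_passing of them."""
    outcomes = [passed for enabled, passed in evaluate(policy, password, user_data).values() if enabled]
    if policy.required_passing is None:
        return all(outcomes)
    # Y of the X enabled constraints must pass; clamp Y to X so a policy that
    # requires more checks than it enables does not reject every password.
    return sum(outcomes) >= min(policy.required_passing, len(outcomes))


# Constructed sample policies: the same seven constraints, without and with the
# "only 4 of them must be met" meta-constraint from the thread.
STRICT = PasswordPolicy(min_length=12, max_repeat=3, min_lower=1, min_upper=1,
                        min_digit=1, min_special=1, check_user_data=True)
LENIENT = PasswordPolicy(min_length=12, max_repeat=3, min_lower=1, min_upper=1,
                         min_digit=1, min_special=1, check_user_data=True,
                         required_passing=4)

if __name__ == "__main__":
    # Constructed sample passwords; "jdoe" is a made-up user name.
    for pw, data in (("Tr0ub4dor&3", ()), ("pässwörd-Ünïcödé1", ()),
                     ("a" * 12, ()), ("Jdoe-2008-Pass!", ("jdoe",))):
        failed = [n for n, (on, ok) in evaluate(STRICT, pw, data).items() if on and not ok]
        print(f"{pw!r}: strict={is_acceptable(STRICT, pw, data)} "
              f"lenient={is_acceptable(LENIENT, pw, data)} failed={failed}")
```

Two things the run makes visible that the list alone does not: "pässwörd-Ünïcödé1" is 17 characters but 23 UTF-8 bytes, so a server that measures length in bytes and one that measures it in characters disagree on the same policy, which is why simo's list pins "characters"; and under the meta-constraint "Jdoe-2008-Pass!" is accepted despite containing the user name, because six of the seven enabled checks pass. A deployment adopting such a meta-constraint would presumably want the user-data and dictionary checks to stay mandatory outside the Y-of-X count.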
