List:       forgerock-opendj
Subject:    Re: [Opendj] RE : RE : Password policies
From:       Ludovic Poitou <ludovic.poitou () forgerock ! com>
Date:       2014-04-16 13:26:13
Message-ID: CAL60-KisXxAvnJ_AQM0-06iL1_OFiYh4UXa94AxLoL2Tru9=LQ () mail ! gmail ! com

Could you file a request for enhancement in our issue tracker
<https://bugster.forgerock.org/jira/browse/OPENDJ> ?

Thanks in advance,

Ludovic

On Wed, Apr 16, 2014 at 3:22 PM, Belleville-Rioux, Vincent
<rioux.vincent@uqam.ca> wrote:
> That's fine, because we can usually trigger mechanisms to tell the user that there is something trying to authenticate repeatedly at that point and send an automated E-Mail telling them to check their mobile devices.
>
> Vincent
>
> ________________________________________
> From: opendj-bounces@forgerock.org [opendj-bounces@forgerock.org] on behalf of Major Péter [majorpetya@gmail.com]
> Sent: 16 April 2014 09:16
> To: OpenDJ discussion list
> Subject: Re: [Opendj] RE : Password policies
>
> I believe the purpose of the feature is that the failure count does not
> get incremented when an old password is presented, but it would be still
> a failed BIND attempt (i.e. the user wouldn't get logged in).
>
> cheers,
> Peter
>
> On 2014.04.16. 14:13, Ludovic Poitou wrote:
>> So my previous email crossed your answer.
>> No, OpenDJ will not validate password against previous passwords. IMO,
>> this can be a serious security risk (especially if a password was
>> reset because it was compromised).
>>
>> Regards,
>>
>> Ludovic.
>>
>> On Wed, Apr 16, 2014 at 3:09 PM, Belleville-Rioux, Vincent
>> <rioux.vincent@uqam.ca> wrote:
>>> From what I understand, this is something else.
>>>
>>> AD keeps a history (when enabled) of past passwords.
>>>
>>> When a user changes his password, other devices may continue to use the
>>> past password.
>>>
>>> Those devices may be hammering the directory with the past password, thus
>>> counting on the bad password count and eventually locking the user out.
>>>
>>> AD "fixes" this by comparing the bad password with the ones stored in
>>> history (N-2).  If there is a match, the bad password count is NOT
>>> incremented at all.
>>>
>>> Vincent
>>>
>>> _______________________________________________
>>> OpenDJ mailing list
>>> OpenDJ@forgerock.org
>>> https://lists.forgerock.org/mailman/listinfo/opendj
>>>
_______________________________________________
OpenDJ mailing list
OpenDJ@forgerock.org
https://lists.forgerock.org/mailman/listinfo/opendj
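
The behaviour discussed in this thread (a bind with a recent previous password still fails, but does not count toward lockout), as an added illustration that is not part of the original messages and is not OpenDJ or Active Directory code. The `Account` class, its return values, the history depth and the PBKDF2 parameters are assumptions made for the sketch.

```python
import hashlib
import hmac
import os
from collections import deque


def _digest(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme for the sketch: salted PBKDF2-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Account:
    """Toy account: current password, bounded history, failure counter."""

    def __init__(self, password, history_depth=2, lockout_threshold=3):
        self.salt = os.urandom(16)
        self.current = _digest(password, self.salt)
        self.history = deque(maxlen=history_depth)  # most recent old passwords
        self.failures = 0
        self.lockout_threshold = lockout_threshold

    @property
    def locked(self):
        return self.failures >= self.lockout_threshold

    def change_password(self, new_password):
        self.history.append(self.current)  # oldest entry drops off when full
        self.current = _digest(new_password, self.salt)
        self.failures = 0

    def bind(self, password):
        """Return 'ok', 'locked', 'stale' or 'bad'. Only 'ok' authenticates."""
        if self.locked:
            return "locked"
        candidate = _digest(password, self.salt)
        if hmac.compare_digest(candidate, self.current):
            self.failures = 0
            return "ok"
        stale = False
        for old in self.history:  # compare against every entry, no early exit
            stale |= hmac.compare_digest(candidate, old)
        if stale:
            # Old password: the bind still FAILS, but the counter is untouched.
            # A caller could use this result to notify the account owner.
            return "stale"
        self.failures += 1
        return "bad"
```

The `'stale'` result is never treated as a successful authentication, which keeps a reset of a compromised password effective while avoiding lockouts caused by devices that still hold the old one.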