Create password complexity python script

[brooksambrose]

Please.

[aronr]

The minimum passphrase complexity requirements for devices attached to UC Berkeley's network can be found here: https://security.berkeley.edu/minimum-security-standards-networked-devices-mssnd#five

If this may be of any value in constructing password policies for AWS and other cloud providers ...

[aculich]

@stivc and @aronr any interest in collaborating on a first-draft of a script to implement this in the second half of our next (or some future) cloud WG session?

[aronr]

@stivc and I looked at this issue during the second half of the 2015-10-15 Cloud WG session. We concluded that creating a script might not make sense for this use case.

Some observations leading to that conclusion:

• Setting this password policy, as an AWS root account user, is typically a one-time 'set and forget' action, one that likely takes less than a minute and involves just navigating to a particular screen and checking a few easy-to-understand checkboxes in a GUI. Scripting makes sense for repetitive and/or complex actions, but this is neither.
• Getting the script in place is another challenge. It might be possible, for instance, by scripting installation of Amazon's AWS command-line tool (a Python module installable via pip), having the user enter credentials into a local file, and uploading the policy. Not only is this potentially complex, error-prone, and time-consuming (particularly so on Windows systems that might not have Python), but the presence of the credentials store adds a local vulnerability: one that would give full access to the Amazon account in question whenever a user account on a laptop is breached.

Also related:

• If such a script, in part, is intended to make sure that UC Berkeley's current passphrase complexity rules are implemented, those rules aren't a 1:1 fit for the aspects of the password policy that you can set for IAM users, as an AWS root account user, in AWS's IAM console. For instance, the UC Berkeley rules require "two of three" character classes and don't consider uppercase and lowercase to be distinct classes, neither of which is a direct fit. In AWS IAM, you can create a password policy that simulates, and is more stringent than, UC Berkeley's, but not a directly matching one.

[aronr]

@stivc suggested that, as an alternative, he might write up some concise doc about this ...