Closed ellestad closed 2 years ago
As far as I can tell, the password policy comes out of `/etc/security/pwquality.conf` on Alexander and Aristotle.
The contents of that file are as follows. It appears we use the default values, other than specifying a length of 12.

```
# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 5
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
minlen = 12
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
# dcredit = 1
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
# ucredit = 1
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
# lcredit = 1
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
# ocredit = 1
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# minclass = 3
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
# maxrepeat = 2
#
# The maximum number of allowed consecutive characters of the same class in the
# new password.
# The check is disabled if the value is 0.
# maxclassrepeat = 0
#
# Whether to check for the words from the passwd entry GECOS string of the user.
# The check is enabled if the value is not 0.
# gecoscheck = 0
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =
```
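To see what the quoted settings actually enforce, here is an added illustrative re-implementation in Python of the three libpwquality checks those keys control (minlen with per-class credits, minclass, maxrepeat). It is not Wynton's code and not libpwquality itself; the credit arithmetic follows libpwquality's `check.c` as I read it, and the compiled-in defaults used for keys the file leaves commented out are assumed to be the stock ones (credits of 1 per class, minclass 0, maxrepeat 0). The config excerpt and the sample passwords are constructed for the example. It shows that, because each character class present earns a credit of one, `minlen = 12` accepts an 8-character password that uses all four classes and an 11-character all-lowercase one.

```python
"""Illustrative re-implementation of the libpwquality checks controlled by
the keys in the pwquality.conf quoted above (minlen with per-class credits,
minclass, maxrepeat).  Added for this thread; not Wynton's code and not
libpwquality itself.  The credit arithmetic follows libpwquality's check.c
as the author of this example reads it; the compiled-in defaults used for
keys the file leaves commented out are ASSUMED to be the stock ones."""

# Assumed compiled-in defaults, applied when a key is absent or commented out.
DEFAULTS = {
    "minlen": 8,
    "dcredit": 1,
    "ucredit": 1,
    "lcredit": 1,
    "ocredit": 1,
    "minclass": 0,
    "maxrepeat": 0,
}

# Constructed excerpt of the quoted file: only minlen is actually set; the
# "# minclass = 3" and "# maxrepeat = 2" lines are comments and set nothing.
WYNTON_CONF = """\
# Configuration for systemwide password quality limits
# minlen = 9
minlen = 12
# dcredit = 1
# minclass = 3
# maxrepeat = 2
"""


def parse_pwquality(text):
    """Parse 'key = value' lines, skipping blank lines and '#' comments."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        try:
            settings[key.strip()] = int(value)
        except ValueError:          # e.g. dictpath, which is a string
            settings[key.strip()] = value
    # libpwquality refuses to go below a floor of 6 for minlen.
    settings["minlen"] = max(settings["minlen"], 6)
    return settings


def class_counts(pw):
    """Count characters per class the way libpwquality does:
    digit, upper, lower, and everything else as 'other'."""
    d = sum(c.isdigit() for c in pw)
    u = sum(c.isupper() for c in pw)
    lo = sum(c.islower() for c in pw)
    return {"d": d, "u": u, "l": lo, "o": len(pw) - d - u - lo}


def check_password(pw, s):
    """Return None when pw satisfies settings s, else a short reason."""
    n = class_counts(pw)
    classes = sum(1 for v in n.values() if v > 0)
    if classes < s["minclass"]:
        return f"needs {s['minclass']} character classes, has {classes}"

    need = s["minlen"]
    for cls, key in (("d", "dcredit"), ("u", "ucredit"),
                     ("l", "lcredit"), ("o", "ocredit")):
        credit = s[key]
        if credit < 0:
            # A negative value is a hard minimum count for that class.
            if n[cls] < -credit:
                return f"needs at least {-credit} characters of class {cls}"
        else:
            # A non-negative value is a credit: each character of that class
            # reduces the required length by one, up to `credit` characters.
            need -= min(n[cls], credit)
    if len(pw) < need:
        return f"too short: {len(pw)} chars, needs {need} after credits"

    if s["maxrepeat"]:
        run, prev = 0, None
        for c in pw:
            run = run + 1 if c == prev else 1
            prev = c
            if run > s["maxrepeat"]:
                return f"more than {s['maxrepeat']} consecutive '{c}'"
    return None


if __name__ == "__main__":
    s = parse_pwquality(WYNTON_CONF)
    print("active settings:", s)
    for pw in ("Ab1!Ab1!", "abcdefghijk", "abcdefghij", "aaab1!Ab1!"):
        print(f"{pw!r:16} -> {check_password(pw, s) or 'OK'}")
    # Credits disabled and maxrepeat enforced: what a literal 12-char rule needs.
    strict = dict(s, dcredit=0, ucredit=0, lcredit=0, ocredit=0, maxrepeat=2)
    for pw in ("Ab1!Ab1!", "aaab1!Ab1!xy"):
        print(f"{pw!r:16} (strict) -> {check_password(pw, strict) or 'OK'}")
```

Two practical consequences follow from this. A commented-out line such as `# minclass = 3` sets nothing, so whatever number the comment shows, minclass and maxrepeat stay at the build's defaults until the key is uncommented. And if the intent is a real floor of 12 characters regardless of composition, the four credit keys have to be set to 0 (or to negative values to demand a per-class minimum); with the credits at their default of 1, `minlen = 12` is really "12 minus the number of classes used".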
Oh my, that's really silly of them to hide that behind a login. I guess we could request them to release those rules to the world, but that's probably a big uphill.
So, yes, we could explicitly document this on the Wynton page, e.g.:

> The password should fulfill the following requirements, which follow the UCSF Enterprise Password Standard:
>
> - ...
> - ...
> - ...
PS. Remember this issue tracker is public to the world.
Or to a public page with the UCSF policy?
Something like: UCSF Password InfoGraphic
That's the quick solution. I'd say go for it (although it's a PDF, which might not be accessible)
Agreed to keep it as is until we hear of users having issues.
The link on the Wynton Change password page to the UCSF password policy goes to a page on the UCSF Wiki which requires authentication.
As not all Wynton Users are UCSF Users, should a summary of the actual Wynton password policy be listed on the Wynton password page?