Hi Robert,

> What is the best way to enforce strong passwords? I see Solarspeed.net
> has a free package to do this, would that be the best way to go?

That PKG is outdated and was pulled. However, the most recent and fully
working code for it is in the BlueQuartz SVN (has been for several months
now) and should be available "soon" from the BlueQuartz YUM repository.

It works like this:

Whenever a new user is created, or the password of an existing user is
changed, then the password field will only accept the new password if:

- The password is long enough
- The password is complex enough
- The password is not based on a dictionary word

The "strength" of the password will be visible while you type it in, so you'll
know if it'll be "good enough" before you hit "save".

Now of course this doesn't affect any users that are already on the server and
still have weak passwords. Only if they change their passwords will that problem
go away as well.

We haven't implemented any means (yet) to allow you to (optionally) "force" a
password change, like making an old password expire after a given amount of
time. Technically that's easily possible on the Linux level, but that could
turn into a support nightmare for some of you. Hence we didn't do that.

So once you have the new code, one suggested way is to send an email to your
users, asking them kindly to change their passwords. That way all who do
this will have much more secure passwords.

--
With best regards,
Michael Stauber
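
The three acceptance rules described in the message above (length, complexity, not based on a dictionary word), as an added example that is not part of the original post and is not the BlueQuartz code. The thresholds, the substitution table and the tiny wordlist are assumptions chosen for illustration.

```python
import re

# Constructed sample wordlist; a real check would load a full dictionary file.
WORDLIST = {"password", "dragon", "monkey", "welcome", "server"}

# Assumed thresholds (hypothetical, not taken from BlueQuartz).
MIN_LENGTH = 10
MIN_CLASSES = 3

# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans("0134578@$!", "oleastbasi")

def char_classes(pw):
    """Count how many of lower/upper/digit/other appear in the password."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)

def dictionary_base(pw):
    """Return the dictionary word the password is built on, or None."""
    lowered = pw.lower()
    # Drop digits/punctuation padded onto either end: "Dragon2024!" -> "dragon"
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = set()
    for f in (lowered, stripped):
        t = f.translate(LEET)
        forms.update((f, t, f[::-1], t[::-1]))  # also try reversed spellings
    for form in forms:
        for word in sorted(WORDLIST):
            # "Based on" = the word makes up at least half of the candidate
            if word in form and 2 * len(word) >= len(form):
                return word
    return None

def check_password(pw):
    """Return the list of reasons a password is rejected (empty = accepted)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if char_classes(pw) < MIN_CLASSES:
        problems.append("not complex enough")
    word = dictionary_base(pw)
    if word:
        problems.append(f"based on dictionary word '{word}'")
    return problems
```

Note that "P@ssw0rd1!" passes the length and complexity rules here and is rejected only by the dictionary rule, which is why the third check matters.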