dev@glassfish.java.net

Re: remove password length restrictions

From: Lloyd Chambers <Lloyd.Chambers_at_Sun.COM>
Date: Mon, 21 Sep 2009 10:40:20 -0700

Ideally, entry of a password would give it a quality/security score as
feedback. Many users don't know what a good password is.

Lloyd

On Sep 16, 2009, at 3:40 PM, Bill Shannon wrote:

> This issue came up in our discussions of the issues related to
> removing
> the anonymous user...
>
> I need to change the requirements on password length. Currently
> passwords
> are required to be at least 8 characters. Obviously the new default
> password "" violates that requirement so at the very least I need to
> allow empty passwords or 8+ character passwords.
>
> Ideally, if there were constraints on the password, they would be
> based on
> some pluggable policy, perhaps associated with the realm
> implementation,
> and enforced on the server (not the client as they are today). I
> think
> that's work for a future release...
>
> Several people have been supportive of removing all restrictions on
> password
> length. Unless I hear strong complaints otherwise, that's what I
> plan to do.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe_at_glassfish.dev.java.net
> For additional commands, e-mail: dev-help_at_glassfish.dev.java.net
>

Lloyd Chambers
lloyd.chambers_at_sun.com
GlassFish Team