Couchbase Server - MB-24959

Update the default password policy out-of-the-box

Details

    • Improvement
    • Resolution: Unresolved
    • Critical
    • backlog
    • 5.0.0
    • ns_server, rbac

    Description

      We have spent a significant amount of time enhancing the product to make it more secure.

      One of the ways is the "password policy". Currently in 5.0, however, we still default to the old password policy: no mix of characters required, no numbers required, no upper case required, minimum of 6 characters.

      I believe that from the get-go we should make the policy slightly more stringent, e.g. 8 characters with a mix of numbers and special chars; otherwise we will have a whole bunch of implementations all moving into 5.0 and beyond with the old password policy.

      Unless we FORCE the issue, environments are not going to get to compliance.

      Making the policy more stringent is the right thing to do, especially with easy NON-LDAP RBAC and multiple user roles in 5.0.

      Associated Impacts:

      1. Existing clusters should not be impacted - password check should only occur on password change and password creation
      2. Existing customers will have to upgrade their scripts for new clusters (Most customers already use long and complex passwords)
      3. Testing at our end
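The following is an added illustration, not code from Couchbase Server or from this ticket. It models the two policies the description contrasts (the 5.0 default of 6 characters with no character-class requirements, and the proposed 8 characters with a digit and a special character) and shows impact 1 in practice: the check runs only when a password is created or changed, so users imported from an existing cluster keep working and are only held to the new rules the next time their password is set. The policy fields, the `UserStore` class and the PBKDF2 storage are assumptions made for the example, not the product's actual settings or implementation.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Rules applied when a password is created or changed (field names are assumed)."""
    min_length: int
    require_upper: bool = False
    require_digit: bool = False
    require_special: bool = False


# The out-of-the-box 5.0 policy as the ticket describes it: 6 characters, nothing else.
LEGACY_DEFAULT = PasswordPolicy(min_length=6)
# The stricter default the ticket proposes: 8 characters plus a digit and a special char.
PROPOSED_DEFAULT = PasswordPolicy(min_length=8, require_digit=True, require_special=True)


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return every rule the candidate password violates (empty list means it passes)."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if policy.require_special and not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


class UserStore:
    """Minimal credential store: the policy gates creation and change, never login."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self._creds: dict[str, tuple[bytes, bytes]] = {}  # name -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _store(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[name] = (salt, self._hash(password, salt))

    def import_existing(self, name: str, password: str) -> None:
        """Users carried over from an existing cluster are stored without a policy check."""
        self._store(name, password)

    def _enforce(self, password: str) -> None:
        failures = check_password(password, self.policy)
        if failures:
            raise ValueError("password rejected: " + ", ".join(failures))

    def create_user(self, name: str, password: str) -> None:
        self._enforce(password)  # policy applies on creation
        self._store(name, password)

    def change_password(self, name: str, password: str) -> None:
        if name not in self._creds:
            raise KeyError(name)
        self._enforce(password)  # and on change
        self._store(name, password)

    def verify(self, name: str, password: str) -> bool:
        """Login check only compares the hash; it never re-evaluates the policy."""
        if name not in self._creds:
            return False
        salt, stored = self._creds[name]
        return hmac.compare_digest(stored, self._hash(password, salt))


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    store = UserStore(PROPOSED_DEFAULT)
    store.import_existing("legacy-admin", "abcdef")        # accepted: existing cluster user
    print("legacy login works:", store.verify("legacy-admin", "abcdef"))
    print("old-default verdict on 'abcdef':", check_password("abcdef", LEGACY_DEFAULT))
    print("new-default verdict on 'abcdef':", check_password("abcdef", PROPOSED_DEFAULT))
    try:
        store.create_user("new-user", "abcdef")               # rejected under the new policy
    except ValueError as exc:
        print(exc)
    store.create_user("new-user", "Passw0rd!")
    print("new user login works:", store.verify("new-user", "Passw0rd!"))
```

The only place the stricter policy bites is `create_user` and `change_password`; a cluster upgraded with six-character passwords keeps authenticating, which is the behaviour the ticket asks for under "Existing clusters should not be impacted".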


People

  dfinlay Dave Finlay
  asif.kazi Asif Kazi (Inactive)