[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Health-dev] Script to generate / update Tryton master password agai
Re: [Health-dev] Script to generate / update Tryton master password against cracklib
Thu, 30 Oct 2014 15:50:54 -0700
On 10/29/14, Luis Falcon wrote:
> Hi team
> I have created a basic python script ("serverpass.py"), that allows to
> generate or update the Tryton master password, and validate it against
> The goal is to harden the security, as well as to facilitate its
> generation without editing manually the configuration file.
> It's done for GNU Health. Starting GNU Health 2.8, it will be called in
> the standard installation program (gnuhealth_install.sh), but it is
> also a stand-alone program, to update the password
> You can check the latest version at the GNU Health mercurial
> repository, in the default branch, browsing under
> "tryton/scripts/security" directory .
> I hope it can be useful to general Tryton installations, so I'm copying
> it to tryton-contrib list. It's just starting, so expect
> bugs, backup your configuration file, and don't use it in production
> environments yet :)
> Next should be checking for bad passwords at user level.
> Suggestions are most welcome.
I think it's a good start. Another angle is a blacklist of disallowed
passwords and roots. Dictionary attacks are powerful. Add some brute
force limiting, and that's probably good enough until we add something
more. (e.g., two-factor, etc.) I'll have to cross that bridge on the
FHIR server eventually, too.