Hi, I have a system with a few hundred users, soon to be upgraded to the latest v1.4 SquirrelMail. Many of these users have the same password as their username, so we'd like to find the best method for changing the users' passwords with the least amount of impact.
Stop issuing them with such passwords.
If you use a form where they sign up and choose (unlikely given you've said "many of these" use this format), introduce harsher tests. libcrack is a good one to use to stop stupid passwords; although not perfect, it is better than nothing.
Are these users local that you can give them to them by hand (or by SMS)?
Migrate to MySQL, much easier. If not, make sure you change /etc/login.defs ENCRYPT_METHOD SHA512 and set CRACKLIB_DICTPATH to the dict words file _if_ ldd /usr/bin/passwd shows support for libcrack.
This doesn't really sound like a SM problem, more of a local policy problem, but it's good you are changing it!
----- squirrelmail-users mailing list Posting guidelines: http://squirrelmail.org/postingguidelines List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx List archives: http://news.gmane.org/gmane.mail.squirrelmail.user List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
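An added example, not part of the original message: setting ENCRYPT_METHOD in /etc/login.defs only affects passwords set afterwards, so existing shadow entries keep their old hash until each user's password is changed. This sketch reads the setting and lists accounts whose stored hash is not SHA512, identified by the crypt(3) prefix; the file contents, account names and hash strings are constructed samples.

```python
import re

# Constructed sample inputs (not from the original message).
SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs excerpt (constructed)
PASS_MAX_DAYS   99999
ENCRYPT_METHOD  DES
"""
SAMPLE_SHADOW = """\
alice:$6$c29tZXNhbHQ$AAAA:19000:0:99999:7:::
bob:$1$abcdefgh$BBBB:15000:0:99999:7:::
carol:ab01CCCCCCCCC:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
dave:!$5$saltsalt$DDDD:15000:0:99999:7:::
"""

# crypt(3) modular-format ids and the scheme each one denotes.
PREFIXES = {"1": "MD5", "5": "SHA256", "6": "SHA512"}

def encrypt_method(login_defs_text):
    """Return the uncommented ENCRYPT_METHOD value, or None if unset."""
    for line in login_defs_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "ENCRYPT_METHOD":
            return parts[1].upper()
    return None

def hash_scheme(field):
    """Classify a shadow password field; None means no usable password."""
    field = field.lstrip("!")            # leading '!' marks a locked password
    if field in ("", "*"):
        return None
    m = re.match(r"\$([0-9a-z]+)\$", field)
    if m:
        return PREFIXES.get(m.group(1), "other($%s$)" % m.group(1))
    return "DES"                         # traditional crypt has no $id$ prefix

def accounts_needing_reset(shadow_text, wanted="SHA512"):
    """List (user, scheme) pairs whose stored hash is not the wanted scheme."""
    stale = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        scheme = hash_scheme(fields[1]) if len(fields) > 1 else None
        if scheme and scheme != wanted:
            stale.append((fields[0], scheme))
    return stale

if __name__ == "__main__":
    print("ENCRYPT_METHOD:", encrypt_method(SAMPLE_LOGIN_DEFS))
    print("Not yet SHA512:", accounts_needing_reset(SAMPLE_SHADOW))
```

The accounts it lists are the ones that still need a password change before the new ENCRYPT_METHOD takes effect for them.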