1

Topic: Installer should follow iRedAdmin password policy

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.1
- Deployed with iRedMail Easy or the downloadable installer? installer
- Linux/BSD distribution name and version: Ubuntu 22.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello Zhang!

I noticed that the iRedMail installer does not follow the iRedAdmin password policy.
Passwords in iRedMail.tips (just after installation) come with no special character.
If you try to set the password in the web GUI, an error is shown:

Error: No special character in password.

Why is this relevant? Well, if you choose to reinstall your iRedMail server and migrate mail accounts, you will have the old password for the postmaster account. You might want to set it to the one which was created during installation to streamline it with the places the same password is used (e.g. netdata login).

Proposal:

With my current knowledge, I can see some possible solutions:

1. Modify installer to create passwords with at least 1 special character

2. Exceptionally allow 32 character passwords in iRedAdmin without special character

3. Re-evaluate password policy in general, instead of requiring special characters, define a minimum entropy

See
https://pypi.org/project/password-strength/



The latter might need a bit more background.
Password strength is not a matter of special characters but all about entropy.
Let's take an example password as recommended by iRedAdmin Pro in the section "Need a strong password?"

DWm8aw2pH(
Entropy = 57 bits

From the installer we get 32 character passwords without special characters:

Tv35uheXE75kD3iPjMQNMnfN57qnCneN
Entropy = 167 bits

Instead of the password with special character, we can choose a longer password with the same entropy. Example:

Tv35uheXE75kD
Entropy = 58 bits

Eventually we can conclude: the longer, the better.

Best regards,

Bernhard

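The entropy argument in the post above, worked through as an added example (this is not code from the thread, from iRedMail, or from the password-strength package). It assumes the common textbook model: entropy = length × log2(pool size), where the pool is the union of the character classes present in the password (26 lowercase, 26 uppercase, 10 digits, 32 ASCII punctuation). The bit counts quoted in the post came from the poster's own tool and use a different model, so the absolute numbers differ; the ordering (a longer alphanumeric password beats a short one with a special character) is what the example demonstrates, along with an entropy-based acceptance check placed beside the "must contain a special character" rule.

```python
"""Password entropy under a character-class pool model (added example).

Assumed model: bits = len(password) * log2(pool), where pool is the sum of
the sizes of the character classes that actually appear in the password.
"""
import math
import secrets
import string

# Character classes and the pool size each contributes (assumed model).
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "special": (set(string.punctuation), len(string.punctuation)),  # 32
}


def pool_size(password: str) -> int:
    """Size of the alphabet implied by the character classes used."""
    size = 0
    for chars, n in CLASSES.values():
        if any(c in chars for c in password):
            size += n
    return size


def entropy_bits(password: str) -> float:
    """Entropy estimate: every position drawn uniformly from the pool."""
    pool = pool_size(password)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def has_special(password: str) -> bool:
    """The rule iRedAdmin enforces in the post: at least one special char."""
    return any(c in CLASSES["special"][0] for c in password)


def entropy_policy_accepts(password: str, min_bits: float = 64.0) -> bool:
    """Alternative policy from the post: require a minimum entropy instead."""
    return entropy_bits(password) >= min_bits


def min_length_for(target_bits: float, pool: int) -> int:
    """Shortest length that reaches target_bits when drawing from `pool`."""
    return math.ceil(target_bits / math.log2(pool))


def generate_alnum(length: int = 32) -> str:
    """Alphanumeric random password, like the installer-style 32-char ones."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(passwords):
    """Return (password, bits, special-char rule, entropy rule) per input."""
    return [
        (p, round(entropy_bits(p), 1), has_special(p), entropy_policy_accepts(p))
        for p in passwords
    ]


if __name__ == "__main__":
    # The three passwords from the post, plus a freshly generated one.
    samples = [
        "DWm8aw2pH(",                          # recommended by the web GUI
        "Tv35uheXE75kD3iPjMQNMnfN57qnCneN",    # installer-style, 32 chars
        "Tv35uheXE75kD",                       # same prefix, 13 chars
        generate_alnum(),
    ]
    for pw, bits, special, ok in compare(samples):
        print(f"{pw:34} {bits:6.1f} bits  special={special!s:5}  entropy-policy={ok}")
    # How long must an alphanumeric (pool 62) password be to match the
    # 10-character special-character password under this model?
    print("alnum length needed:", min_length_for(entropy_bits("DWm8aw2pH("), 62))
```

Under this model the 10-character recommended password scores about 65.5 bits, a 12-character alphanumeric password already matches it, and the 32-character installer password is far beyond both; the special-character rule nevertheless rejects the two alphanumeric passwords while an entropy threshold accepts them, which is the gap option 3 in the post points at.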

2

Re: Installer should follow iRedAdmin password policy

*) The 32-char random string passwords are used by daemon programs, e.g. Postfix, Dovecot, etc. These passwords are not changed by sysadmin regularly, so we must use a very strong password, and unique on each server deployed by iRedMail installer. It uses /dev/random to generate random chars.

*) The password policy is for end users. Since most end users are not tech guys and have no sense of security, we have to somehow force them to pick a strong password so sysadmins can get some peaceful sleep.

*) The postmaster password is picked by the sysadmin during iRedMail installation. We expect the sysadmin to have a basic sense of security, so we don't force a secure password here for easier installation. In early iRedMail releases, the iRedMail installer simply generated a 32-char strong password for postmaster@, but many sysadmins asked what the password is (they don't even check the iRedMail.tips file), so to reduce my workload, I added a dialog to ask for the password.

3

Re: Installer should follow iRedAdmin password policy

ZhangHuangbin wrote:

so to reduce my workload, i added a dialog to ask for password.

... and I always use the recommended password.

Do you have a quick hack to set a custom password in database bypassing iRedAdmin Pro?

Thanks!

4

Re: Installer should follow iRedAdmin password policy

broth wrote:

Do you have a quick hack to set a custom password in database bypassing iRedAdmin Pro?

Please use the SQL command line instead.