Would you be willing to share the code on, say, a github gist ? ______________________________________________________________________________________________ Daniel E. White daniel.e.white@nasa.gov<mailto:daniel.e.white@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290 From: Charles Hedrick via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org&gt; Reply-To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org&gt; Date: Tuesday, January 28, 2020 at 14:21 To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org&gt; Cc: Charles Hedrick <hedrick(a)rutgers.edu&gt; Subject: [EXTERNAL] [Freeipa-users] suggestion for password policy The NIST recommendations for passwords say they don’t think character classes and expiration are useful. Instead, they recommend using a blacklist of known common passwords. There’s no way to implement this policy without writing your own plugin. It would be useful for IPA’s password policy to allow you to specify a database of forbidden passwords. We’ve done this using a plugin, but I’d rather not have to write C code to implement policy.