0

Is there a general rule of thumb when it comes to administrating SVN user passwords, should it be necessary that they must meet complexity requirements?

John
  • 109
  • 2
  • No. Password complexity requirements are specific to your security requirements (and some would argue that they are a waste of time). – Neil Smithline Feb 18 '16 at 18:48
  • Possible duplicate of [Recommended policy on password complexity](http://security.stackexchange.com/questions/3248/recommended-policy-on-password-complexity) – Xander Feb 18 '16 at 19:29

1 Answers1

1

Presumably you are using svn to keep source code or configuration data or something similar, and having an unauthorized modification would be bad. Passwords are just one layer of security in protecting from an unauthorized modification.

So the rule of thumb would be to have "good" passwords. I personally dislike "complexity requirements", as most people doing this ignore that it's about entropy and not complexity:

But if your svn repository is susceptible to a brute force attack (eg, on the internet) you probably don't want your users to have passwords like "1234" or "password".

In addition to that though, you should consider:

  • Putting the svn behind a firewall, accessible only to internal network
  • Using SSH keys for authentication instead of passwords
  • Having branch permissions and a code review process to prevent unwanted changes from getting in the mainline / "trunk" source code
gregmac
  • 523
  • 1
  • 3
  • 15