Closed mkopec closed 1 hour ago
Mandatory XKCD: https://xkcd.com/936/
Not understanding the value of security, or being lazy, should never be a reason to weaken the security.
Personally, to make the password more memorable, I use $ instead of S, or 3 instead of E, or @ instead of a, in casual words.
Secondly, how often does an average person need to enter the BIOS? Most likely the frequency is high right after buying the HW. But once the settings are settled, one almost never enters BIOS setup. The password may be enrolled when one decides on the set of settings.
Even better idea: remove the setup password if the presence of such option causes such willingness to abuse its use.
And now we know which characters to include in the dictionary when bruteforcing your passwords ;)
Good luck. Except that I mainly use the generated passphrases from bitwarden-like apps
But in cases like these, where you need to memorize something, it may be good. And I just gave a few examples. There are more symbols I use, not necessarily in place of regular characters in words.
Anyway, don't forget to send me a ransom, when you get to my bank account.
I guess I'll need to look for peer-reviewed studies showing the impact of password requirements here to show my point.
Password policy is a very common topic, we should just look at existing standards; here are some references: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#implement-proper-password-strength-controls
Maybe we should change the title of the issue to a less-triggering one, like "Propose password policy based on current standards" ;)
Not understanding the value of security, or being lazy, should never be a reason to weaken the security.
Sounds like something that can be applied to anything. So be it.
Just for reference, AMI:
I guess this is an antipattern we should not follow.
When is this issue planned to be implemented, i.e. when will Dasharo accept passphrases as USER or ADMIN password?
@BeataZdunczyk That should not be that difficult a change; can we plan to include it in the next releases?
Working on the issue here: https://github.com/Dasharo/edk2/pull/152 https://github.com/Dasharo/docs/pull/857
https://github.com/Dasharo/edk2/pull/152 https://github.com/Dasharo/docs/pull/857 PRs are merged, closing the issue.
@BeataZdunczyk @mkopec, @philipandag I do not understand whether DASHARO supports or does not support PASSPHRASES, because the screenshot mentions the old requirements (lowercase, uppercase, alphabetic, number, ...) while under this screenshot the description already mentions the requirement of lowercase letters only.
Screenshot wasn't updated, but password requirements were loosened to allow for passphrases
So, I'm waiting for the screenshot to be replaced until it is consistent with the description under it.
@BeataZdunczyk @mkopec we are still waiting for the screenshot to be replaced until it is consistent with the description under it.
my bad, @rafkoch https://github.com/Dasharo/docs/pull/942
The problem you're addressing (if any)
The current password requirements are very strict and won't allow someone to use passphrases (because you need uppercase, lowercase, special, numeric, symbol(?) characters).
It has been shown that strict password requirements cause people to re-use their passwords or use shorter ones because they simply can't remember so many complex strings of text, making their overall security lower: https://www.enzoic.com/blog/the-benefits-and-drawbacks-of-password-complexity-rules/
Describe the solution you'd like
Remove or loosen the password requirements
Where is the value to a user, and who might that user be?
People who use passphrases
People who are okay with using less secure passwords
Describe alternatives you've considered
FIDO2 auth in setup menu?
Additional context
https://neal.fun/password-game/
The password requirement code was imported completely from edk2-platforms without much thought if we want to actually have these requirements
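To make the two policies under discussion concrete, here is an added example (not Dasharo's or edk2's code) that puts the composition-rule check described in this issue next to a length-based check in the spirit of the OWASP cheat sheet linked above. The length limits (8 minimum, 64 maximum) and the exact character classes are assumptions for illustration; the thread does not state Dasharo's numbers. The passphrase and passwords in main() are constructed test inputs.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for illustration only. */
#define COMPOSITION_MIN_LEN 8
#define LENGTH_MIN_LEN      8
#define LENGTH_MAX_LEN      64

/* Composition-rule policy as described in the issue: at least one uppercase,
 * one lowercase, one digit and one special (punctuation) character. Rejects
 * most natural-language passphrases even when they are long. */
bool composition_policy_ok(const char *pw)
{
    bool upper = false, lower = false, digit = false, special = false;
    size_t len = strlen(pw);

    if (len < COMPOSITION_MIN_LEN)
        return false;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isupper(c))      upper = true;
        else if (islower(c)) lower = true;
        else if (isdigit(c)) digit = true;
        else if (ispunct(c)) special = true;
    }
    return upper && lower && digit && special;
}

/* Length-based policy: a minimum length, a generous maximum so long
 * passphrases are not truncated, no composition rules, and every printable
 * character (spaces included) allowed. Only control characters are rejected. */
bool length_policy_ok(const char *pw)
{
    size_t len = strlen(pw);

    if (len < LENGTH_MIN_LEN || len > LENGTH_MAX_LEN)
        return false;

    for (size_t i = 0; i < len; i++) {
        if (!isprint((unsigned char)pw[i]))
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "correct horse battery staple", /* long passphrase, no digit/upper */
        "Tr0ub4dor&3",                  /* short, satisfies all classes */
        "P@ss1",                        /* too short for either policy */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-30s composition=%d length=%d\n", samples[i],
               composition_policy_ok(samples[i]),
               length_policy_ok(samples[i]));
    }
    return 0;
}
```

The passphrase from the XKCD comic fails the composition policy and passes the length policy; the short "Tr0ub4dor&3" passes both, which is the inversion the linked article argues against. Whichever policy is adopted, the check runs on the firmware side at enrollment time, so a loosened rule costs nothing at boot.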