GSMA-CPAS / BWRP-UI

Apache License 2.0

PSA password requirements #90

Open zsoltschaefer opened 3 years ago

zsoltschaefer commented 3 years ago

According to the PSA requirements UI passwords shall be at least 12 characters long.

sgerhardt-trilobyte commented 2 years ago

What are the exact PSA password requirements? Is it still -> password must contain at least: 1 uppercase letter, 1 lowercase letter, 1 number, and one special character?

zsoltschaefer commented 2 years ago

It was about the password length, the rest should be fine. Character classes are even stricter in the implementation. If there is a two factor authentication during login (not just user registration), we are allowed to go as short as 8 characters.

So 12 + 4 character classes is on the safe side of the requirements.


If a password is used as an authentication attribute, it must have at least 12 characters and contain three of the following categories: lower-case letters, upper-case letters, digits and special characters. A system may only accept passwords that comply with the following complexity rules:

- Minimum length of 12 characters.
- Comprising at least three of the following four character categories:
  - lower-case letters
  - upper-case letters
  - digits
  - special characters

The usable maximum length of passwords shall not be limited to less than 25 characters. This will provide more freedom to End Users when composing individual memorizable passwords and helps to prevent undesired behavior in password handling.

When a password is assigned, the system must ensure that the password meets these policies. This must be preferably enforced by technical measures; if such cannot be implemented, organizational measures must be established. If a central system is used for user authentication (see also Requirement 19 [ID: 3.01-19/2.3]), it is valid to forward or delegate this task to that central system.

Conditions for a permissible deviation in the password minimum length

Under defined conditions, the password minimum length may be reduced. The conditions identified as permissible for the current status are shown in the following table.

| Condition | Password minimum length |
| --- | --- |
| The login process uses additional authentication features in the form of a 2-factor- or multi-factor-authentication in addition to the password. | 8 characters |

In the case that specific conditions not listed here are identified under appropriate security criteria to reduce the minimum password length, a minimum value of 8 characters must not be undercut during implementation.

Deviations in the password minimum length must always be individually assessed by a suitable security consultant (for instance, a PSM of Telekom Security) and confirmed as permissible. The assessment must take into account surrounding technical, organizational and legal framework parameters as well as system-specific protection requirements and the potential amount of damage in case of security incidents.

Motivation: Passwords with the above complexity offer contemporary robustness against attacks coupled with acceptable user friendliness. Passwords with this level of complexity have proven their efficiency in practice. Trivial and short passwords are susceptible to brute force and dictionary attacks and are therefore easy for attackers to determine. Once a password has been ascertained it can be used by an attacker for unauthorized access to the system and the data on it.
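
The rules quoted above (12 characters, three of four categories, 8 characters only when the login itself uses 2FA/MFA, a hard floor of 8, and no field cap below 25) can be expressed as a small policy object plus a validator. The block below is an added example written for this thread; it is not BWRP-UI code, and the names `psaPolicy`, `validatePassword`, `policyConfigErrors` and the sample strings are illustrative assumptions. It also checks the policy object itself, so that if the minimum length is made a configurable variable, a misconfigured value cannot undercut the 8-character floor or cap the input field below 25.

```javascript
// Added example, not part of BWRP-UI. All identifiers here are illustrative.

// Policy values taken from the quoted PSA requirement text.
const psaPolicy = {
  minLength: 12,             // default minimum length
  minLengthWithMfa: 8,       // allowed only when the login itself uses 2FA/MFA
  absoluteFloor: 8,          // "a minimum value of 8 characters must not be undercut"
  minCategories: 3,          // of the four categories below
  minAcceptedMaxLength: 25,  // the system may not cap passwords below this
};

// Character categories. Unicode property escapes so that "Ä", "é" or "٣"
// are classified as letters/digits instead of silently counting as "special".
const categoryTests = {
  lower: /\p{Ll}/u,
  upper: /\p{Lu}/u,
  digit: /\p{Nd}/u,
  special: /[^\p{L}\p{N}]/u, // anything that is neither a letter nor a number
};

// Count code points, not UTF-16 units: "😀".length is 2 but it is one character.
function passwordLength(password) {
  return [...password].length;
}

function countCategories(password) {
  return Object.values(categoryTests).filter((re) => re.test(password)).length;
}

// Minimum length that applies to this login flow; never below the floor,
// even if a configurable policy value was set too low.
function requiredMinLength(policy, mfaAtLogin) {
  const configured = mfaAtLogin ? policy.minLengthWithMfa : policy.minLength;
  return Math.max(configured, policy.absoluteFloor);
}

// Sanity-check a (possibly variable) policy and the UI field's maxlength
// before using them. Returns a list of violations, empty when acceptable.
function policyConfigErrors(policy, fieldMaxLength = Infinity) {
  const errors = [];
  if (policy.absoluteFloor < 8) errors.push('absoluteFloor below 8');
  if (policy.minLength < policy.absoluteFloor) errors.push('minLength below floor');
  if (policy.minLengthWithMfa < policy.absoluteFloor) errors.push('minLengthWithMfa below floor');
  if (fieldMaxLength < policy.minAcceptedMaxLength) {
    errors.push(`field maxlength ${fieldMaxLength} limits passwords below ${policy.minAcceptedMaxLength}`);
  }
  return errors;
}

function validatePassword(password, { mfaAtLogin = false, policy = psaPolicy } = {}) {
  if (typeof password !== 'string') {
    return { ok: false, errors: ['password must be a string'] };
  }
  const errors = [];
  const minLength = requiredMinLength(policy, mfaAtLogin);
  const length = passwordLength(password);
  const categories = countCategories(password);
  if (length < minLength) errors.push(`length ${length} is below the minimum of ${minLength}`);
  if (categories < policy.minCategories) {
    errors.push(`only ${categories} of 4 character categories used, need ${policy.minCategories}`);
  }
  return { ok: errors.length === 0, errors, length, categories, minLength };
}

// Constructed sample inputs (not real credentials) showing each rule firing.
const samples = [
  ['Correct-Horse-Battery-Staple', {}],          // accepted: 28 chars, 3 categories
  ['password1234', {}],                          // rejected: only 2 categories
  ['Tr0ub4dor&3', {}],                           // rejected: 11 chars without MFA
  ['Tr0ub4dor&3', { mfaAtLogin: true }],         // accepted: 8-char minimum applies
];
for (const [pw, opts] of samples) {
  const r = validatePassword(pw, opts);
  console.log(`${pw.padEnd(30)} ${r.ok ? 'accepted' : 'rejected: ' + r.errors.join('; ')}`);
}
console.log('policy errors with maxlength=20:', policyConfigErrors(psaPolicy, 20));
```

Two details matter in practice: the MFA flag must describe the login flow, not registration, because the relaxation only applies when a second factor is checked at login; and the length is counted in code points so a user typing non-ASCII characters is not under- or over-counted by the UTF-16 `length` property.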

smeyerzu commented 2 years ago

Can we implement this with a variable?