RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

Invalidate the initial password after a time period #9842

Open ruKurz opened 6 years ago

ruKurz commented 6 years ago

Currently, the initial password of a local user who was created by an admin but never attempts to log on is valid indefinitely. Initial passwords of users created by an administrator should lose their validity after a configurable period of time.
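As an added illustration of the behaviour requested above (this is example code, not Rocket.Chat's own implementation), the check below refuses a login with an admin-set initial password once a configurable number of days has passed without the account ever having logged in, and a housekeeping sweep clears such passwords so they can no longer be verified at all. The setting name `Initial_Password_Valid_Days` and the user fields `createdByAdmin`, `createdAt`, `lastLogin`, `services.password` and `initialPasswordExpiredAt` are assumptions for the example, not Rocket.Chat's schema; the sample users are constructed.

```javascript
// Added example, not Rocket.Chat code. Field and setting names are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

// Hypothetical setting: 0 keeps today's behaviour (initial password valid forever).
const settings = { Initial_Password_Valid_Days: 14 };

// An initial password counts as "unused" while the account has never logged in.
// Only admin-created accounts are affected: a self-registered user chose their own
// password, so there is no admin-set secret sitting in a mailbox to expire.
function initialPasswordExpired(user, now = Date.now()) {
  const days = settings.Initial_Password_Valid_Days;
  if (!days || days <= 0) return false;     // feature disabled
  if (!user.createdByAdmin) return false;   // not an admin-set initial password
  if (user.lastLogin) return false;         // already used once; normal password policy applies
  const ageMs = now - new Date(user.createdAt).getTime();
  return ageMs > days * DAY_MS;
}

// Login hook. This runs regardless of whether the submitted password would verify,
// so the stale secret is worthless to whoever obtained it (mailbox, relay log, printout).
function checkLoginAllowed(user, now = Date.now()) {
  if (initialPasswordExpired(user, now)) {
    return { allowed: false, reason: "initial-password-expired" };
  }
  return { allowed: true };
}

// Periodic job: drop expired initial credentials and report the accounts an admin
// must re-provision. Idempotent: accounts already swept are not reported again.
function sweepExpired(users, now = Date.now()) {
  const expired = [];
  for (const u of users) {
    if (u.initialPasswordExpiredAt) continue;
    if (initialPasswordExpired(u, now)) {
      u.services = { ...u.services, password: undefined }; // hypothetical credential field
      u.initialPasswordExpiredAt = new Date(now).toISOString();
      expired.push(u._id);
    }
  }
  return expired;
}

// Constructed sample data with a fixed "now" so the example is deterministic.
const NOW = Date.parse("2024-01-31T12:00:00Z");
const SAMPLE_USERS = [
  // created by admin 30 days ago, never logged in -> expired
  { _id: "alice", createdByAdmin: true, createdAt: NOW - 30 * DAY_MS, lastLogin: null, services: { password: { bcrypt: "..." } } },
  // created by admin 3 days ago, never logged in -> still valid
  { _id: "bob", createdByAdmin: true, createdAt: NOW - 3 * DAY_MS, lastLogin: null, services: { password: { bcrypt: "..." } } },
  // created by admin 60 days ago but logged in on day 10 -> not an initial password any more
  { _id: "carol", createdByAdmin: true, createdAt: NOW - 60 * DAY_MS, lastLogin: NOW - 50 * DAY_MS, services: { password: { bcrypt: "..." } } },
  // self-registered 90 days ago, never logged in -> not affected by this rule
  { _id: "dave", createdByAdmin: false, createdAt: NOW - 90 * DAY_MS, lastLogin: null, services: { password: { bcrypt: "..." } } },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const u of SAMPLE_USERS) console.log(u._id, checkLoginAllowed(u, NOW));
  console.log("swept:", sweepExpired(SAMPLE_USERS.map((u) => ({ ...u })), NOW));
}
```

The login hook and the sweep are deliberately separate: the hook closes the window immediately (no waiting for the next job run), while the sweep removes the credential material and gives the administrator a list of accounts to re-provision.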

TwizzyDizzy commented 6 years ago

Hi @ruKurz

could you please elaborate on why that should be the case?

Cheers Thomas

ruKurz commented 6 years ago

As far as I know, invalidating initial passwords after a shorter period of time (compared to the period for locking inactive users) helps security, among other things because the misuse would not be actively detected by the user. If a user account has been created that is not being used, the brute-force attack vector increases slightly (by the number of user accounts that could potentially be attacked).

If you are aware of contradictory recommendations, I would be pleased to have a reference, similar to the one for enforcing password changes.

TwizzyDizzy commented 6 years ago

Hi @ruKurz

I see. To be honest, I don't know about best practice regarding this very topic, yet I would assume that if the password is sent with the initial registration mail it should of course be changed, as it may (or may not) have been exposed to intermediary SMTP relays.

The admin itself seems to be no consideration as an attacker because, quite obviously, he could get the password from memory on login.

If a user account has been created that is not being used, the brute-force attack vector increases slightly (by the number of user accounts that could potentially be attacked).

This seems to be true on first thought, yet when I think about it further, I think you have to distinguish between the probability of the whole system having a case of a successful brute-force attack and the probability of one single account getting brute-forced. But then again, I'm not well versed in probability theory, so I think I'll refrain from further comments and leave that up to the developers.

If you are aware of contradictory recommendations, I would be pleased to have a reference, similar to the one for enforcing password changes.

No, I am not aware of any best practices in that sector. Sorry.

Cheers Thomas

ruKurz commented 6 years ago

the password is sent with the initial registration mail it should of course be changed, as it may (or may not) have been exposed to intermediary SMTP relays

Encrypting the message content could help here. That solution would then lie outside of RC.

Probability theory

That's the keyword: like you, I'm not exactly familiar with it, so it's hard for me to evaluate the probability of occurrence (single account vs. whole system). I would be happy to hear an expert statement on this.

Thank you for your feedback and sharing your thoughts.
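The "single account vs. whole system" question that both participants leave open is straightforward to quantify. Below is an added worked example (not part of the thread and not Rocket.Chat code): if an online attacker has probability p of guessing one specific dormant account's initial password while it is valid, the probability that at least one of n independent dormant accounts falls is 1 - (1 - p)^n, so the system-level risk grows with n even though each account's own risk is unchanged, and p itself scales with how long the password stays valid. The scenario numbers (200 dormant accounts, a 10^6 password space, 1000 guesses per day per account under rate limiting) are constructed to make the effect visible; the functions and names are assumptions for the illustration.

```javascript
// Added example, not Rocket.Chat code. All scenario numbers are constructed.

// Probability that an attacker guesses one specific account's password within a
// guess budget, assuming a uniformly random initial password drawn from `keyspace`
// and an attacker who never repeats a guess (so the probability is linear, capped at 1).
function pSingleAccount(guesses, keyspace) {
  if (keyspace <= 0) throw new RangeError("keyspace must be positive");
  return Math.min(1, guesses / keyspace);
}

// Probability that at least one of n independent accounts is compromised:
// 1 - (1 - p)^n. This is the "whole system" figure from the thread.
function pAnyAccount(p, n) {
  if (p < 0 || p > 1) throw new RangeError("p must be in [0, 1]");
  if (n < 0) throw new RangeError("n must be non-negative");
  return 1 - Math.pow(1 - p, n);
}

// Exposure of a policy where initial passwords stay valid for `validityDays`:
// the attacker's guess budget per account is validityDays * guessesPerDay
// (guessesPerDay is what login rate limiting allows).
function exposure({ dormantAccounts, validityDays, guessesPerDay, keyspace }) {
  const single = pSingleAccount(validityDays * guessesPerDay, keyspace);
  return { single, system: pAnyAccount(single, dormantAccounts) };
}

// Invert the formula to size the configurable period: the longest validity (in whole
// days) that keeps the system-level probability at or below `riskBudget`.
// Returns 0 when no positive number of days meets the budget for that keyspace.
function maxValidityDays({ riskBudget, dormantAccounts, guessesPerDay, keyspace }) {
  if (riskBudget <= 0 || riskBudget >= 1) throw new RangeError("riskBudget must be in (0, 1)");
  const pAllowed = 1 - Math.pow(1 - riskBudget, 1 / dormantAccounts);
  return Math.floor((pAllowed * keyspace) / guessesPerDay);
}

// Constructed scenario: 200 admin-created accounts that never logged in, an
// initial-password space of 10^6 (e.g. a 6-digit pattern), 1000 guesses/day/account.
const SCENARIO = { dormantAccounts: 200, guessesPerDay: 1000, keyspace: 1e6 };
const longLived = exposure({ ...SCENARIO, validityDays: 365 }); // valid for a year
const shortLived = exposure({ ...SCENARIO, validityDays: 7 });  // valid for a week

if (typeof require !== "undefined" && require.main === module) {
  console.log("365 days:", longLived);   // single 0.365, system ~1
  console.log("  7 days:", shortLived);  // single 0.007, system ~0.75
  console.log("days allowed for 1% system risk, 10^6 space:",
    maxValidityDays({ ...SCENARIO, riskBudget: 0.01 }));
  console.log("days allowed for 1% system risk, 62^8 space:",
    maxValidityDays({ ...SCENARIO, riskBudget: 0.01, keyspace: Math.pow(62, 8) }));
}
```

Two things the numbers show that the discussion only gestures at: with a weak initial-password pattern the per-account risk over a week is under 1%, yet with 200 such accounts the chance that some account falls is about 75%, which is the system-level view; and for a genuinely random 8-character alphanumeric initial password the allowed validity under the same 1% budget is so long that expiry is a defence in depth against leaked mail, not against online guessing. Shortening validity and enforcing strong random initial passwords address different parts of the problem.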