Open chThie opened 3 years ago
Eight or more characters when created by humans
If the current requirement is already 12 characters, why would we reduce that? From what I've read, long passwords are one of the most important criteria when choosing safe passwords.
This is just the quoted NIST recommendation on this. They recommend 8 or more characters, so 12 is totally fine. I would not propose to change this criterion.
The main point I wanted to address is to replace the need to use characters from different character sets with a blacklist of frequently used passwords.
See also this comment: https://github.com/hzi-braunschweig/SORMAS-Project/issues/3977#issuecomment-760762069
This is a follow-up motivated by https://github.com/hzi-braunschweig/SORMAS-Project/issues/3977#issuecomment-759479499 (from @vidi42), which I will quote in the following.
Situation Description
The default password policy for user accounts that was recently implemented (#3988) via keycloak is:
The reason for this specific policy is a previously defined policy for SORMAS:
The mandatory use of characters from a lot of different character sets for a password can be demanding for users and unexpectedly does not necessarily add a lot of entropy to the set of resulting passwords.
(source: Of Passwords and People: Measuring the Effect of Password-Composition Policies) At the same time easy-to-guess passwords like "Password!1" comply with the policy.
Feature Description
To make it easier for users to choose strong passwords and remember them at the same time, there are modern recommendations for password policies which do not restrict users to using different character sets.
The current NIST recommendation e.g. proposes the following guidelines:
(Source: https://www.ekransystem.com/en/blog/password-policy-compliance-checklist) (original NIST source: https://pages.nist.gov/800-63-3/sp800-63b.html (-> 5.1.1.2 Memorized Secret Verifiers))
The main difference from the current password requirements in SORMAS is that they recommend checking user passwords against dictionaries (with e.g. commonly used insecure passwords), while not requiring users to use characters from multiple character sets.
Keycloak seems to support using password blacklists, so I guess this could be implemented with low effort: https://www.keycloak.org/docs/5.0/server_admin/#_password-policies
Examples for blacklists that could be used for this purpose can be found here: https://github.com/danielmiessler/SecLists/tree/master/Passwords
Probably, there are lists for specific languages as well.
I think it could be worth discussing how to refine the policy oriented towards the NIST recommendations to improve security and user friendliness at the same time.
Possible Alternatives
Additional Information
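The blacklist-plus-length check that the quoted NIST section describes, shown next to a character-class policy so the difference is visible on concrete inputs, as an added Python example (not SORMAS or Keycloak code; the composition rule, the minimum lengths, the sample word list and the case-insensitive matching are assumptions of this example):

```python
"""NIST SP 800-63B 5.1.1.2 style memorized-secret check next to a
character-class policy. Added example; not SORMAS or Keycloak code."""
import re
from typing import Dict, List, Set

# Constructed sample blacklist: a few entries standing in for a SecLists-style
# file. A real deployment loads one of the large lists referenced in the issue.
SAMPLE_BLACKLIST = """
password
password1
Password!1
123456
qwerty
letmein
sormas
"""


def load_blacklist(text: str) -> Set[str]:
    """Lower-case and de-duplicate a newline-separated word list."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


BLACKLIST = load_blacklist(SAMPLE_BLACKLIST)


def composition_policy(pw: str, min_len: int = 8) -> List[str]:
    """Assumed character-class policy (not SORMAS's exact rule set): a minimum
    length plus at least one character from each of four classes.
    Returns the list of violated rules (empty means accepted)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len}")
    for name, pattern in (("upper", r"[A-Z]"), ("lower", r"[a-z]"),
                          ("digit", r"[0-9]"), ("special", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            problems.append(f"no {name} character")
    return problems


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 in code
    point, e.g. 'abcd' or '4321'."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def nist_policy(pw: str, username: str = "", min_len: int = 8,
                blacklist: Set[str] = BLACKLIST) -> List[str]:
    """NIST-style check: a length floor, no composition rules, and rejection
    of blacklisted, repetitive, sequential and context-specific values.
    Blacklist matching is case-insensitive (an assumption of this example)."""
    problems = []
    lowered = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len}")
    if lowered in blacklist:
        problems.append("blacklisted")
    if re.search(r"(.)\1{3,}", pw):          # four or more identical in a row
        problems.append("repetitive characters")
    if _has_sequence(pw):
        problems.append("sequential characters")
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains username")
    return problems


def evaluate(pw: str, username: str = "") -> Dict[str, List[str]]:
    """Run both policies on one candidate so the outcomes can be compared."""
    return {"composition": composition_policy(pw),
            "nist": nist_policy(pw, username)}


if __name__ == "__main__":
    for candidate in ("Password!1", "correct horse battery staple", "jdoe2021!x"):
        print(candidate, evaluate(candidate, username="jdoe"))
```

"Password!1" satisfies every character class yet is rejected by the blacklist, while a long all-lowercase passphrase fails the composition policy and passes the NIST-style one; that is the trade-off the issue describes. In Keycloak itself the equivalent is a configured policy entry rather than application code: the linked documentation describes a password blacklist policy type that reads a word list file, so the checks above would be expressed as that policy plus a length rule.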