indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

Local accounts: check password quality #544

Closed jouvin closed 3 weeks ago

jouvin commented 1 year ago

Hi,

Currently, when defining the password for an IAM account, the only requirement is that the password is at least 6 characters. This looks very weak, considering that IAM is a central authentication service giving potentially access to a lot of resources. If it is not necessarily a problem when you disable/hide local account support, it is a major one if you enable IAM login through user/pwd.

An urgent first step would be to require at least 8 characters and to check for a mix of letters, characters and symbols. On the long term, the ability to define the criteria, at least the minimum length, would be good. And the ability to check the password with a service like https://haveibeenpwned.com would be great!

Cheers,

Michel

enricovianello commented 1 year ago

@giacomini what do you think can be the right requirement for the password? Do you agree with:

As a note about the haveibeenpwned service, I can report the following.

The HaveIBeenPwned password check does not work by transmitting the password to their site. Only the first 5 characters of the hashed password are transmitted and HIBP then returns all the suffix-hashes for known leaked passwords, along with a number indicating how often they've been found in public leaks, allowing you to locally compare those against the full hash of your password. (The method is called k-anonymity and described further here: https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/ ) Neither your password, nor the full SHA-1 hash ever leave your system.

Example: "Password"

SHA-1 hash: 8be3c943b1609fffbfc51aad666d0a04adf83c9d
API URL: https://api.pwnedpasswords.com/range/8be3c

Returns among others this suffix:

943B1609FFFBFC51AAD666D0A04ADF83C9D:130999

So "Password" has been found in leaks 130999 times, and is not a good password to use.

Example: "tun834v9y8n347mv834yv34"

SHA-1 hash: d896bd51f8362d72e90f00617f16bbbd571e4aa0
API URL: https://api.pwnedpasswords.com/range/d896b

Checking for the suffix "d51f8362d72e90f00617f16bbbd571e4aa0" in the returned hashes returns no results, so "tun834v9y8n347mv834yv34" was not found in any leaks (yet).

I agree also this kind of check can be added. What do you think @giacomini ?

jouvin commented 1 year ago

@enricovianello about the minimum requirements, I think a mix of alpha, numeric and symbols with a min length of is a good starting point. In an ideal world, you would allow sites to disable each character group (with a variable in the instance config file) and define the minimum length (with a hardcoded min at 6 or 8?), but probably it is not so useful and you could wait until somebody comes with a real use case.
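As an added example (not IAM code, and not proposed by anyone in this thread), the following Python puts the two checks discussed above side by side: the local policy from the opening post (minimum length plus a mix of letters, digits and symbols) and the k-anonymity lookup against Pwned Passwords described in the second comment. Only the first five hex characters of the SHA-1 go to the remote side; the suffix comparison happens locally. To keep it runnable offline, the range response for prefix `8BE3C` is a constructed stand-in in which only the `Password` line (suffix and count 130999) comes from the issue; the other two lines, the function names, and the 8-character minimum are assumptions for illustration.

```python
import hashlib
import re
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample of a Pwned Passwords range response for prefix 8BE3C.
# The real API returns one "<35-hex-char suffix>:<count>" line per known hash.
# Only the 943B...3C9D:130999 line is taken from the issue; the others are made up.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "8BE3C": "\n".join([
        "0012A4C7E1B0F2A9D3C4E5F60718293A4B5:2",
        "943B1609FFFBFC51AAD666D0A04ADF83C9D:130999",
        "FFE0123456789ABCDEF0123456789ABCDEF:1",
    ]),
}

MIN_LENGTH = 8  # assumed policy value, per the "at least 8 characters" suggestion


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call: returns the constructed body for known
    prefixes and an empty body (no matches) for any other prefix."""
    return SAMPLE_RANGE_RESPONSES.get(prefix.upper(), "")


def http_fetch_range(prefix: str) -> str:
    """Live lookup of https://api.pwnedpasswords.com/range/<prefix>.
    Not called by default so the example stays offline."""
    url = f"https://api.pwnedpasswords.com/range/{prefix.upper()}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """Return how many times the password appears in known leaks (0 if absent)."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def policy_violations(password: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Local complexity check: length plus letters, digits and symbols."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    return problems


def check_password(password: str,
                   fetch_range: Callable[[str], str] = offline_fetch_range) -> List[str]:
    """Combine the local policy with the breach lookup; an empty list means accepted."""
    problems = policy_violations(password)
    hits = pwned_count(password, fetch_range)
    if hits:
        problems.append(f"found in {hits} known breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("Password", "tun834v9y8n347mv834yv34", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Passing `http_fetch_range` as `fetch_range` switches to the real service; the lookup logic is unchanged because the prefix/suffix split is the only thing that differs between a local and a remote range source.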