eZ Publish / Platform: EZP-28699

Password quality checker


      Description

      Forcing or recommending a minimum level of entropy in passwords can reduce your attack surface (how much is debatable), and addresses CWE-521, Weak Password Requirements: http://cwe.mitre.org/data/definitions/521.html
      1) Minimum and maximum length (supported in eZ Platform now)
      2) Require mixed character sets (alphabetic, numeric, special, mixed case) (supported in eZ Platform now)
      3) Must not contain the user name
      4) Expiration (supported in eZ Platform now)
      5) No reuse of previous passwords

      These are easy to implement logic-wise. Rejecting dictionary-based passwords like "secret" is harder to do well, but such simple passwords are largely caught by the five rules above anyway (a composition check still accepts predictable patterns such as a capitalised word followed by digits and a symbol), and dictionary words have the advantage that they are easier to remember (for users without a password manager).

      Suggestion: Add a password quality checker for eZ Platform, with configurable criteria, which informs the user of the quality level of their password and/or refuses to accept passwords below a set threshold. (Note: configurable criteria are implemented now.)

      The checker can also run at login, since that is the only point where the plaintext of a password created before the checker was introduced is available again; optionally it can force users whose password fails the check to change it immediately.
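As an added illustration (not eZ Platform code, nor code from the issue), the five rules, the quality threshold and the login-time re-check above combined into one configurable checker in PHP, the language eZ Platform is written in. The class and method names (PasswordPolicy, check(), quality(), isExpired(), mustChangePassword()), the rule keys, the default values and the sample passwords are all assumptions made here; the reuse rule is checked against password_hash() outputs rather than stored plaintexts.

```php
<?php
declare(strict_types=1);
// Added example, not eZ Platform code. All names, rule keys and defaults are assumptions.
final class PasswordPolicy
{
    private $rules;

    public function __construct(array $rules = [])
    {
        // Defaults cover the five rules from the issue. Expiration is a date on the
        // account rather than a property of the string, so it has its own method.
        $this->rules = array_merge([
            'min_length'      => 12,
            'max_length'      => 256, // keep generous: a cap only bounds hashing cost
            'require_lower'   => true,
            'require_upper'   => true,
            'require_digit'   => true,
            'require_special' => true,
            'forbid_username' => true,
            'forbid_reuse'    => true,
            'min_quality'     => 3,   // refuse below this level (see quality())
            'max_age_days'    => 90,
        ], $rules);
    }

    /**
     * Returns the violated rules; an empty array means the password is accepted.
     * @param string   $password       plaintext candidate
     * @param string   $username       the account's login name
     * @param string[] $previousHashes password_hash() outputs of earlier passwords
     */
    public function check(string $password, string $username, array $previousHashes = []): array
    {
        $violations = [];
        $len = mb_strlen($password);
        if ($len < $this->rules['min_length']) {
            $violations[] = 'too_short';
        }
        if ($len > $this->rules['max_length']) {
            $violations[] = 'too_long';
        }
        foreach (['lower' => '/\p{Ll}/u', 'upper' => '/\p{Lu}/u',
                  'digit' => '/\p{N}/u', 'special' => '/[^\p{L}\p{N}]/u'] as $name => $re) {
            if ($this->rules['require_' . $name] && !preg_match($re, $password)) {
                $violations[] = 'no_' . $name;
            }
        }
        // Case-insensitive, so "Gunnstein2018!" is rejected for user "gunnstein".
        if ($this->rules['forbid_username'] && $username !== ''
            && mb_stripos($password, $username) !== false) {
            $violations[] = 'contains_username';
        }
        // Reuse is checked against stored hashes; old plaintexts are never kept.
        if ($this->rules['forbid_reuse']) {
            foreach ($previousHashes as $hash) {
                if (password_verify($password, $hash)) {
                    $violations[] = 'reused';
                    break;
                }
            }
        }
        if ($this->quality($password) < $this->rules['min_quality']) {
            $violations[] = 'below_quality_threshold';
        }
        return $violations;
    }

    /** Coarse 0..5 level for user feedback: one point per character class, one for length >= 16. */
    public function quality(string $password): int
    {
        $score = mb_strlen($password) >= 16 ? 1 : 0;
        foreach (['/\p{Ll}/u', '/\p{Lu}/u', '/\p{N}/u', '/[^\p{L}\p{N}]/u'] as $re) {
            $score += preg_match($re, $password) ? 1 : 0;
        }
        return $score;
    }

    public function isExpired(\DateTimeImmutable $changedAt, \DateTimeImmutable $now): bool
    {
        return $changedAt->modify('+' . $this->rules['max_age_days'] . ' days') < $now;
    }
}

// Login-time re-check: the plaintext is only available while the user authenticates,
// so this is where passwords that predate the checker can be tested and flagged.
function mustChangePassword(PasswordPolicy $policy, string $password, string $username,
                            array $previousHashes, \DateTimeImmutable $changedAt): bool
{
    return $policy->check($password, $username, $previousHashes) !== []
        || $policy->isExpired($changedAt, new \DateTimeImmutable());
}

// Constructed sample data.
$policy  = new PasswordPolicy();
$oldHash = password_hash('Correct-Horse-Battery-9', PASSWORD_DEFAULT);
print_r($policy->check('secret', 'gunnstein', [$oldHash]));
print_r($policy->check('Correct-Horse-Battery-9', 'gunnstein', [$oldHash]));
print_r($policy->check('Gunnstein2018!', 'gunnstein'));
print_r($policy->check('Tr0ub4dor&3-long-enough', 'gunnstein', [$oldHash]));
```

Two choices worth keeping in any real implementation: the maximum length stays large, because its only purpose is to bound the cost of hashing very long inputs, and the reuse rule compares against the stored hashes of earlier passwords so that no old plaintext is ever retained. The quality() level is deliberately coarse feedback for the user, not an entropy estimate, which is why a threshold on it is combined with the explicit rules rather than replacing them.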

            People

            Assignee:
            Unassigned
            Reporter:
            gunnstein.lye@ez.no Gunnstein Lye