eZ Publish / Platform / EZP-28699

Password quality checker


    Details

      Description

Forcing or recommending a certain level of entropy in passwords can (debatably) reduce your attack surface, and is a requirement of CWE-521 (http://cwe.mitre.org/data/definitions/521.html). Typical criteria:
1) Minimum and maximum length
2) Require mixed character sets (alpha, numeric, special, mixed case)
3) Must not contain the user name
4) Expiration
5) No password reuse

These are easy to do logic-wise (except expiration, which may require a schema update). Avoiding dictionary-based passwords like "secret" is a little harder to do well, but such simple passwords are in any case mitigated by the five rules above, and dictionary words have the advantage that they are easier to remember (when not using password keepers).

Suggestion: Add a password quality checker for eZ Platform, with configurable criteria, which informs the user of the quality level of their password and/or refuses to accept passwords below a set threshold.

This can also run during login, so that passwords created before the checker was put in place are checked as well. Optionally it can enforce that bad passwords be changed immediately.

People

Assignee: Unassigned
Reporter: Gunnstein Lye (gunnstein.lye@ez.no)
Votes: 0
Watchers: 1
