From: D B. <ba...@aw...> - 2018-04-23 15:29:07
Hi,

I'm trying to change the password requirements for my unity setup (knowing my users, if I put too many requirements on them they'll just write their passwords down or reuse them; see also NIST's new password recommendations, e.g. https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-pw0rd).

So far, I haven't had much success: I created a new credential definition called SimplePassword with Number of previous, forbidden passwords: 0 and edited the "Password requirement" credential requirement to use it instead of sys:password. However, when I try to update an identity's password credential, the password verificator complains that I'm reusing a password (which I am, but I've just configured that unity shouldn't worry about it...). How can I get unity to allow users to reuse previous passwords?

More importantly, when I set a new, weak password and try to log in with it, authentication is denied. So something seems to be going on with the password update after changing a credential requirement by swapping in a new credential definition. Once I swap back to the original sys:password requirement and change the password again, login works fine.

Somewhat related to the password verification issue, may I add a feature request? In times of "correct battery horse staple", could you introduce a measure of password strength that also takes length into account? So that users can e.g. have 30+ character passwords with only one character class OR 10 character passwords with more character classes. I've seen KeePass use some sort of entropy (password strength is measured in bits), probably using a dictionary to detect frequently used character combinations (-> words). The admin could then configure the required entropy of the passwords and let the users decide themselves whether they want longer or more random passwords.

Cheers,
D.
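The length-aware, dictionary-penalising strength measure that the feature request describes, sketched as an added Python example. This is not Unity code, not KeePass's actual algorithm, and not part of the original post; the 16-word list is constructed for the example, the character-class sizes are the usual four ASCII classes, and the 60-bit threshold in `meets_policy` is an assumed admin setting. A real deployment would load a word list of tens of thousands of entries; the per-word cost is log2 of the list size, so it scales automatically.

```python
import math
import string

# Constructed, deliberately tiny word list (16 entries, so each dictionary
# hit costs exactly log2(16) = 4 bits). A real list would be far larger.
COMMON_WORDS = (
    "correct", "horse", "battery", "staple", "password", "welcome",
    "summer", "dragon", "monkey", "letmein", "qwerty", "admin",
    "login", "master", "shadow", "sunshine",
)

# Character-class sizes for the brute-force estimate of non-dictionary text.
LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = len(string.punctuation) + 1   # 32 ASCII punctuation characters plus space


def _find_word(text, words):
    """Longest word in `words` that `text` starts with (case-insensitive), or None."""
    lowered = text.lower()
    best = None
    for w in words:
        if lowered.startswith(w) and (best is None or len(w) > len(best)):
            best = w
    return best


def _charset_size(chars):
    """Size of the alphabet an attacker would have to brute-force for `chars`."""
    size = 0
    if any(c.islower() for c in chars):
        size += LOWER
    if any(c.isupper() for c in chars):
        size += UPPER
    if any(c.isdigit() for c in chars):
        size += DIGITS
    if any(not c.isalnum() for c in chars):
        size += SYMBOLS
    return size


def estimate_entropy_bits(password, words=COMMON_WORDS):
    """Estimate guessing entropy in bits.

    Dictionary words are charged log2(len(words)) bits each (plus 1 bit if the
    match is not all-lowercase, for the capitalisation variant); the remaining
    characters are charged log2(alphabet size) each, so length and character
    variety trade off against each other as the post asks for.
    """
    word_cost = math.log2(len(words))
    bits = 0.0
    residual = []
    i = 0
    while i < len(password):
        w = _find_word(password[i:], words)
        if w is not None:
            segment = password[i:i + len(w)]
            bits += word_cost
            if segment != segment.lower():
                bits += 1.0
            i += len(w)
        else:
            residual.append(password[i])
            i += 1
    if residual:
        bits += len(residual) * math.log2(_charset_size("".join(residual)))
    return bits


def meets_policy(password, required_bits=60.0, words=COMMON_WORDS):
    """True if the password reaches the admin-configured entropy threshold (assumed 60 bits)."""
    return estimate_entropy_bits(password, words) >= required_bits


if __name__ == "__main__":
    for pw in ("correcthorsebatterystaple", "zqxjkvbwmpfgyhdtrlncszqxjkvbwm",
               "T9$kq#Lm2v", "abcdefg"):
        print(f"{pw:32s} {estimate_entropy_bits(pw):7.1f} bits  ok={meets_policy(pw)}")
```

With the constructed list the four-word passphrase scores only 16 bits and fails the 60-bit policy, which is the dictionary penalty doing its job against a tiny list; against a 2048-word list the same structure would score 44 bits. A 30-character single-class string that matches no word scores about 141 bits and a 10-character four-class string about 66 bits, so both pass, which is exactly the length-versus-variety trade-off the request describes.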