From: Krzysztof B. <kb...@un...> - 2018-04-23 22:06:13
On 23.04.2018 at 17:28, D Baum wrote:
> Hi,
>
> I'm trying to change the password requirements for my unity setup
> (knowing my users, if I put too many requirements on them they'll just
> write their passwords down or reuse them; see also NIST's new password
> recommendations, e.g.
> https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-pw0rd).
>
> So far, I haven't had much success: I created a new credential
> definition called SimplePassword with
> Number of previous, forbidden passwords: 0
> and edited the "Password requirement" credential requirement to use it
> instead of sys:password.
>
> However, when I try to update an identity's password credential, the
> password verificator complains that I'm reusing a password (which I am,
> but I've just configured that unity shouldn't worry about it...). How
> can I get unity to allow users to reuse previous passwords?

Well, probably this is a bit misleading. The meaning of 0 is that no history should be checked (no previous passwords), but your new candidate for a password must still be different from the current one. Also I think (but I'd need to verify this) we may have a bug that reconfiguring a credential to have a lower limit (so changing the setting from, say, 10 to 1) in some cases won't work. This latter I need to confirm.

Anyway, if you create a new credential with 0 then you won't be able to set a password to the current one. While this sounds like nonsense, I think we can still allow for this (assuming the setting is 0): to rehash the same password after a password hashing configuration change. I'll check this up.

> More importantly, when I set a new, weak password and try to log in with
> it, authentication is denied.
>
> So something seems to be going on with the password update after
> changing a credential requirement by swapping in a new credential
> definition.

Have you changed your authenticator configuration to use 'SimplePassword' instead of sys:password?

> Once I swap back to the original sys:password requirement and change the
> password again, login works fine.
>
>
>
> Somewhat related to the password verification issue, may I add a feature
> request?
> In times of "correct battery horse staple", could you introduce a
> measure of password strength that also takes length into account? So
> that users can e.g. have 30+ character passwords but with only one
> character class OR 10 character passwords with more character classes.
> I've seen KeePass use some sort of entropy (password strength is
> measured in bits), probably using a dictionary to detect frequently used
> character combinations (-> words).
> The admin could then configure the required entropy of the passwords and
> let the users decide themselves whether they want longer or more random
> passwords.

Actually we hit this a couple of times too. We are thinking how to enable such a feature without creating a super-complex credential config and at the same time being able to provide a sensible user experience and control. I even think this can go into the next release, as we are anyway working on making password setting/reset/update user friendly (better UI, feedback) for 2.5.

Having this defined as a "minimum allowed security index" is somewhat difficult, as admins typically won't know what is a "strong" or "low" index. But maybe it is the way to go. I've checked KeePass and indeed it seems to use a dictionary ('alic' has a higher score than 'alice'), but this is a pretty poor dictionary - I was able to easily find real words, 5 chars long, which had the same score as random strings (and of course way higher than 'alice'). So this index meaning is a bit fuzzy.

Thinking in progress - feature request of course accepted.

Thanks
Krzysztof
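As an added illustration of the length-aware, entropy-in-bits measure discussed in the feature request above (example code written for this thread, not Unity's or KeePass's implementation): each random character is charged log2(pool size) bits and each dictionary word log2(dictionary size) bits, so a 30-character single-class password and a 10-character four-class password can both clear one admin-set threshold. The seven-word dictionary, the per-class pool sizes and the 60-bit threshold are constructed assumptions; with such a tiny word list the 'alic' > 'alice' ordering Krzysztof observed in KeePass falls out of the same rule.

```python
import math
import re

# Constructed stand-in for a real word list (assumption; a real one has ~1e5 entries).
DICTIONARY = {"alice", "correct", "horse", "battery", "staple", "password", "unity"}

# Character classes and the alphabet size each one contributes (assumed pool sizes).
CHAR_CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))


def pool_size(chunk):
    """Alphabet size implied by the character classes present in a random chunk."""
    return sum(size for pattern, size in CHAR_CLASSES if re.search(pattern, chunk))


def tokenize(password, dictionary=DICTIONARY):
    """Split a password into ('word', w) dictionary hits (longest match first,
    case-insensitive) and ('random', r) chunks of everything between them."""
    tokens, buf, i = [], "", 0
    max_len = max((len(w) for w in dictionary), default=0)
    while i < len(password):
        hit = next((password[i:i + n] for n in range(min(max_len, len(password) - i), 0, -1)
                    if password[i:i + n].lower() in dictionary), None)
        if hit is None:
            buf += password[i]
            i += 1
            continue
        if buf:
            tokens.append(("random", buf))
            buf = ""
        tokens.append(("word", hit))
        i += len(hit)
    if buf:
        tokens.append(("random", buf))
    return tokens


def entropy_bits(password, dictionary=DICTIONARY):
    """Guessing-entropy estimate: a dictionary word costs one pick from the list,
    a random chunk costs log2(pool) per character, so length and class mix trade off."""
    bits = 0.0
    for kind, text in tokenize(password, dictionary):
        if kind == "word":
            bits += math.log2(len(dictionary))
        else:
            bits += len(text) * math.log2(pool_size(text))
    return bits


def meets_policy(password, min_bits=60.0):
    """Single admin knob: the required entropy in bits (60 is an assumed threshold)."""
    return entropy_bits(password) >= min_bits
```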