From: D B. <ba...@aw...> - 2018-04-25 16:52:30
Hi!

On 24/04/18 00:05, Krzysztof Benedyczak wrote:
> Well, probably this is a bit misleading. The meaning of 0 is that no
> history should be checked (previous passwords), but your new candidate for
> a password must still be different from the current one. Also I think
> (but I'd need to verify this) we may have a bug that reconfiguring the
> credential to have a lower limit (so changing the setting from, say, 10 to
> 1) in some cases won't work. This latter I need to confirm.
>
> Anyway, if you create a new credential with 0 then you won't be able to
> set a password to the current one. While this sounds nonsense, I think we
> can still allow for this (assuming the setting is 0): to rehash the same
> password after a password hashing configuration change.

Not quite sure I understand. Is there a difference between setting history of 0 and 1 then? Does 1 mean "not the last one and the one before that"?

> Have you changed your authenticator configuration to use the
> 'SimplePassword' instead of sys:password?

Ah, that's the trick! Thanks!

One thing I'm not sure about yet is: do I need to manually reset the passwords for the users (as admin) so that they are able to log in when the new password restrictions are applied? (I got that impression but I'm not sure.) If so, how do I update the admin password without locking myself out of the admin account?

> Actually we hit this a couple of times too. We are thinking how to enable
> such a feature without creating a super-complex credential config and at the
> same time being able to provide a sensible user experience and control.

Yeah, if the user only gets "Password too weak" they have no indication what it takes to make the password stronger. Maybe a progress bar above/below the password field that fills up as more "password strength" gets added to the password?

> I even think this can go into the next release, as we are anyway working on
> making password setting/reset/update user friendly (better UI, feedback)
> for 2.5.

Sounds great!

> Having this defined as "minimum allowed security index" is somewhat
> difficult, as admins typically won't know what is a "strong" or "low"
> index. But maybe it is the way to go. I've checked KeePass and indeed it
> seems to use a dictionary ('alic' has a higher score than 'alice'), but this
> is a pretty poor dictionary.

And also the dictionary would/could depend on the language.

> Thinking in progress - feature request of course accepted.

Thanks!

Best,
D.