From: Krzysztof B. <kb...@un...> - 2018-04-26 18:03:52

Hi,

On 25.04.2018 at 18:52, D Baum wrote:
> Hi!
>
> On 24/04/18 00:05, Krzysztof Benedyczak wrote:
>> Well probably this is a bit misleading. The meaning of 0 means that no
>> history should be checked (previous passwords) but your new candidate for
>> a password must be different from the current one still. Also I think
>> (but I'd need to verify this) we may have a bug that reconfiguring
>> credential to have lower limit (so changing the setting from say 10 to
>> 1) in some cases won't work. This latter I need to confirm.
>
>> Anyway if you create a new credential with 0 then you won't be able to
>> set a password to the current one. While this sounds nonsense I think we
>> can still allow for this (assuming the setting is 0): to rehash the same
>> password after password hashing configuration change.
> Not quite sure I understand. Is there a difference between setting
> history of 0 and 1 then? Does 1 mean "not the last one and the one
> before that"?

So the current one (which you call last one I think) is always checked
and the config number tells how many additional should be checked.

>> Have you changed your authenticator configuration to use the
>> 'SimplePassword' instead of sys:password?
> Ah, that's the trick! Thanks!
>
> One thing I'm not sure about yet is: Do I need to manually reset the
> passwords for the users (as admin) so that they are able to log in when
> the new password restrictions are applied? (I got that impression but
> I'm not sure.)
>
> If so, how do I update the admin password without locking myself out of
> the admin account?

There is a huge difference between updating credential settings and
changing the credential. In the first case you basically have to do
nothing special: if you change configuration of the password so that some
existing passwords do not conform, those will be treated as outdated on
the first subsequent use (and the user will have to change the password).
If you however want to start using a new password credential (e.g. used
fooPass, now using barPass) you just need to make sure that your users
have this password.

>> Actually we hit this couple of times too. We are thinking how to enable
>> such feature without creating super-complex credential config and at the
>> same time being able to provide sensible user experience and control.
> Yeah, if the user only gets "Password too weak" they have no indication
> what it takes to make the password stronger.
> Maybe a progress bar above/below the password field that fills up as
> more "password strength" gets added to the password?

yes, and more :-)

Thanks,
Krzysztof
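The history semantics described in the reply, written out as an added Python illustration (not code from the thread or from the product being discussed): the current password is always compared, the configured number adds that many older ones, a password stored under different hashing settings is flagged as outdated for re-setting at its next use, and the proposed "history 0 may rehash the same password after a config change" relaxation is included. The class and function names and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes
    iterations: int  # hashing parameter that was in force when it was set


@dataclass
class PasswordCredential:
    history: int     # the credential's "history" setting (assumed name)
    iterations: int  # current hashing configuration
    current: Optional[StoredPassword] = None
    previous: List[StoredPassword] = field(default_factory=list)  # newest first


def _hash(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def _matches(password: str, stored: StoredPassword) -> bool:
    return hmac.compare_digest(_hash(password, stored.salt, stored.iterations), stored.digest)


def is_outdated(cred: PasswordCredential) -> bool:
    """Stored under different hashing settings: must be re-set at the next use."""
    return cred.current is not None and cred.current.iterations != cred.iterations


def check_candidate(cred: PasswordCredential, candidate: str) -> bool:
    """The current password is always checked; `history` adds that many older ones."""
    if cred.current is not None and _matches(candidate, cred.current):
        # proposed relaxation from the mail: with history 0, re-setting the
        # same password is allowed only to rehash it after a config change
        return cred.history == 0 and is_outdated(cred)
    # slicing at check time means lowering the limit takes effect immediately
    return not any(_matches(candidate, old) for old in cred.previous[:cred.history])


def set_password(cred: PasswordCredential, candidate: str) -> None:
    if not check_candidate(cred, candidate):
        raise ValueError("candidate matches the current or a recent password")
    if cred.current is not None:
        cred.previous.insert(0, cred.current)
        del cred.previous[cred.history:]  # keep only as many as the setting needs
    salt = os.urandom(16)
    cred.current = StoredPassword(salt, _hash(candidate, salt, cred.iterations), cred.iterations)
```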