Re: UAA : Is anyone utilizing the Password Score Feature


Nicholas Calugar
 

Hi Sree,




Not sure if this is possible, but maybe instead of requireAtLeastOneSpecialCharacter boolean, you could do minSpecialCharacters int (0-n)? This would allow more rigorous password policies. 







Nick




Nicholas Calugar

On Wed, Jun 3, 2015 at 12:00 PM, Sree Tummidi <stummidi(a)pivotal.io> wrote:

Hi All,
The UAA team is in the process of implementing Password Policy feature
<https://www.pivotaltracker.com/story/show/82182984> for users stored in
UAA.
The following properties around password strength will be exposed in the
YML configuration.
#passwordPolicy:
# minLength: 8
# requireAtLeastOneSpecialCharacter: true
# requireAtLeastOneUppercaseCharacter: true
# requireAtLeastOneLowercaseCharacter: true
# requireAtLeastOneDigit: true
The Password Policy feature is being implemented to support multi-tenant
UAA. Each Tenant/Identity Zone will get its own password policy. The
password policy for the default zone will be configurable via YML.
UAA currently supports the *zxcvbn
<https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/>*
style
password score. This is currently exposed via the following properties in
the YML configuration file. There is an end point
<https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#query-the-strength-of-a-password-post-password-score>
for
querying the status of the same.
password-policy:
required-score: <int>
We would like to understand if this password score feature is being
utilized at all. We don't plan on making this feature multi-tenant and
would like to drop this in favor of the new approach which is much more
granular and supports multi tenancy.
Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.