Re: UAA : Is anyone utilizing the Password Score Feature


Sree Tummidi
 

On the Password Score feature, I haven't yet received any updates on
whether its being used at all.
Please let us know if anyone is using the same.

Thank you Nick/Steve/Josh for the feedback !!
I agree with the approach of having Min Special Chars and specifying the
allowed special chars.
We are following the OWASP model. The list of allowed characters is here
<https://www.owasp.org/index.php/Password_special_characters>
I will update the policy requirements on my side.

-Sree


On Wed, Jun 3, 2015 at 12:39 PM, Winkler, Steve (GE Global Research) <
steve.winkler(a)ge.com> wrote:


+1


From: Nicholas Calugar <ncalugar(a)pivotal.io<mailto:ncalugar(a)pivotal.io>>
Reply-To: "Discussions about Cloud Foundry projects and the system
overall." <cf-dev(a)lists.cloudfoundry.org<mailto:
cf-dev(a)lists.cloudfoundry.org>>
Date: Wednesday, June 3, 2015 at 12:20 PM
To: "Discussions about Cloud Foundry projects and the system overall." <
cf-dev(a)lists.cloudfoundry.org<mailto:cf-dev(a)lists.cloudfoundry.org>>
Cc: CF Developers Mailing List <cf-dev(a)lists.cloudfoundry.org<mailto:
cf-dev(a)lists.cloudfoundry.org>>
Subject: Re: [cf-dev] UAA : Is anyone utilizing the Password Score Feature

Hi Sree,

Not sure if this is possible, but maybe instead of
requireAtLeastOneSpecialCharacter boolean, you could do
minSpecialCharacters int (0-n)? This would allow more rigorous password
policies.


Nick


Nicholas Calugar



On Wed, Jun 3, 2015 at 12:00 PM, Sree Tummidi <stummidi(a)pivotal.io<mailto:
stummidi(a)pivotal.io>> wrote:

Hi All,

The UAA team is in the process of implementing Password Policy feature<
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.pivotaltracker.com_story_show_82182984&d=AwMFaQ&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=8jfAtIC0enmugg7W93b4MxFNUdrneLwx6fyzU0yk9a8&m=wNYpag6E0rnGEhlO0X3GJ5d5Hz4fOBCSAOh8yveJ_mw&s=_wh20YK4sGow4AtgdhZx-n4fIJ4x2UiApoSSG8jVOCs&e=>
for users stored in UAA.
The following properties around password strength will be exposed in the
YML configuration.

#passwordPolicy:
# minLength: 8
# requireAtLeastOneSpecialCharacter: true
# requireAtLeastOneUppercaseCharacter: true
# requireAtLeastOneLowercaseCharacter: true
# requireAtLeastOneDigit: true

The Password Policy feature is being implemented to support multi-tenant
UAA. Each Tenant/Identity Zone will get its own password policy. The
password policy for the default zone will be configurable via YML.


UAA currently supports the zxcvbn<
https://urldefense.proofpoint.com/v2/url?u=https-3A__blogs.dropbox.com_tech_2012_04_zxcvbn-2Drealistic-2Dpassword-2Dstrength-2Destimation_&d=AwMFaQ&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=8jfAtIC0enmugg7W93b4MxFNUdrneLwx6fyzU0yk9a8&m=wNYpag6E0rnGEhlO0X3GJ5d5Hz4fOBCSAOh8yveJ_mw&s=b9G7EEOsCOiXnLJMJTaDbWyjwr386z7IQ5_5wvRZ6ew&e=>
style password score. This is currently exposed via the following
properties in the YML configuration file. There is an end point<
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cloudfoundry_uaa_blob_master_docs_UAA-2DAPIs.rst-23query-2Dthe-2Dstrength-2Dof-2Da-2Dpassword-2Dpost-2Dpassword-2Dscore&d=AwMFaQ&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=8jfAtIC0enmugg7W93b4MxFNUdrneLwx6fyzU0yk9a8&m=wNYpag6E0rnGEhlO0X3GJ5d5Hz4fOBCSAOh8yveJ_mw&s=JO1Yuq0GHq5FoW8uEHIMP-UNRnynikwtdSksZ0gklXk&e=>
for querying the status of the same.

password-policy:

required-score: <int>

We would like to understand if this password score feature is being
utilized at all. We don't plan on making this feature multi-tenant and
would like to drop this in favor of the new approach which is much more
granular and supports multi tenancy.

Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry


_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.