UAA : Is anyone utilizing the Password Score Feature


Sree Tummidi
 

Hi All,

The UAA team is in the process of implementing the Password Policy feature
<https://www.pivotaltracker.com/story/show/82182984> for users stored in
UAA. The following properties around password strength will be exposed in
the YML configuration.

#passwordPolicy:
#  minLength: 8
#  requireAtLeastOneSpecialCharacter: true
#  requireAtLeastOneUppercaseCharacter: true
#  requireAtLeastOneLowercaseCharacter: true
#  requireAtLeastOneDigit: true

The Password Policy feature is being implemented to support multi-tenant
UAA. Each Tenant/Identity Zone will get its own password policy. The
password policy for the default zone will be configurable via YML.


UAA currently supports the zxcvbn
<https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/>
style password score. This is currently exposed via the following
properties in the YML configuration file. There is an end point
<https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#query-the-strength-of-a-password-post-password-score>
for querying the status of the same.

password-policy:
  required-score: <int>
We would like to understand if this password score feature is being
utilized at all. We don't plan on making this feature multi-tenant and
would like to drop it in favor of the new approach, which is much more
granular and supports multi-tenancy.
Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry


Nicholas Calugar

Hi Sree,

Not sure if this is possible, but maybe instead of requireAtLeastOneSpecialCharacter boolean, you could do minSpecialCharacters int (0-n)? This would allow more rigorous password policies.

Nick




Nicholas Calugar

On Wed, Jun 3, 2015 at 12:00 PM, Sree Tummidi <stummidi(a)pivotal.io> wrote:



Josh Ghiloni
 

In that vein, it would be nice to be able to specify which characters constitute “special” and to have a list of disallowed characters.

Josh Ghiloni
Senior Consultant
303.932.2202 o | 303.590.5427 m | 303.565.2794 f
jghiloni(a)ecsteam.com<mailto:jghiloni(a)ecsteam.com>

ECS Team
Technology Solutions Delivered
ECSTeam.com<http://ECSTeam.com>


_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org<mailto:cf-dev(a)lists.cloudfoundry.org>
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Winkler, Steve (GE Digital) <steve.winkler@...>
 

+1


From: Nicholas Calugar <ncalugar(a)pivotal.io<mailto:ncalugar(a)pivotal.io>>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org<mailto:cf-dev(a)lists.cloudfoundry.org>>
Date: Wednesday, June 3, 2015 at 12:20 PM
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org<mailto:cf-dev(a)lists.cloudfoundry.org>>
Cc: CF Developers Mailing List <cf-dev(a)lists.cloudfoundry.org<mailto:cf-dev(a)lists.cloudfoundry.org>>
Subject: Re: [cf-dev] UAA : Is anyone utilizing the Password Score Feature


Sree Tummidi
 

On the Password Score feature, I haven't yet received any updates on
whether it's being used at all. Please let us know if anyone is using the
same.

Thank you Nick/Steve/Josh for the feedback!
I agree with the approach of having Min Special Chars and specifying the
allowed special chars. We are following the OWASP model. The list of
allowed characters is here
<https://www.owasp.org/index.php/Password_special_characters>.
I will update the policy requirements on my side.

-Sree


On Wed, Jun 3, 2015 at 12:39 PM, Winkler, Steve (GE Global Research) <
steve.winkler(a)ge.com> wrote:



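As an added illustration of the policy the thread converges on (example code, not from the UAA project), the checker below takes the passwordPolicy keys from the YML fragment above, Nick's minSpecialCharacters count in place of the boolean, and Josh's configurable special and disallowed character sets. The loader, the specialCharacters and disallowedCharacters keys, and the rule names are assumptions for this example; the default special set is the OWASP list Sree links.

```python
import string
from dataclasses import dataclass
from typing import Any, Dict, List

# Space plus the 32 printable ASCII punctuation characters: the set on the
# OWASP "Password special characters" page linked in the thread.
OWASP_SPECIAL = " " + string.punctuation

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    min_special_characters: int = 1          # a count, not a boolean
    require_uppercase: bool = True
    require_lowercase: bool = True
    require_digit: bool = True
    special_characters: str = OWASP_SPECIAL  # which characters count as "special"
    disallowed_characters: str = ""          # characters rejected anywhere

def policy_from_config(cfg: Dict[str, Any]) -> PasswordPolicy:
    """Map the thread's passwordPolicy keys onto a PasswordPolicy (hypothetical loader;
    minSpecialCharacters, specialCharacters and disallowedCharacters are proposed keys)."""
    one_special = bool(cfg.get("requireAtLeastOneSpecialCharacter", False))
    return PasswordPolicy(
        min_length=int(cfg.get("minLength", 0)),
        min_special_characters=int(cfg.get("minSpecialCharacters", int(one_special))),
        require_uppercase=bool(cfg.get("requireAtLeastOneUppercaseCharacter", False)),
        require_lowercase=bool(cfg.get("requireAtLeastOneLowercaseCharacter", False)),
        require_digit=bool(cfg.get("requireAtLeastOneDigit", False)),
        special_characters=str(cfg.get("specialCharacters", OWASP_SPECIAL)),
        disallowed_characters=str(cfg.get("disallowedCharacters", "")),
    )

def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the names of the rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("min_length")
    if any(c in policy.disallowed_characters for c in password):
        problems.append("disallowed_characters")
    specials = sum(1 for c in password if c in policy.special_characters)
    if specials < policy.min_special_characters:
        problems.append("min_special_characters")
    if policy.require_uppercase and not any(c.isupper() for c in password):
        problems.append("uppercase")
    if policy.require_lowercase and not any(c.islower() for c in password):
        problems.append("lowercase")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("digit")
    return problems
```

Returning every violated rule rather than a single boolean lets the caller tell the user exactly which policy element failed, which is what a per-zone policy needs when each tenant configures different rules.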