Password Policy: Known Passwords Check Proposal: Difference between revisions
Tomasz Muras (talk | contribs) No edit summary |
Tomasz Muras (talk | contribs) No edit summary |
||
Line 1: | Line 1: | ||
= Status = | = Status = | ||
Very initial stage - project proposal. | Very initial stage - project proposal. | ||
= Introduction = | = Introduction = | ||
Moodle 4.0 supports "Password policy" configurable in Site Administration under Security -> Site security settings. | Moodle 4.0 supports "Password policy" configurable in Site Administration under Security -> Site security settings. | ||
The following checks can be applied to measure the password quality: | The following checks can be applied to measure the password quality: | ||
* Password length | * Password length | ||
* Digits | * Digits | ||
Line 16: | Line 12: | ||
* Consecutive identical characters | * Consecutive identical characters | ||
* Password rotation limit | * Password rotation limit | ||
NIST Special Publication 800-63B, [https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver Digital Identity Guidelines] advises on another check: | |||
''When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.'' | |||
''For example, the list MAY include, but is not limited to:'' | |||
* ''Passwords obtained from previous breach corpuses.'' | |||
* ''Dictionary words.'' | |||
* ''Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).'' | |||
* ''Context-specific words, such as the name of the service, the username, and derivatives thereof.'' | |||
''If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value.'' | |||
= Approach = | = Approach = | ||
= Unresolved issues/ideas = | = Unresolved issues/ideas = | ||
= Tasks = | = Tasks = |
Revision as of 15:12, 27 April 2022
Status
Very initial stage - project proposal.
Introduction
Moodle 4.0 supports "Password policy" configurable in Site Administration under Security -> Site security settings.
The following checks can be applied to measure the password quality:
- Password length
- Digits
- Lowercase letters
- Uppercase letters
- Non-alphanumeric characters
- Consecutive identical characters
- Password rotation limit
NIST Special Publication 800-63B, Digital Identity Guidelines advises on another check:
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.
For example, the list MAY include, but is not limited to:
- Passwords obtained from previous breach corpuses.
- Dictionary words.
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- Context-specific words, such as the name of the service, the username, and derivatives thereof.
If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value.