
Warning: This plugin is considered Experimental.


Installation

  1. This is a non-core plugin; see Installing and Enabling Registry Plugins for more information.
  2. This plugin requires PHP 7 or later (for random_bytes).

Password Source Mode

Beginning with Registry v3.3.0, each instantiated PasswordAuthenticator is configured with a Password Source mode, indicating how the Passwords associated with the Authenticator are created. Supported modes are:

  • Autogenerate: The Password is autogenerated on demand, and displayed once.
  • External: The Password is managed by an external component via the REST API.
  • Self Select: The Password is self selected by the individual. This is the mode for all PasswordAuthenticators instantiated prior to v3.3.0.

Autogenerate

Autogenerated Passwords are established by visiting the Manage link for the appropriate Authenticator. The autogenerated Password is displayed once, at the time it is generated; afterwards it cannot be recovered through the Registry interface, and a new Password must be generated instead. Autogenerated Passwords are suitable for use as Service Tokens.

The maximum length of the Password can be specified, though note that generated passwords may occasionally be 1 or 2 characters shorter. Dashes will be inserted in the generated password after every fourth character to increase readability, but do not count towards the maximum Password length.

External

External Passwords are expected to be entirely managed by another component via the REST API. The use of Unprivileged API Users may be supported in a future release (CO-1874).

Self Select

Self Selected Passwords are managed directly by the individual, in accordance with the configured Password Policies (below).

Password Policies

Much angst has been generated over the years as security experts try to decide what the appropriate password policies should be. How long should a password be? How many character classes should be required? How often should the password be changed? What types of questions are good for resetting the password?

...

Checking against commonly used or compromised passwords (CO-1501) and password strength meters (CO-1502) are not currently supported.

These policies only apply to Self Selected Passwords.

Password Hashing Formats

The following hashing formats are currently supported:

  1. Crypt, as implemented by the PHP password_hash function using PASSWORD_DEFAULT. This is the strongest hashing option, but is only suitable for use in PHP based applications that implement password_verify. This format is enabled by default and cannot be disabled since it is used internally by the plugin.
  2. SSHA, or Salted SHA-1. This option is suitable for writing to LDAP servers. Available as of Registry v3.2.0.
  3. Plaintext, or unhashed. This option is normally not recommended, but may be suitable for select scenarios where a password must be provisioned in plaintext to a legacy downstream system.
  4. External. This option indicates hashing of the Password is handled by an external component, for use with the External Password Source Mode, and can only be set via the REST API. Available as of Registry v3.3.0.

Additional formats are likely to be supported in future releases.
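The following added example (not the plugin's own code) shows how the Crypt and SSHA formats described above are produced and checked in PHP 7 or later: Crypt via password_hash/password_verify, and SSHA as the LDAP "{SSHA}" encoding of base64(sha1(password . salt) . salt). The 8-byte salt length and the sample password are assumptions.

```php
<?php
// Added example, not code from the PasswordAuthenticator plugin.
// Assumes PHP 7+ (random_bytes, hash_equals).

// Crypt: the plugin's default format. Only password_verify() can check
// it, which is why it suits PHP applications but not LDAP servers.
function cryptHash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function cryptVerify(string $password, string $hash): bool {
    return password_verify($password, $hash);
}

// SSHA: "{SSHA}" . base64( sha1(password . salt) . salt ).
// The salt is appended to the raw digest so the LDAP server (or this
// verifier) can recover it when checking a bind. Salt length is assumed.
function sshaHash(string $password, int $saltBytes = 8): string {
    $salt   = random_bytes($saltBytes);        // CSPRNG source, PHP 7+
    $digest = sha1($password . $salt, true);   // raw 20-byte digest
    return '{SSHA}' . base64_encode($digest . $salt);
}

function sshaVerify(string $password, string $stored): bool {
    if (strncmp($stored, '{SSHA}', 6) !== 0) {
        return false;                          // not an SSHA value
    }
    $bin = base64_decode(substr($stored, 6), true);
    if ($bin === false || strlen($bin) <= 20) {
        return false;                          // malformed or unsalted
    }
    $digest = substr($bin, 0, 20);
    $salt   = substr($bin, 20);
    // Constant-time comparison so timing does not reveal matching bytes.
    return hash_equals($digest, sha1($password . $salt, true));
}

// Constructed sample input.
$pw    = 'correct horse battery staple';
$crypt = cryptHash($pw);
$ssha  = sshaHash($pw);
var_dump(cryptVerify($pw, $crypt));
var_dump(sshaVerify($pw, $ssha));
var_dump(sshaVerify('wrong password', $ssha));
```

The Plaintext and External formats need no code: Plaintext stores the value as-is, and External means the stored value was hashed by another component and is only written through the REST API.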

...