Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

The Password Authenticator plugin manages passwords for CO People.

(warning) This plugin is considered Experimental.

Configuration

  1. This is a non-core plugin, see Installing and Enabling Registry Plugins for more information.

Password Policies

Much angst has been generated over the years as security experts try to decide what the appropriate password policies should be. How long should a password be? How many character classes should be required? How often should the password be changed? What types of questions are good for resetting the password?

The Password Authenticator Plugin supports the NIST 800-63B Digital Identity Guidelines. In summary:

  • Passwords must be at least 8 characters in length (§5.1.1.1). The minimum and maximum length of the password is configurable.
  • Password hints are not supported (§5.1.1.2).
  • Password character composition checks are not supported (§5.1.1.1).
  • Passwords do not expire on a scheduled basis (§5.1.1.2). That is, there is no ability to require a password change after (eg) 90 days. (A password can be manually expired or reset.)
  • Passwords may not be reset using knowledge based pre-stored secrets (ie: password reset questions or "backup memorized secrets", §6.1.2.3).

Checking against commonly used or compromised passwords (CO-1501) and password strength meters (CO-1502) are not currently supported.

Password Hashing Formats

Currently the only supported hash format is crypt (PASSWORD_DEFAULT) as implemented by the PHP password_hash function. Additional formats are likely to be supported in future releases.

Supported Provisioners

The LDAP Provisioning Plugin supports writing the hashed password to the userPassword attribute.

  • No labels