The Password Authenticator plugin manages passwords for CO People.
This plugin is considered Experimental.
This plugin requires PHP 7 or later (for random_bytes).
Beginning with Registry v3.3.0, each instantiated PasswordAuthenticator is configured with a Password Source mode, indicating how the Passwords associated with the Authenticator are created. Supported modes are:
Autogenerated Passwords are established by visiting the Manage link for the appropriate Authenticator. The autogenerated Password is displayed once, when it is generated; afterwards it cannot be recovered through the Registry interface, and a new Password must be generated. Autogenerated Passwords are suitable for use as Service Tokens.
The maximum length of the Password can be specified, though note that generated passwords may occasionally be 1 or 2 characters shorter. Dashes will be inserted in the generated password after every fourth character to increase readability, but do not count towards the maximum Password length.
External Passwords are expected to be entirely managed by another component via the REST API. The use of Unprivileged API Users may be supported in a future release (CO-1874).
Self Selected Passwords are managed directly by the individual, in accordance with the configured Password Policies (below).
Much angst has been generated over the years as security experts try to decide what the appropriate password policies should be. How long should a password be? How many character classes should be required? How often should the password be changed? What types of questions are good for resetting the password?
The Password Authenticator Plugin supports the NIST 800-63B Digital Identity Guidelines. In summary:
Checking against commonly used or compromised passwords (CO-1501) and password strength meters (CO-1502) are not currently supported.
These policies only apply to Self Selected Passwords.
The following hashing formats are currently supported:
Additional formats are likely to be supported in future releases.
Multiple hashing formats may be enabled concurrently. When a Password is set or changed, the password will be hashed in each enabled format.
The LDAP Provisioning Plugin supports writing the hashed password to the userPassword attribute. As of Registry v3.2.0, the plugin will only write SSHA hashed values to the LDAP record.
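The lifecycle described above (an autogenerated token, as in the Autogenerated mode section, hashed for the LDAP userPassword attribute), as an added PHP illustration that is not the plugin's own code. The character set, the 8-byte salt and the function names are assumptions, and this generator always returns exactly maxLength characters rather than reproducing the plugin's occasional 1 or 2 character shortfall.

```php
<?php
declare(strict_types=1);

// Assumed alphabet: letters and digits without the easily confused 0/O/1/l/I.
const TOKEN_ALPHABET = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Unbiased index in [0, $n) from random_bytes() via rejection sampling ($n <= 256).
function randomIndex(int $n): int
{
    $limit = 256 - (256 % $n);
    do {
        $b = ord(random_bytes(1));
    } while ($b >= $limit);
    return $b % $n;
}

// $maxLength random characters; dashes after every fourth character do not count.
function generateToken(int $maxLength): string
{
    if ($maxLength < 1) {
        throw new InvalidArgumentException('maxLength must be positive');
    }
    $n = strlen(TOKEN_ALPHABET);
    $out = '';
    for ($i = 0; $i < $maxLength; $i++) {
        $out .= TOKEN_ALPHABET[randomIndex($n)];
    }
    return implode('-', str_split($out, 4));
}

// {SSHA} = base64(sha1(password . salt) . salt), the salted SHA-1 form LDAP accepts.
function ssha(string $password, ?string $salt = null): string
{
    $salt = $salt ?? random_bytes(8); // assumed salt length
    return '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt);
}

// Verify a cleartext against a stored {SSHA} value in constant time.
function sshaVerify(string $password, string $stored): bool
{
    if (strncmp($stored, '{SSHA}', 6) !== 0) {
        return false;
    }
    $raw = base64_decode(substr($stored, 6), true);
    if ($raw === false || strlen($raw) <= 20) {
        return false; // 20-byte digest must be followed by a salt
    }
    return hash_equals(substr($raw, 0, 20), sha1($password . substr($raw, 20), true));
}

$token = generateToken(16);
$stored = ssha($token);
if (!sshaVerify($token, $stored) || sshaVerify($token . 'x', $stored)) {
    throw new RuntimeException('SSHA round trip failed');
}
echo $token, PHP_EOL, $stored, PHP_EOL;
```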