Is there a way to enforce password complexity for local accounts in Indico? It looks like the current implementation allows anything longer than 4 characters, e.g. “12345” is an acceptable password. Our security people are not impressed with that, actually, and want us to control that somehow.
Hi, so most people use some kind of SSO with Indico if they need stronger security requirements (and/or 2FA).
But adding an option to require longer passwords would indeed be a useful improvement. I disagree with having complexity rules (“1 symbol” etc) beyond that, at least for longer passwords, since having a long passphrase is perfectly fine even if it just consists of normal characters.
You can disagree with security people, but you cannot ignore them. In our environment we have strict requirements for Internet-facing services and we need to implement them one way or another. Would it be possible to add an extensible password validation mechanism so that we could implement our own rules instead of the default?
Frankly, I would not allow weak passwords even in DEBUG mode; a dev system can become a production one by simply disabling DEBUG, but the weak passwords will remain.
Regarding the NIST recommendations - they also say “verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised”. If you can implement that recommendation we would be super happy. Seriously, some reasonable rules are essential; what might work for us is probably:
Min. password length 8 characters
Require 3 character classes for passwords shorter than 16 chars
Anything goes for >16 chars, but it’s better to avoid repetitive or sequential characters too
We do use SSO for users in our organization, but we also have to support users from outside, and for those users we use local Indico accounts. We do not want to complicate things by adding a separate, independent registration system; I think everyone will benefit if Indico security improves. It only takes one compromised account to create lots of problems for everyone, and no one wants to deal with that. I still think that a pluggable or configurable mechanism for password verification might work better, as different organizations have different rules and it’s hard to satisfy everyone’s requirements.
We even have separate setup guides, and a typical dev setup is absolutely not suitable for production. So it’s rather unlikely that this happens. We clearly document that DEBUG is meant for development, so if people decide to shoot themselves in the foot, so be it…
So, checking passwords against the HIBP pwned passwords list? As useful as that is, maybe having this in the Indico core is too much… so in the end, adding a signal to check a password isn’t such a bad idea, since it’s just one line in the core, and then a plugin can do whatever it wants. A pull request doing that would be appreciated.
We could then ship a default plugin (via indico-plugins) which implements basic password quality checks, and someone else could create a plugin that checks against HaveIBeenPwned as well. It’d then be up to the admin to enable one or more plugins handling this signal.
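An added example, not part of the thread and not Indico's own code: a self-contained Python sketch of the signal-plus-plugin design proposed in the last two replies, with a default plugin implementing the rules listed in the earlier post (minimum 8 characters, 3 character classes below 16 characters, no repeated or sequential runs) and a second plugin doing the NIST compromised-list check. The `Signal` class stands in for the blinker-style signals Indico uses; the signal name `check-password`, its `username`/`password` arguments, `core_set_password`, `enable_plugins` and the error messages are assumptions made for the example, the compromised-password list is a constructed sample, and `lookup_range` mimics the HIBP range lookup offline.

```python
import hashlib
import re
from collections import defaultdict


class Signal:
    """Minimal blinker-style signal: the core emits it, plugins connect handlers.
    Indico uses blinker signals; this class and the signal name below are
    assumptions for the example, not Indico's real API."""

    def __init__(self, name):
        self.name = name
        self._receivers = []

    def connect(self, receiver):
        self._receivers.append(receiver)
        return receiver

    def send(self, sender, **kwargs):
        return [(receiver, receiver(sender, **kwargs)) for receiver in self._receivers]


# The "one line in the core": a signal that any enabled plugin can subscribe to.
check_password = Signal('check-password')


def core_set_password(username, password):
    """What the core would do before storing a new local-account password:
    emit the signal and collect every non-empty error message the plugins return."""
    results = check_password.send('set-password', username=username, password=password)
    return [message for _receiver, message in results if message]


# ---- plugin 1: basic quality rules as proposed in the thread -----------------
CHAR_CLASSES = [re.compile(p) for p in (r'[a-z]', r'[A-Z]', r'[0-9]', r'[^a-zA-Z0-9]')]

MSG_TOO_SHORT = 'Password must be at least 8 characters long'
MSG_CLASSES = 'Passwords shorter than 16 characters need at least 3 character classes (lower, upper, digit, symbol)'
MSG_SEQUENCE = 'Avoid repeated or sequential characters (e.g. "aaaa", "1234")'


def has_run_or_sequence(password, n=4):
    """True if any n consecutive characters are identical ("aaaa") or form an
    ascending/descending run of adjacent code points ("1234", "dcba")."""
    for i in range(len(password) - n + 1):
        codes = [ord(c) for c in password[i:i + n]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def basic_quality(sender, username, password, **kwargs):
    """Default plugin: length, character classes below 16 chars, no runs/sequences.
    The class requirement is waived for long passphrases, the sequence check is not."""
    if len(password) < 8:
        return MSG_TOO_SHORT
    if len(password) < 16 and sum(bool(c.search(password)) for c in CHAR_CLASSES) < 3:
        return MSG_CLASSES
    if has_run_or_sequence(password):
        return MSG_SEQUENCE
    return None


# ---- plugin 2: reject known-compromised passwords (NIST SP 800-63B 5.1.1.2) ----
# Constructed sample list for the example; a real plugin would load a large dump
# or query the HIBP range API.
MSG_COMPROMISED = 'This password appears in a list of compromised passwords'
_SAMPLE_COMPROMISED = {'password', 'Password1!', 'qwerty123', 'letmein', 'Tr0ub4dor&3'}
_SUFFIXES_BY_PREFIX = defaultdict(set)
for _pw in _SAMPLE_COMPROMISED:
    _digest = hashlib.sha1(_pw.encode('utf-8')).hexdigest().upper()
    _SUFFIXES_BY_PREFIX[_digest[:5]].add(_digest[5:])


def lookup_range(prefix):
    """Stand-in for the HIBP 'range' endpoint: given the first 5 hex chars of a
    SHA-1, return the stored hash suffixes (k-anonymity: the full hash never leaves)."""
    return _SUFFIXES_BY_PREFIX.get(prefix, set())


def not_compromised(sender, username, password, **kwargs):
    """Second plugin: SHA-1 the candidate and look its suffix up under the 5-char prefix."""
    digest = hashlib.sha1(password.encode('utf-8')).hexdigest().upper()
    if digest[5:] in lookup_range(digest[:5]):
        return MSG_COMPROMISED
    return None


# ---- what an admin would do: enable one or more plugins handling the signal ----
AVAILABLE_PLUGINS = {'basic_quality': basic_quality, 'not_compromised': not_compromised}


def enable_plugins(names):
    for name in names:
        check_password.connect(AVAILABLE_PLUGINS[name])


enable_plugins(['basic_quality', 'not_compromised'])


if __name__ == '__main__':
    for candidate in ('12345', 'Abcd1234', 'Password1!', 'password', 'correct horse battery staple'):
        print(repr(candidate), '->', core_set_password('alice', candidate) or 'OK')
```

Each plugin returns an error string or `None`, so the core stays ignorant of the actual policy and only aggregates the answers; an admin enables whichever plugins their organisation's rules require, which is what the configurable mechanism asked for earlier in the thread amounts to. Note that `password` trips both plugins and gets both messages, while a long passphrase of plain words passes because the class requirement is waived above 16 characters but the sequence check still runs.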