[Web] - Weak Password Policy

Description

Overview

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

An authentication mechanism is only as strong as its credentials. For this reason, it is important to require users to have strong passwords. Lack of password complexity significantly reduces the search space when trying to guess users' passwords, making brute-force attacks easier.

Browser URL

https://onmspentest.eastus.cloudapp.azure.com/opennms/login.jsp

Steps To Reproduce

  • Enter a weak password (e.g. "12345", "11111") in the change password page.

  • Observe that the application accepts weak/easily guessable passwords during password change.

  • Now the user is able to log in using the weak password in the Web Applications/API.

Suggested Fix

1. Allow all characters to be used for passwords to avoid shortening the key space for brute-force guessing.
2. Do not impose character restrictions such as "must have at least X number of specific character type" in the password. This will shorten the key space for brute-force guessing.
3. Disallow short password lengths. 12 characters is generally considered a good minimum password length.
4. Allow for a large maximum password length. The typical maximum length is 128 characters. It is important to set a maximum password length to prevent denial-of-service attacks that submit extremely long passwords.
5. Do not advertise the maximum password length as this will shorten the key space for brute-force guessing.
6. Disallow previous passwords from being used.
7. Disallow the password being the same as the email or username.
8. Avoid allowing users to set guessable passwords and ensure that at least one lowercase, one uppercase, one special character and one numeric value are used.
9. The maximum password length should not be set too low, as it will prevent users from creating passphrases.
10. Include a password strength meter to help users create a more complex password and block common and previously breached passwords.
11. Pwned Passwords (https://haveibeenpwned.com/Passwords) is a service where passwords can be checked against previously breached passwords. You can host it yourself or use the API (https://haveibeenpwned.com/API/v2#PwnedPasswords).
12. Check the password complexity at https://www.passwordmonster.com/.
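An added example (not OpenNMS code) of how the length, username/email, password-history and breached-password checks from the list above can be combined into one policy function. The breached-password lookup follows the Pwned Passwords range-query shape (only the first five SHA-1 hex characters are used as the lookup key) against a constructed in-memory stand-in for a self-hosted range store, so it runs offline as the comment about on-prem installations asks; the sample weak passwords and their counts are made up for the demo.

```python
import hashlib
import hmac
from typing import Iterable

MIN_LENGTH = 12   # minimum recommended in the suggested fix
MAX_LENGTH = 128  # typical maximum; caps the cost of hashing very long inputs


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a self-hosted Pwned Passwords range store:
# maps the first 5 hex chars of a password's SHA-1 to the "SUFFIX:COUNT"
# lines the range endpoint would return for that prefix (counts made up).
LOCAL_RANGE_STORE: dict[str, list[str]] = {}
for _weak in ("12345", "11111", "password123"):
    _digest = _sha1_hex(_weak)
    LOCAL_RANGE_STORE.setdefault(_digest[:5], []).append(f"{_digest[5:]}:{len(_weak) * 100}")


def is_breached(password: str, store: dict[str, list[str]] = LOCAL_RANGE_STORE) -> bool:
    """Range-style lookup: only the 5-char prefix is used as the query key."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in store.get(prefix, []):
        candidate, _count = line.split(":", 1)
        if hmac.compare_digest(candidate, suffix):
            return True
    return False


def history_hash(password: str) -> str:
    # SHA-256 keeps the demo short; a real history store should keep the same
    # slow KDF hashes used for login and verify the candidate against each.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, username: str, email: str,
                   previous_hashes: Iterable[str] = ()) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if password.casefold() in (username.casefold(), email.casefold()):
        problems.append("same as username or email")
    if history_hash(password) in set(previous_hashes):
        problems.append("previously used")
    if is_breached(password):
        problems.append("found in breached-password list")
    return problems
```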

Cobalt URL

#PT9265_4

Acceptance / Success Criteria

None

Activity

Lars Schreiber July 19, 2022 at 7:49 PM

I would absolutely recommend that. I've talked to Jeff about this and I'll create a separate ticket.

Benjamin Reed July 15, 2022 at 12:31 PM

FYI, we have OpenNMS installations that are on-prem without access to the Public Internet so no external APIs (like haveibeenpwned) should be required for validating passwords. (If it can be optionally done, with a quick timeout where failure to connect doesn't stop password updates, that's probably OK)

Fixed

Created February 4, 2022 at 10:27 PM
Updated August 4, 2022 at 2:09 PM
Resolved July 20, 2022 at 2:26 PM