Comments (12)
A couple of comments:
- I don't want to manage password dictionaries or add GB of downloads when someone installs LLDAP.
- HIBP will always be optional, due to the requirement for a paying API key.
from lldap.
What about zxcvbn
?
It's a password strength estimator developed by dropbox.
There is a rust library available at: https://github.com/shssoichiro/zxcvbn-rs
Authelia is also using this.
from lldap.
I'd actually make an argument against this suggestion. LDAP is LDAP. Let this tool just focus on providing LDAP and mark this as out of scope for the reasons mentioned here. LDAP should be used with other tools like Authelia (imho) which can do the security checks and password strength enforcement. Personally I'm going as far as disabling the password reset functionality from LLDAP in my config and leaving it to other tools. I think it's good LLDAP offers the option for password reset, but that's as far as it should go - if you can't tell, I like the UNIX philosophy of tools doing one thing and doing it well. This will add a lot of complexity.
EDIT: Never mind, I think many of the issues will be addressed anyway in supporting HIBP which is already being added.
from lldap.
from lldap.
Also, another thing to consider is that the recommendations in terms of security are usually focused on password length alone rather than special characters. If anything, measuring the entropy is best.
Something that I've had as a wip for a while is support for haveibeenpwned to check if the password is in any leak (requires a paying API key though).
One other thing we could consider is if the password is weak, to add a plug for a password manager (or an article explaining the benefits of a password manager).
from lldap.
Some random thoughts on this:
We can , probably even today afaik, have one of those password strength bars for indicators. We coul;d probably pass it (some sort of policy) to the front end for live feedback, but with or without that piece, we could just implement it in the graphql api?
from lldap.
Sending the password to the backend for strength check would defeat the entire purpose of OPAQUE :D
The idea is that you're not trusting the connection/server/storage to protect your password, so you never send it to the server (yes, I know, LDAP sends it in clear). So all the checking has to be on the client side, making it optional (you can just run the lldap_set_user_password
binary and give it an arbitrarily weak password, the server can't check that).
The password strength bar is basically what I meant by measuring the entropy; it's still approximate, but it's better. The idea is that if a user comes up with a 30 character passphrase that doesn't have a number or a special character, that's still fine.
But really, we should push users to use password managers (I'm partial to Bitwarden since it can be self-hosted, but 1Password is also good, or KeyPass + some syncing service).
from lldap.
ignore me, it's too early to remember everything :)
from lldap.
@leanderjanssen nice! I think that's a good candidate for the "measuring entropy"-equivalent category. I think also checking if the password was leaked would help on top.
from lldap.
My main point about creating this issue is that LLDAP will actually become a minimum viable option for users that have simple needs and are looking for an easy drop-in replacement for OpenLDAP. I understand the point behind using Authelia or Keycloak for such "advanced" mechanisms, however I will consider "strong password" requirement as something that should belong the the core project.
I proposed the traditional password policy pattern because I felt that most company users may have this need. However I agree that we may want to be more "up-to-date" for this project and implement part of NIST Special Publication 800-63B. Some important points from this publication :
- Check passwords against breached password lists or dictionaries
- Do not request regular password change
- Password length at least 8 characters (Length > Complexity)
Just my 2 cents, but I didn't find too much mentions for "password strength indicator" in the literature. Password strength indicators that just do "simple mathematical computation" are discouraged by this Troy Hunt blog post.
@leanderjanssen
HIBP lookup may be useful as well, but my humble opinion should be that it must be optional and disabled by default. Should be another separated PR as it may lead to some discussions.
from lldap.
will actually become a minimum viable option for users that have simple needs and are looking for an easy drop-in replacement for OpenLDAP
Given I've just replaced OpenLDAP and LAM with this, I am inclined to agree now and have changed my prior thoughts. If it's possible to do so without adding much complexity or breaking integrations with services that build on the core of LDAP itself (not LLDAP; i.e. what happens if there is a conflict between password policies in both systems?), then it sounds good to me. One small thing to note though:
[it should] .. check passwords against breached password lists or dictionaries
and ...
HIBP lookup may be useful as well, but my humble opinion should be that it must be optional and disabled by default.
... contradict each other. HIBP exact purpose is to check if passwords have been breached. I hope you're not suggesting LLDAP comes with a dictionary of known passwords that then needs to be kept up to date by the maintainers of the project and administrators of installations?
Sending the password to the backend for strength check would defeat the entire purpose of OPAQUE
This is going to be the most important factor. HIBP is the answer to checking if a password has been used as it only uses a hash of the password.
But really, we should push users to use password managers (I'm partial to Bitwarden since it can be self-hosted, but 1Password is also good, or KeyPass + some syncing service).
Also a happy user of Bit/Vaultwarden (I pay and self-host). Highly recommend this approach. I won't know my own password to my domain and I'll encourage any other members to do the same. I only know my password to my password manager, primary email (since every service seems to insist on letting you change a password as easy as clicking a link from an email... 🤦🏼♂️) and my 2FA system.
from lldap.
[it should] .. check passwords against breached password lists or dictionaries
and ...
HIBP lookup may be useful as well, but my humble opinion should be that it must be optional and disabled by default.
... contradict each other. HIBP exact purpose is to check if passwords have been breached. I hope you're not suggesting LLDAP comes with a dictionary of known passwords that then needs to be kept up to date by the maintainers of the project and administrators of installations?
On the contradiction you are pointing out, I really think that the HIBP lookup is a good idea, but I suppose that some people will be reluctant about communicating information about users password to an external server, even if HIBP is really strong about privacy. I just recommended to make it optional, so this will not be a no-go for some LLDAP users.
If LLDAP community wants to go the dictionnary way, I think that LLDAP instance administrators should be responsible peaking and maintaining dictionaries (depending on their own needs and contexts). The maximum I will expect from the project will be to actually recommend some data sources like SecLists.
from lldap.
Related Issues (20)
- Use separate configuration options for database credentials HOT 1
- Display Name not required to be unique. HOT 10
- Format for changing password from inside container. HOT 4
- Samba integration HOT 14
- [Document] more log verbosity control HOT 1
- How to integrate UrBackup and lldap? HOT 10
- Emails do not have a message_id HOT 2
- SMTP configuration with environment variables is inconsistent HOT 2
- Add support handle several objectClass when creating a user
- Improved Image Versioning and Release Cycle HOT 2
- Connecting to an external mysql database in kubernetes cluster HOT 1
- Jellyfin LDAP Plugin Change Password Fails HOT 7
- WEBhook configuration HOT 1
- Sort groups list on user view HOT 1
- TOTP Support HOT 7
- Fallback note for useres with incompatible browsers HOT 3
- uidNumber attribute missing HOT 3
- [docker-mailserver] Hello need help for Dovecot Configuration HOT 9
- Terraform: adding new groups fail HOT 7
- Use Python LDAP3 To retrieve all USers and Groups HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from lldap.