Predix is enhancing security and adding a new UAA password policy. Starting December 1st, 2017, any password reset or user/password creation will follow the new password policy regardless of whether it is done via the Cloud Foundry CLI, UAA front-end pages, UAA dashboard, or any User Management application that uses UAA as the back end. This policy won't impact OAuth 2.0 client secrets.
The password policy that will be enforced is as follows:
minLength: 8
maxLength: 15
requireUpperCaseCharacter: 2
requireLowerCaseCharacter: 1
requireDigit: 2
requireSpecialCharacter: 1
expirePasswordInMonths: 0
The same policy applies to Platform UAA accounts accessible via predix.io. Later on, we will require password expiration for accounts as well.
A password rotation policy is not being enforced but may be enforced in the future.
December 1st, 2017
Yes, the password policy is configured by default on all UAA zones since enforcement began. However, teams that don't want to be compliant with GE policies and general security recommendations can override the password policy enforcement using the UAA dashboard. This action is not advised or recommended by our Security team.
No, this policy change impacts local UAA user accounts only. Any federation accounts will follow their IdP policy like GE SSO does.
The UAA service will be available during the maintenance window and no downtime is expected. However, if you experience any issue, please file a ticket at https://predix.io/support.
The goalposts have moved a bit on this one.
The latest NIST guidelines (NIST.SP.800-63b) section 5.1.1.2 now state: "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets."
However, I appreciate GE is following what was standard practice.
Is there some evidence that this level of manual complexity offers additional security?
@Jim: Actually, the opposite. The belief is that complex passwords may reduce security, since they encourage people to write them down or reuse them.
See https://sciencealert.com/the-guy-who-wrote-the-book-on-passwords-now-wants-to-chuck-it-out
To encourage better password habits, the max length should be considerably longer, with flexible character requirements based on that length. If your password is short, then you need upper/lower/digit/special characters, but the longer the password is, the more relaxed those other requirements become.
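The policy keys listed in the announcement above, and the length-tiered alternative this comment proposes, as an added Python example (this is not code from Predix, UAA or any participant in the thread). The field names mirror the announced UAA policy keys; the definition of a "special character" as anything that is not a letter or digit is an assumption, and the tier thresholds (14 and 20 characters) and the 64-character upper bound in the tiered variant are constructed values for illustration, not settings from the page.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PasswordPolicy:
    """Composition rules; field names mirror the UAA password-policy keys in the announcement."""
    minLength: int
    maxLength: int                 # 0 means no upper bound (constructed convention for this example)
    requireUpperCaseCharacter: int
    requireLowerCaseCharacter: int
    requireDigit: int
    requireSpecialCharacter: int
    expirePasswordInMonths: int = 0  # 0 means passwords never expire, as in the announced policy


# The policy exactly as announced for December 1st, 2017.
PREDIX_UAA_POLICY = PasswordPolicy(
    minLength=8, maxLength=15,
    requireUpperCaseCharacter=2, requireLowerCaseCharacter=1,
    requireDigit=2, requireSpecialCharacter=1,
    expirePasswordInMonths=0,
)


def character_counts(password: str) -> Dict[str, int]:
    """Count the character classes the policy cares about.

    Assumption: a 'special' character is anything that is neither a letter nor a digit
    (so spaces and punctuation count; letters of scripts with no case count as nothing).
    """
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        elif not ch.isalnum():
            counts["special"] += 1
    return counts


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return every rule the password violates; an empty list means it is acceptable."""
    errors: List[str] = []
    n = len(password)
    if n < policy.minLength:
        errors.append(f"length {n} is below minLength {policy.minLength}")
    if policy.maxLength and n > policy.maxLength:
        errors.append(f"length {n} exceeds maxLength {policy.maxLength}")
    counts = character_counts(password)
    requirements = (
        ("upper-case characters", policy.requireUpperCaseCharacter, counts["upper"]),
        ("lower-case characters", policy.requireLowerCaseCharacter, counts["lower"]),
        ("digits", policy.requireDigit, counts["digit"]),
        ("special characters", policy.requireSpecialCharacter, counts["special"]),
    )
    for label, required, found in requirements:
        if found < required:
            errors.append(f"needs at least {required} {label}, found {found}")
    return errors


def length_tiered_policy(password: str) -> PasswordPolicy:
    """Pick composition rules by length, as the comment suggests: the longer the
    password, the fewer character-class requirements apply. Tier cut-offs (14, 20)
    and the 64-character cap are constructed values for this example.
    """
    n = len(password)
    if n >= 20:
        return PasswordPolicy(20, 64, 0, 0, 0, 0)   # long passphrase: length alone suffices
    if n >= 14:
        return PasswordPolicy(14, 64, 1, 1, 1, 0)   # medium: one of each main class
    return PasswordPolicy(8, 64, 2, 1, 2, 1)        # short: the announced composition rules


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ["GE-Predix17", "predix2017", "correct horse battery staple"]:
        fixed = check_password(sample, PREDIX_UAA_POLICY)
        tiered = check_password(sample, length_tiered_policy(sample))
        print(f"{sample!r}: announced policy -> {fixed or 'OK'}; tiered policy -> {tiered or 'OK'}")
```

Under the announced policy the 28-character passphrase is rejected (it exceeds maxLength and has no upper-case characters or digits), while under the tiered variant it passes on length alone; the short mixed-class sample passes both. Running the file prints the violations for each constructed sample.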