* Updated UAA Password Policy

Priya Bandaru created · Oct 31, 2017 at 04:30 PM · edited · Nov 16, 2017 at 02:33 PM

Predix is enhancing security and adding a new UAA password policy. Starting December 1st, 2017, any password reset or user/password creation will follow the new password policy regardless of whether it is done via the Cloud Foundry CLI, UAA front-end pages, UAA dashboard, or any User Management application that uses UAA as the back end. This policy won't impact OAuth 2.0 client secrets.

The password policy that will be enforced is as follows:

minLength: 8
maxLength: 15
requireUpperCaseCharacter: 2
requireLowerCaseCharacter: 1
requireDigit: 2
requireSpecialCharacter: 1
expirePasswordInMonths: 0

The same policy applies to the platform UAA accounts used to sign in to predix.io. Password expiration for these accounts will be required at a later date.

Password rotation (expirePasswordInMonths: 0) is not enforced by this change; it may be enforced in a future update.
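To make the policy above concrete, here is a small checker (an added example, not UAA's own validator) that applies the announced rules to a candidate password and reports every rule it breaks. The policy keys and values are copied from the announcement; the set of characters counted as "special" (ASCII punctuation) and the ASCII-only letter and digit classes are assumptions, since the page does not state how UAA classifies characters. The expiry helper shows what expirePasswordInMonths: 0 means in practice (no rotation) and what a non-zero value would do.

```python
"""Check a candidate password against the announced UAA password policy.

Added example. Policy values are from the announcement; the character
classes below are assumptions, as UAA's exact definitions are not given.
"""
import calendar
import string
from datetime import date

# Policy exactly as announced for December 1st, 2017.
UAA_POLICY = {
    "minLength": 8,
    "maxLength": 15,
    "requireUpperCaseCharacter": 2,
    "requireLowerCaseCharacter": 1,
    "requireDigit": 2,
    "requireSpecialCharacter": 1,
    "expirePasswordInMonths": 0,  # 0 = rotation not enforced
}

# Assumed character classes (ASCII only; "special" = ASCII punctuation).
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SPECIAL = set(string.punctuation)


def policy_violations(password, policy=UAA_POLICY):
    """Return a list of human-readable rule violations; empty means compliant."""
    counts = {
        "requireUpperCaseCharacter": sum(c in UPPER for c in password),
        "requireLowerCaseCharacter": sum(c in LOWER for c in password),
        "requireDigit": sum(c in DIGITS for c in password),
        "requireSpecialCharacter": sum(c in SPECIAL for c in password),
    }
    violations = []
    n = len(password)
    if n < policy["minLength"]:
        violations.append(f"length {n} < minLength {policy['minLength']}")
    if policy["maxLength"] and n > policy["maxLength"]:
        violations.append(f"length {n} > maxLength {policy['maxLength']}")
    for rule, have in counts.items():
        need = policy[rule]
        if have < need:
            violations.append(f"{rule}: have {have}, need {need}")
    return violations


def is_compliant(password, policy=UAA_POLICY):
    return not policy_violations(password, policy)


def password_expired(last_changed, today, policy=UAA_POLICY):
    """True once expirePasswordInMonths months have passed since last_changed.

    With the announced value of 0 this always returns False (no rotation).
    """
    months = policy["expirePasswordInMonths"]
    if months == 0:
        return False
    m = last_changed.month - 1 + months
    y = last_changed.year + m // 12
    m = m % 12 + 1
    d = min(last_changed.day, calendar.monthrange(y, m)[1])
    return today >= date(y, m, d)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ["PreDix2017!", "Predix2017!", "correct horse battery staple"]:
        problems = policy_violations(pw)
        print(repr(pw), "OK" if not problems else problems)
    print("expired under announced policy:",
          password_expired(date(2017, 12, 1), date(2030, 1, 1)))
```

Running the block shows that a 28-character passphrase fails four rules at once (too long, no upper case, no digits, no special character) while an 11-character string that happens to hit every class passes; that is the trade-off the comments below discuss.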


FAQ:

Q: When will the new password policy be enforced?

A: December 1st, 2017.

Q: Can teams revert the password policy enforcement?

A: Yes. The policy is configured by default on all UAA zones once enforcement begins, but a team can override it from the UAA dashboard. Doing so makes the zone non-compliant with GE policy and general security recommendations, and the Security team advises against it.

Q: Will the password policy change affect federated accounts such as GE SSO?

A: No. This change applies to local UAA user accounts only; federated accounts continue to follow their identity provider's policy, as GE SSO does.

The UAA service will remain available during the maintenance window and no downtime is expected. If you experience any issue, please file a ticket at https://predix.io/support.

bill.boumphrey@ge.com · Nov 01, 2017 at 10:40 AM

The goalposts have moved a bit on this one.

The latest NIST guidelines (NIST.SP.800-63b) section 5.1.1.2 now states "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets"

However, I appreciate GE is following what was standard practice.

jim kohli · Nov 01, 2017 at 01:45 PM

Is there some evidence that this level of manual complexity offers additional security?

bill.boumphrey@ge.com · Nov 03, 2017 at 06:17 AM

@Jim: Actually, the opposite. The belief is that complex passwords may reduce security, since they encourage people to write them down or reuse them.

See https://sciencealert.com/the-guy-who-wrote-the-book-on-passwords-now-wants-to-chuck-it-out

Andy Johns · Jan 08, 2018 at 01:06 PM

Relevant XKCD

To encourage better password habits, the max length should be considerably longer, with flexible character requirements based on that length. If your password is short, then you need upper/lower/digit/special characters, but the longer the password is the more relaxed those other requirements become...

Copyright © 2017 General Electric Company. All rights reserved.