Hub 2.5 Help

Set a Password Policy

With the Hub authentication module, you can set a password policy that is enforced every time users create or change the password for their Hub accounts.

When you set a password policy for Hub, you increase the overall security of your system:

  • Comply with minimum password requirements defined by your applications, systems, or organization.
  • Protect your Hub instance and connected services from brute-force attacks.
  • Provide users with guidelines that help them create strong passwords that are easy to remember.

Background Information

Computer users have to remember a number of passwords for multiple applications. You've probably been told several times to create a password that is unique and meets specific requirements. Like most people, you choose a pattern that you will remember the next time you log in. Unfortunately, these patterns are as obvious to password crackers as they are easy for you to remember.

The password policies supported by Hub help prevent users from creating weak passwords like these:

Password      Problem
letmein       Contains words or phrases that are commonly used as passwords.
aaaa1         Contains repeated characters.
abc123        Contains a logical sequence of characters.
1qaz2wsx      Contains characters that appear in a sequence on the keyboard.
P@ssw0rd1     Contains predictable substitutions, such as 3 for e, 0 for o, @ or 4 for a (l33t speak).

Entropy as a Measure of Password Strength

When you set a password policy, you determine the minimum entropy for passwords created by users that log in with Hub authentication. Stronger passwords have higher entropy.

Entropy is an estimation of the number of guesses needed to find a password, measured in entropy bits. Adding one bit of entropy to a password doubles the number of guesses required.

The following table demonstrates the exponential amount of effort required by a brute-force attack to crack a password based on its entropy.

Score         Guesses (min)   Entropy (min)   Time to guess (min), online attack   Time to guess (min), offline attack
                                              (10 guesses per second)              (10,000 guesses per second)
Weak          1 million       20 bits         27 hours                             1.5 minutes
Good          100 million     26 bits         3 months                             2.5 hours
Very Strong   10 billion      33 bits         32 years                             11 days

For the online brute-force attack, you can see how dramatically strong passwords improve the security of your system. Very strong passwords take decades to crack, while the weak password is discovered in a matter of hours. If the password belongs to an account that gives the hacker access to your database, they can run the attack offline, where the guess rate is far higher and the password falls much sooner.

A single weak password can open the door to unauthorized access. When you set higher requirements for passwords, this door is shut.

Guidelines for Creating Strong Passwords

Hub users can increase the strength of their passwords by following these guidelines:

  • Create a password that consists of more than one word.
    Capitalization and character substitution don't make it harder to guess a password that is based on a single word that can be found in a dictionary. You can greatly increase the entropy of a password by using a string of unrelated words in an unexpected order, even without using special characters.
    When you add another word to a password that is already very strong, it can take centuries to guess.
  • Add a few unpredictable substitutions to make words less recognizable, or insert a special character in the middle of the word. Change the order of the words to avoid a logical pattern.
  • Include lowercase and uppercase alphabetic characters, numbers, and symbols strategically. For example, you can capitalize every fourth letter in your passphrase instead of the first letter of each word.
  • Use a minimum of 12 to 14 characters.
  • Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences, usernames, names of relatives or pets, and biographical information.
  • Avoid using information that is associated with the user of an account, for example, a birthday or anniversary.

When users set or change a password in Hub, the password is checked against a database of over 30,000 common passwords, names, surnames, and popular English words. If the password contains any of these, or exhibits any of the problems described here, Hub identifies the problem and provides guidelines for creating a stronger password.

Hub uses the realistic password strength estimation developed by zxcvbn to measure the strength of a password. You can read more about it in the related article.

Instructions

You can set a password policy for the Hub authentication module that determines the minimum password strength required for user accounts.

To set a password policy

  1. In the Access Management section of the Administration menu, select Auth Modules.
  2. Select the Hub authentication module.
  3. From the Password Strength drop-down list, select one of the following options:
    Option        Description
    No Policy     Users can enter any password.
    Weak          Passwords must have a minimum entropy of 20-26 bits.
    Good          Passwords must have a minimum entropy of 26-33 bits.
    Very Strong   Passwords must have an entropy greater than 33 bits.

    That's it! The selected policy is enforced every time a user creates or changes a password for their Hub account. Users whose existing passwords do not conform to the new policy are asked to change their password when they log in.

Last modified: 20 September 2016