Ghost: [alpha.20] Ghost allows trivial user passwords

Created on 27 Apr 2017 · 3 Comments · Source: TryGhost/Ghost

Issue Summary

Ghost allows setting trivial user passwords like "aaaaaaaa" or "password". In terms of security, it's a big "NO". Here's my recommendation:

  • Implement a password policy that requires a minimum 8-character password with at least 1 character from 3 of the following 4 character groups:
    • lowercase letters
    • uppercase letters
    • numbers
    • special characters

So, for example, an acceptable password would be "Poland17" but not "poland17".

Additionally you may consider:

  • downloading a dictionary of the most popular passwords and checking against it
  • adding a password strength indicator

Steps to Reproduce

  1. Go to the team menu
  2. Try to set a simple 8-character password

Technical details:

Ghost Version: alpha.20
ghost-cli Version: 1.0.0-alpha.16
Node Version: v6.10.0
OS: Debian 3.16.39-1+deb8u1
Database: MariaDB 10.0.29 & SQLite3

All 3 comments

Hi @PaszaVonPomiot, thanks for the report.

Sites that enforce character rules for passwords as you suggest often get in the way of truly secure passwords. I don't agree that "Poland17" is more secure than "poland17" or a good password. A good password might be "I want to go to Poland on holiday next year". I often use 30+ character passwords but trip up sites that want me to include a special character.

There are some smart technologies around for doing deeper checks against passwords, and we have experimented with them in the past. The problem with them is size, they add considerable bloat with code that is only relevant to a tiny part of the application.

Ember has since provided us with a way to lazy-load resources, so that the bloat doesn't impact the entire application, and so this is something on our radar to revisit in future. For now, there are no immediate plans to add this to the alpha, so I'm going to close this report.

Hi @ErisDS, of course "Poland17" is a weak password because it's a dictionary one. I was just explaining the principle with 3 character groups. If you add a dictionary on top of that, then you will have a very decent password policy. If you are able to implement something better according to the "NIST digital authentication guidelines", that would be awesome. Just please do not disregard this topic (in alpha it's ok I guess) when you go live in production. Thanks!

@PaszaVonPomiot the most recent NIST password rules have composition rules such as you're describing on the DON'T DO list for the reasons that @ErisDS pointed out. https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

We already require a minimum 8 char password and all security rules regarding safe storage of passwords are followed.

As stated above we're now in a position where the large download size of a dictionary-based password strength checker is feasible and such an integration is planned. Regarding production use, the current system has been in production for years now as it's the same as used in the LTS branch.
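
The two policies discussed in this thread, side by side, as an added example that is not Ghost's code: the reporter's "3 of 4 character groups" rule next to a NIST SP 800-63B style check (length floor, no composition rules, reject anything on a blocklist of common passwords). The blocklist is a constructed stand-in for a real common/breached-password dictionary, and treating whitespace as "not special" mirrors how many sites count character groups.

```javascript
// Constructed stand-in for a downloaded dictionary of popular passwords.
const COMMON_PASSWORDS = new Set([
  'password', 'aaaaaaaa', '12345678', 'qwertyui', 'letmein1', 'poland17',
]);

// The reporter's proposal: at least 8 characters and at least 3 of 4 groups
// (lowercase, uppercase, digits, punctuation). Spaces are not counted as a
// special character, which is what trips up long passphrases.
function passesCompositionPolicy(password) {
  if (password.length < 8) return false;
  const groups = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9\s]/];
  const groupsHit = groups.filter((re) => re.test(password)).length;
  return groupsHit >= 3;
}

// NIST-style policy: normalise Unicode, enforce a length floor and a generous
// ceiling, and reject blocklisted values case-insensitively so "Poland17" is
// caught by a blocklisted "poland17". No character-class requirements at all.
function checkNistStyle(password, blocklist = COMMON_PASSWORDS) {
  const normalised = password.normalize('NFKC');
  const length = Array.from(normalised).length; // count code points
  if (length < 8) return { ok: false, reason: 'too_short' };
  if (length > 128) return { ok: false, reason: 'too_long' };
  if (blocklist.has(normalised.toLowerCase())) {
    return { ok: false, reason: 'blocklisted' };
  }
  return { ok: true, reason: null };
}

// Evaluate one candidate under both policies for comparison.
function compare(password) {
  return {
    composition: passesCompositionPolicy(password),
    nist: checkNistStyle(password).ok,
  };
}

// "Poland17" satisfies the composition rule yet is a dictionary password;
// the long passphrase fails the composition rule yet passes the NIST check.
console.log(compare('Poland17'));
console.log(compare('I want to go to Poland on holiday next year'));
```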
