Password Policy
It seems that nothing gets security professionals more riled up than the issue of setting a password policy.
LiquidFiles aims to ship a "strong enough" default password policy while also giving you the ability to define your own policy, at whatever level of complexity you need.
Default Password Policy
LiquidFiles uses a password scoring system to decide whether a password is strong enough. Points are awarded as follows:
- Password longer than 7 characters +1 point
- Password longer than 10 characters +1 point
- Password longer than 14 characters +1 point
- Password contains both upper and lower case characters +1 point
- Password contains digits +1 point
- Password contains any of the following characters: !,@,#,$,%,^,&,*,?,_,~,-,(,) +1 point
A password needs 3 points or more to be valid.
With this scoring system, the longer you make your password, the less complex it needs to be; the shorter it is, the more complex you need to make it.
The thinking behind this is that it allows long, wordy passwords like correcthorsebatterystaple, which are in fact stronger than shorter but more complex passwords like Tr0ub4dor&3, as highlighted in this brilliant XKCD comic.
On top of this, LiquidFiles automatically runs the CrackLib password checker, which tests passwords against dictionary words, repeated patterns and similar weaknesses.
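To make the scoring concrete, here is a small Python implementation of the six rules and the 3-point threshold above. It is an added example, not LiquidFiles' own code; the function names (explain_score, score_password, is_valid) are assumptions, and the CrackLib dictionary check is a separate step that this code does not model.

```python
# Special characters that earn a point, exactly as listed in the scoring rules.
SPECIALS = set("!@#$%^&*?_~-()")
LENGTH_THRESHOLDS = (7, 10, 14)   # one point for each threshold the length exceeds
REQUIRED_POINTS = 3               # a password needs 3 points or more to be valid


def explain_score(pw: str) -> list:
    """Return the list of rules the password satisfies (one point each)."""
    reasons = []
    for limit in LENGTH_THRESHOLDS:
        if len(pw) > limit:
            reasons.append(f"longer than {limit} characters")
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    if has_lower and has_upper:           # both cases are needed for this point
        reasons.append("upper and lower case")
    if any(c.isdigit() for c in pw):
        reasons.append("contains digits")
    if any(c in SPECIALS for c in pw):
        reasons.append("contains special characters")
    return reasons


def score_password(pw: str) -> int:
    """Score from 0 to 6 under the LiquidFiles rules."""
    return len(explain_score(pw))


def is_valid(pw: str) -> bool:
    """True when the score reaches the 3-point threshold."""
    return score_password(pw) >= REQUIRED_POINTS


if __name__ == "__main__":
    # Constructed sample passwords, including the two from the XKCD comparison.
    for candidate in ("correcthorsebatterystaple", "Tr0ub4dor&3", "password", "Passw0rd"):
        print(f"{candidate!r}: {score_password(candidate)} points, "
              f"valid={is_valid(candidate)}, rules={explain_score(candidate)}")
```

Running it shows the trade-off the text describes: the 25-character lowercase passphrase scores 3 (all three length points) and passes, while an 8-character lowercase word scores only 1 and needs mixed case plus a digit to reach the threshold.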
Dictionary Validation
Using the dictionary validation on its own, without the scoring policy, still provides very good password protection.
You can disable the regular password policy by configuring the Password Validation with:
Password Validation: .*
Or, alternatively, use the following to require a minimum of 8 characters together with the dictionary validation:
Password Validation: .{8,}
If you want to disable the dictionary validation, unselect Use Password Dictionary Validation in Admin → Configuration → Settings, as shown in the screenshot below.
Custom Password Policy
If you don't like the default password policy, you can create your own. LiquidFiles offers two different mechanisms for a custom password policy. The simplest is to define a Regular Expression that matches your desired password policy.
We offer a couple of examples below but cannot assist with requests on how to create a Regular Expression that matches your specific password policy requirements. For anything beyond the examples below, you are best off starting with a web search such as: https://duckduckgo.com/?q=regex+password+validation.
To change to your own password validation, please go to Admin → Settings on your LiquidFiles system and enter your password policy. Please note that entering your own password policy will disable the default one.
Regular Expression Password Complexity Examples:
- ^[A-Za-z]\w{6,}[A-Za-z]$ — the password needs to start and end with a letter, and be minimum 8 characters in total.
- ^(?!.*\s).{7,}$ — the password needs to be any 7+ characters, with no spaces.
- ^\w*(?=\w*\d)(?=\w*[a-z])(?=\w*[A-Z])\w*$ — the password can be of any length as long as it contains at least 1 number, at least 1 lower case letter, and at least 1 upper case letter.
- ^.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$ — the password needs to be at least 10 characters and contain at least one lower case letter, one upper case letter, one digit and one special character, where the special characters are: @#$%^&+=
As you can see, you can get very specific and very creative. To make testing easy, a password validation feature is available: enter a password that should match your policy, then adjust the regular expression until it does. Please see the video below for an example of working with the password validation:
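The expressions above can also be exercised outside the product with an ordinary regex engine, which is handy for building up a set of expected accept/reject cases before pasting the expression into Admin → Settings. The following Python harness is an added example, not LiquidFiles' own validation feature; it assumes the product applies the expression to the whole password in a Perl-compatible dialect (lookaheads included), the policy labels are ours, and the sample passwords are constructed.

```python
import re

# The four expressions from the examples above, keyed by a short label (labels are ours).
POLICIES = {
    "letter_ends_8plus": r"^[A-Za-z]\w{6,}[A-Za-z]$",
    "no_spaces_7plus":   r"^(?!.*\s).{7,}$",
    "mixed_case_digit":  r"^\w*(?=\w*\d)(?=\w*[a-z])(?=\w*[A-Z])\w*$",
    "strong_10plus":     r"^.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$",
}


def matches_policy(pattern: str, password: str) -> bool:
    """Apply one policy expression to the password (the patterns carry their own ^ and $)."""
    return re.search(pattern, password) is not None


def check_all(password: str) -> dict:
    """Result of every policy for one password, useful to see which rule rejects it."""
    return {name: matches_policy(pattern, password) for name, pattern in POLICIES.items()}


# Constructed sample passwords with the result each policy should give.
CASES = [
    ("letter_ends_8plus", "abcdefgh",   True),   # letter, 6 word characters, letter
    ("letter_ends_8plus", "abcdefg",    False),  # only 7 characters
    ("letter_ends_8plus", "1abcdefgh",  False),  # starts with a digit
    ("letter_ends_8plus", "abc defgh",  False),  # space is not a word character
    ("no_spaces_7plus",   "abcdefg",    True),
    ("no_spaces_7plus",   "abc def",    False),  # contains whitespace
    ("no_spaces_7plus",   "abcdef",     False),  # too short
    ("mixed_case_digit",  "aB1",        True),   # no length requirement at all
    ("mixed_case_digit",  "ab1",        False),  # no upper case letter
    ("mixed_case_digit",  "aB1!",       False),  # '!' is not \w, so the whole password is rejected
    ("strong_10plus",     "Abcdefg1@x", True),
    ("strong_10plus",     "Abcdefg1@",  False),  # 9 characters
    ("strong_10plus",     "abcdefg1@x", False),  # no upper case letter
]


def failing_cases() -> list:
    """Return the cases whose actual result differs from the expected one (empty when all agree)."""
    return [(name, pw, expected, matches_policy(POLICIES[name], pw))
            for name, pw, expected in CASES
            if matches_policy(POLICIES[name], pw) != expected]


if __name__ == "__main__":
    for name, pw, expected in CASES:
        print(f"{name:18} {pw!r:14} expected={expected} got={matches_policy(POLICIES[name], pw)}")
    print("mismatches:", failing_cases())
```

Two details worth noticing from the cases: the third expression is built from \w, so it silently rejects any password containing punctuation (aB1! fails), and the third expression has no length requirement at all, so aB1 passes it. Writing the cases down before changing the expression makes such side effects visible.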
Changing Password Description
When you have changed your password policy, it is a good idea to also change the wording of the password policy description. This is what your users see when they are prompted to enter a password.
To change the wording of the password policy, go to Admin → System → Locales, select your language and click "Edit". Since there are many strings that can be changed, the easiest way to find the password policy one is to search the page for "password complexity description" (without quotation marks).
As an example, here we've changed the password complexity description to match the first regular expression above:
Advanced Password Policy
Sometimes it isn't possible to express your password policy as a simple regular expression. For those cases LiquidFiles also provides the facility of checking password complexity with an external script.
For scriptable password validation, see the Actionscript Password Validation feature for how to install and execute a script that validates the password.
As you can see, you can now write as complex a policy as your company demands. If you want to store user passwords (let's say you want a policy that users can't reuse their previous 5 passwords), the best way is to store a hash computed with an algorithm like SHA256 (in bash, echo "$PASSWORD" | sha256sum | awk '{print $1}' gives the password hash). You can then keep the hashes somewhere under /var/data where the script is able to write, or possibly use something like a SQLite database to store them. Please note that the script executes because the user's password is about to be changed: if the script you write exits with code zero (0), the password will be changed. The script is the final validation.
Although the example here is written in Bourne shell (sh), you can write the script in pretty much any language available on the system that you're familiar with, such as bash, perl, ruby, python or C. Anything that can be executed as in the example above and that returns an exit code of zero (0) for a valid password or one (1) for an invalid one will work.
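As an added example of such a script (not LiquidFiles' own code), the following Python program enforces the "no reuse of the previous 5 passwords" policy sketched above and exits 0 to accept or 1 to reject. It assumes the new password arrives in the PASSWORD environment variable, as the bash snippet above suggests, and it additionally assumes a USERNAME variable and a per-user JSON history file under /var/data; those two names are assumptions, not a documented interface. Instead of a bare SHA256 of the password it stores a salted SHA256 with the salt kept beside the hash, which is a hardening choice of this example so that identical passwords from different users, or identical passwords over time, do not produce identical stored values.

```python
import hashlib
import hmac
import json
import os
import secrets
import sys

HISTORY_DEPTH = 5                              # previous passwords that may not be reused
HISTORY_DIR = "/var/data/password-history"     # assumed writable location under /var/data


def hash_password(password: str, salt: str) -> str:
    """Salted SHA-256 hex digest of the password; the salt is stored beside the hash."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def load_history(path: str) -> list:
    """Read the per-user history file: a JSON list of {"salt": ..., "hash": ...} entries."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return json.load(fh)
    except FileNotFoundError:
        return []


def save_history(path: str, entries: list) -> None:
    """Write the history atomically so an interrupted run cannot leave a half-written file."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(entries, fh)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def is_reused(password: str, entries: list) -> bool:
    """True if the password matches any of the last HISTORY_DEPTH stored hashes."""
    for entry in entries[-HISTORY_DEPTH:]:
        candidate = hash_password(password, entry["salt"])
        if hmac.compare_digest(candidate, entry["hash"]):
            return True
    return False


def validate_and_record(password: str, path: str) -> bool:
    """Accept (True) or reject (False) the new password; on accept, remember it.

    Recording at accept time is correct here because, as the text says, the script
    only runs when the password is about to be changed and its exit code is final.
    """
    entries = load_history(path)
    if is_reused(password, entries):
        return False
    salt = secrets.token_hex(16)
    entries.append({"salt": salt, "hash": hash_password(password, salt)})
    save_history(path, entries[-HISTORY_DEPTH:])   # keep only what the policy needs
    return True


def history_path(username: str) -> str:
    """Map the user name to a file under HISTORY_DIR, refusing names that could escape it."""
    safe = "".join(c for c in username if c.isalnum() or c in "._-")
    if not safe or safe.startswith("."):
        raise ValueError("unusable user name")
    return os.path.join(HISTORY_DIR, safe + ".json")


def main() -> int:
    password = os.environ.get("PASSWORD")   # assumed interface: new password in $PASSWORD
    username = os.environ.get("USERNAME")   # hypothetical: user name in $USERNAME
    if not password or not username:
        return 1
    try:
        return 0 if validate_and_record(password, history_path(username)) else 1
    except (OSError, ValueError):
        return 1                            # fail closed: any error rejects the change


if __name__ == "__main__":
    sys.exit(main())
```

The history file is truncated to the last five entries on every accepted change, so a password becomes reusable again only after five different ones have been set, and the comparison uses hmac.compare_digest so that a mismatch takes the same time regardless of where the digests differ.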