Admin User Management - Password Management Policy

We need to establish a clear and agreed policy for password management and complement it with a suitable UX to ensure it's as simple for users as possible.


We've consulted our IG lead, Andrew Todd - his reply:


Hi Ray

I don’t think we have, unless Martin Hall has something in one of his policies. Nevertheless we should be working within best practice guidelines (27001)
At least seven characters,
Alpha, numeric and perhaps special characters
Changing frequently
Three lockout attempts
No generic accounts

Regards
Andrew


I don't believe we should take ISO27001 at face value necessarily as I believe it's a tad dated now - we should also take input from:

https://www.gov.uk/service-manual/design/passwords (makes interesting reading - arguing that overly complex constraints and forcing frequent password changes are counterproductive, reducing overall security as users are more likely to write the password down or store it somewhere less secure)

It's largely based on the CESG (now NCSC) principles here: https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach


Digital Service Standard & National Cyber Security Centre (NCSC)

  • advise using constraints that fit your security needs
  • favour simplicity plus technical controls over complicated password-setting rules


Suggested rules include

  • monitor login attempts
  • notify users with unusual use
  • set a minimum length of at least 8 characters
  • don’t set a maximum length
  • explain the constraints to users
  • use a blacklist of commonly used passwords << not possible in KeyCloak
  • no forced periodic changes
  • don’t reveal whether password or email incorrect on incorrect login attempts
  • allow pasting
  • send link or code to reset password
  • technical controls to avoid automated guessing attacks - e.g. 10 attempts & account lock << not available as a password policy in KeyCloak; check the realm's Brute Force Detection settings (Security Defenses tab), which can temporarily lock an account after a configurable number of failed logins
  • guide users to use stronger passwords and why, either with strength guide or explanatory guidance text
  • use password blacklist to stop users creating certain passwords << only possible to blacklist historical passwords



KeyCloak Constraints

KeyCloak constrains what we can implement - so worth reviewing what it provides: http://www.keycloak.org/docs/3.3/server_admin/topics/authentication/password-policies.html 

We can of course use these as hard validation rules and, where appropriate, make recommendations in the UI during password reset that go beyond them to guide users towards best practice.


By default no password policy is set. The policies that can be added are:

  • hash algorithm - the algorithm used to hash stored passwords; this protects the stored credential rather than constraining what the user picks
  • hashing iterations - how many times the hash function is applied; more iterations make offline cracking of a leaked hash slower, at the cost of slower logins
  • minimum length - minimum number of characters in the password
  • number of digits - minimum number of numeric digits to be included
  • lower case characters - minimum number of lowercase characters to be included
  • uppercase characters - minimum number of uppercase characters to be included
  • special characters - minimum number of special (non-alphanumeric) characters to be included
  • not username - the password must not be the same as the username
  • regular expression - the password must match a regular expression that we supply
  • expire password - length of time in days that the password is valid for (the GOV.UK/NCSC guidance above argues against forced periodic changes)
  • not recently used - the password must not match any of the user's last N passwords
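To tie the suggested rules above (minimum length with no maximum, not the username, explain the constraints to users) to the KeyCloak policies just listed, here is an added example that is not code from the page, from GOV.UK or from KeyCloak itself. It checks a candidate password against a KeyCloak-style policy string and returns each failed rule as a user-facing explanation, so the reset UI can show the same constraints the server will enforce. The policy string syntax ("length(8) and notUsername and ...") and the policy ids are the ones KeyCloak stores in a realm's passwordPolicy attribute; the example policy, the hashIterations value, the message wording, the sample passwords and the plain-text history list are assumptions made for this demo, and the character classes are ASCII-only.

```javascript
// Added example, not code from the page or from KeyCloak: evaluate a candidate
// password against a KeyCloak-style policy string and explain every failure in
// plain language. The policy string syntax and the policy ids are KeyCloak's;
// the policy below, the message wording, the sample passwords and the
// plain-text history are assumptions for this demo.

// Assumed policy: the page's rules (min 8 chars, no max, not the username,
// no forced expiry) plus a history of 3. The hashIterations value is an
// assumption, not a KeyCloak default.
const EXAMPLE_POLICY =
  'length(8) and notUsername and passwordHistory(3) and hashIterations(20000)';

// User-facing wording for each rule that a candidate password can fail.
const EXPLANATIONS = {
  length: n => `Use at least ${n} characters; there is no upper limit.`,
  digits: n => `Include at least ${n} digit(s).`,
  lowerCase: n => `Include at least ${n} lower-case letter(s).`,
  upperCase: n => `Include at least ${n} upper-case letter(s).`,
  specialChars: n => `Include at least ${n} symbol(s) such as ! ? or #.`,
  notUsername: () => 'Your password must not be the same as your username.',
  regexPattern: p => `Your password must match the pattern ${p}.`,
  passwordHistory: n => `You cannot reuse any of your last ${n} passwords.`,
};

// Storage and lifecycle settings appear in the policy string but a candidate
// password cannot fail them, so they are skipped when checking.
const NOT_CHECKABLE = new Set(['hashAlgorithm', 'hashIterations', 'forceExpiredPasswordChange']);

// Parse "length(8) and notUsername" into
// [{ id: 'length', arg: '8' }, { id: 'notUsername', arg: null }].
// Simplification: a regexPattern containing the literal text " and " would be
// split incorrectly by this parser.
function parsePolicy(policyString) {
  return policyString
    .split(/\s+and\s+/i)
    .map(term => term.trim())
    .filter(term => term.length > 0)
    .map(term => {
      const m = /^(\w+)(?:\((.*)\))?$/.exec(term);
      if (!m) throw new Error(`Unrecognised policy term: ${term}`);
      return { id: m[1], arg: m[2] === undefined ? null : m[2] };
    });
}

// Count regex matches in a string (ASCII character classes only in this demo).
const count = (s, re) => (s.match(re) || []).length;

// Check one candidate. `history` holds previous passwords in plain text purely
// for this offline demo; KeyCloak compares against stored hashes server-side.
function checkPassword(policyString, password, { username = '', history = [] } = {}) {
  const failures = [];
  for (const { id, arg } of parsePolicy(policyString)) {
    if (NOT_CHECKABLE.has(id)) continue;
    const n = Number(arg);
    let ok;
    switch (id) {
      case 'length':          ok = password.length >= n; break;
      case 'digits':          ok = count(password, /[0-9]/g) >= n; break;
      case 'lowerCase':       ok = count(password, /[a-z]/g) >= n; break;
      case 'upperCase':       ok = count(password, /[A-Z]/g) >= n; break;
      case 'specialChars':    ok = count(password, /[^A-Za-z0-9]/g) >= n; break;
      case 'notUsername':     ok = password !== username; break;
      case 'regexPattern':    ok = new RegExp(arg).test(password); break;
      case 'passwordHistory': ok = !history.slice(-n).includes(password); break;
      default: throw new Error(`Unknown policy id: ${id}`);
    }
    if (!ok) failures.push(EXPLANATIONS[id](arg));
  }
  return { valid: failures.length === 0, failures };
}

// Demo with constructed inputs: a too-short password equal to the username,
// a long passphrase, and a reuse of the previous password.
for (const candidate of ['ray', 'correct horse battery', 'Winter2017!']) {
  const result = checkPassword(EXAMPLE_POLICY, candidate, { username: 'ray', history: ['Winter2017!'] });
  console.log(JSON.stringify(candidate), result.valid ? 'ok' : result.failures);
}
```

Running the demo shows the passphrase passing, "ray" failing on both length and notUsername, and the reused password failing only the history rule. The same checks must still run server-side in KeyCloak; the client-side pass is only there to explain the constraints before the user submits, which is the UX point the guidance above is making.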