Hackathon March 2023: Password Policies

  • Team name: Nuts team :chestnut:
  • Team members: Pierre, Max, Gaëtan

This project allows the administrator to set the minimum entropy for users' passphrases, passwords in the database and passwords generated within a passbolt client. Additionally, a metadata indicator will show if the quality of a password is unsafe or compromised. This project increases the security of the solution as it gives admins control and visibility over the password database.

Q1. What is the problem that we are trying to solve?

Users need to set a passphrase to unlock their private key. At the moment, the requirements for those passphrases are hardcoded. Admins can’t enforce a policy to increase (or decrease) the entropy required for those passphrases.

Moreover, admins can’t enforce a policy on passbolt password generators to ensure that the default generated password matches the defined entropy.

Q2 - Who is impacted?

All administrators who want to ensure that users' passphrases and the passwords present on their instance are equal to or above a minimal entropy requirement.

Q3 - Why is it important and/or urgent?

This feature will ensure the quality of passwords and users' passphrases. At the moment, this quality is the responsibility of each user, who is responsible for defining it. There is an important lack of control and visibility for admins over the password database of their company and, more importantly, no control over the strength of the users' passphrases that are used to access and decrypt passwords.

Q4 - What is your proposed solution?

Settings in the administration workspace should let administrators decide the minimum entropy for: users' passphrases, passwords that are already inside the database and the passwords generated within a passbolt client (web, browser extension, mobile apps). We will also indicate if the user has unsafe passwords with a new password metadata: Quality. This metadata will be there only if the password quality is unsafe or compromised. Compromised quality will appear if the password is part of haveibeenpwned services, for example.

Excluded scope

Admins will not be able to set a minimum entropy for specific groups/folders; the settings will be global.

Here’s the documentation: Password policies - Requirements & specifications

Share your thoughts and ideas below:

  • :ok_woman: Must have: this is critical for me to have this
  • :raising_hand_woman: Should have: this is important for me to have this
  • :tipping_hand_woman: Could have: this could be nice to have
  • :no_good_woman: Won’t have: we should not schedule this (explain why)

Released with Pro v4.2.0, check out the release notes for more information.
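The checks proposed in Q4, sketched as an added example that is not passbolt's code: a global minimum entropy applied to stored secrets and to generator settings, with a Quality value returned only when a secret is unsafe or compromised. Assumptions: entropy is estimated as length × log2(character pool size), "unsafe" means below the admin's minimum, and the pool sizes, function names, policy shape and breach-lookup callback are hypothetical.

```javascript
// Character pools and their sizes are assumptions for this example.
const CHARACTER_POOLS = [
  { name: "lower", regex: /[a-z]/, size: 26 },
  { name: "upper", regex: /[A-Z]/, size: 26 },
  { name: "digit", regex: /[0-9]/, size: 10 },
  { name: "symbol", regex: /[^a-zA-Z0-9]/, size: 32 },
];

// Estimate entropy in bits: number of code points * log2(combined pool size).
function estimateEntropy(secret) {
  const length = Array.from(secret).length;
  const pool = CHARACTER_POOLS
    .filter((p) => p.regex.test(secret))
    .reduce((sum, p) => sum + p.size, 0);
  return pool === 0 ? 0 : length * Math.log2(pool);
}

// Quality metadata: present only when the secret is compromised or unsafe.
// isCompromised is a caller-supplied lookup (for example a breach service).
function evaluateQuality(secret, policy, isCompromised) {
  if (isCompromised(secret)) return "compromised";
  if (estimateEntropy(secret) < policy.minEntropyBits) return "unsafe";
  return null; // no indicator for secrets that satisfy the policy
}

// Bits per character that a generator configuration can produce.
function bitsPerCharacter(settings) {
  const pool = CHARACTER_POOLS
    .filter((p) => settings.pools.includes(p.name))
    .reduce((sum, p) => sum + p.size, 0);
  return pool === 0 ? 0 : Math.log2(pool);
}

// True when the generator's defaults reach the admin's minimum entropy.
function generatorMeetsPolicy(settings, policy) {
  return settings.length * bitsPerCharacter(settings) >= policy.minEntropyBits;
}

// Smallest length at which these pools satisfy the policy (Infinity if none).
function minimumLength(settings, policy) {
  const bits = bitsPerCharacter(settings);
  return bits === 0 ? Infinity : Math.ceil(policy.minEntropyBits / bits);
}

// Constructed sample data: a global policy and a stand-in breach list.
const policy = { minEntropyBits: 80 };
const breached = new Set(["password123"]);
const isBreached = (secret) => breached.has(secret);
```

The same policy object is applied to every secret and every generator, matching the global scope of the settings; a lookup against a real breach service would replace `isBreached`.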