•  
      story #11182 prevent users to use a breached password
    Summary
    Empty
    prevent users to use a breached password

    Users can not (re)use a password found in available breach corpuses since it would be more likely to be cracked.


    Latest NIST recommendations on authentication can be applied with a Tuleap instance.

    • A known breached password can not be used
      • New user registration
      • New account creation as a site administrator
      • Password change
      • Password change of an account as a site administrator
    • Feature is enabled by default
    • Can be desactivated/re-enabled from the site administration
    Empty
    Empty
    Status
    Empty
    Done
    Development
    • [ ] Does it involves User Interface? 
    • [ ] Are there any mockups?
    • [ ] Are permissions checked?
    • [ ] Does it need Javascript development?
    • [ ] Does it need a forge upgrade bucket?
    • [ ] Does it need to execute things in system events?
    • [ ] Does it impact project creation (templates)?
    • [x] Is it exploratory?
    Embedding a whole list of breached password is not really feasible. Dumps are quite large (several GB) and only become bigger and bigger with time.

    Contribution will rely on Have I been pwned? API v2 [1] to check if a password is compromised.
    Passwords must be searched by range to not leak the password being checked with this online service [2].









    [1] https://haveibeenpwned.com/API/v2
    [2] https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
    Details
    #11182
    Thomas Gerbet (tgerbet)
    2018-04-16 11:20
    2018-02-22 22:43
    11519

    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2018-02-23 16:12
    In terms of reliability, Cloudflare support the service and serve it through their CDN infrastructure. Responses provided by the API are marked as valid for a long time (max-age of 31 days sets in the Cache-Control header) so most of the responses end up served directly by Cloudflare. That should at least cover the slowed down part.

    However to not let my extremist side completely take over we can consider that a password is acceptable if it is not found in the breach corpuses or if the API call ended up with an error or no response.
    Later on we could add a way for site administrators to enable the strict check (password rejected if found in the breach corpuses or if the API call has failed) with all the needed warnings in the UI.
    User avatar

    Unless I'm wrong in most of these cases the authentication/user management is mainly managed with an LDAP/ActiveDirectory server so it will only impacts users that have been created manually. So the most common use case will never hit the feature and it will probably be enough to prevent us too much troubles.

    Ok.

    Worst thing that can happen if the API is not accessible is that users won't be able to change their password or to register, existing administrative accounts would still be able to connect and solve the issue.

    Unless we have a solid track of record of this 3rd party reliability, I would not block those features if the API is slowed down or blocked.

     

    User avatar
    Thomas Gerbet (tgerbet)2018-02-23 12:10
    Unless I'm wrong in most of these cases the authentication/user management is mainly managed with an LDAP/ActiveDirectory server so it will only impacts users that have been created manually. So the most common use case will never hit the feature and it will probably be enough to prevent us too much troubles.

    That's said we might want to add in the AC that a warning message should be displayed in the site administration when accesses to the API fail (timeouts or unexpected HTTP error codes) to lead the site administrator directly where the feature can be disabled.

    I'm in favor to have this enabled by default because nobody is going through settings to enable this kind of thing after an installation and the default choice should be the safe/secure one. Also, while I can't back this guess with numbers, I think most of the Tuleap instances being installed have access to internet.
    Worst thing that can happen if the API is not accessible is that users won't be able to change their password or to register, existing administrative accounts would still be able to connect and solve the issue.
    User avatar

    I overlooked the tech details sorry.

    You propose to enable it by default but how will we manage deployment in DMZ without internet access ?

    User avatar
    Thomas Gerbet (tgerbet)2018-02-23 09:10
    I put some details on how to do it in the "Technical info" field → A GET request to the Have I Been Pwned API with some basic processing.
    A specific lib is not really needed.
    User avatar

    How do you forsee that ?

    Is there any lib / tool that can be used ?


    • Permissions set to