Please treat symbols as part of the complexity check in SSO

Bug #1055741 reported by Joey Stanford on 2012-09-24
Affects: Canonical SSO provider
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,

In SSO today we require a minimum of 8 characters, at least 1 number, and one lower & upper letter.

For complexity checking in SSO we should also add "one symbol (such as #, $, @, or *)" as per IT security best practice.

Thanks.
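As an added example (not code from the bug report or from the SSO service), a checker that implements the rule set stated above, with the proposed symbol requirement as an optional flag; treating any non-alphanumeric character as a "symbol" is an assumption, since the report only gives examples.

```python
import re

# Rule set as stated in the bug: minimum 8 characters, at least one digit,
# one lowercase and one uppercase letter. The symbol rule is the proposed
# addition, kept optional here because the thread ends with it removed.
MIN_LENGTH = 8

# Which characters count as a "symbol" is not defined on the page beyond the
# examples (#, $, @, *); treating any non-alphanumeric character as one is an
# assumption of this example.
_CHECKS = {
    "digit": re.compile(r"\d"),
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def password_failures(password: str, require_symbol: bool = False) -> list[str]:
    """Return the names of the rules the password fails (empty means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    for name, pattern in _CHECKS.items():
        if name == "symbol" and not require_symbol:
            continue
        if not pattern.search(password):
            failures.append(name)
    return failures


def is_acceptable(password: str, require_symbol: bool = False) -> bool:
    """True when the password satisfies every active rule."""
    return not password_failures(password, require_symbol)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ["Passw0rd", "Passw0rd!", "password1", "Pa$s1"]:
        print(pw, password_failures(pw), password_failures(pw, require_symbol=True))
```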

On Tue, Sep 25, 2012 at 7:53 AM, Joey Stanford <email address hidden> wrote:
> Public bug reported:
>
> Hi,
>
> In SSO today we require a minimum of 8 characters, at least 1 number,
> and one lower & upper letter.
>
> For complexity checking in SSO we should also add "one symbol (such as
> #, $, @, or *)" as per IT security best practice.

There was a long thread on password security on the internal -tech
list; we have a balance to strike between ease of use and security.
Passphrases offer the potential for stronger, more memorable inputs.
OTOH http://arstechnica.com/business/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices/

Joey Stanford (joey) wrote :

I've made the call to remove the symbol now until we're audited and they require us to put it back.

Joey Stanford (joey) wrote :

Re the above, insofar as the Canonical PW policy is concerned.
