Please treat symbols as part of the complexity check in SSO

Bug #1055741 reported by Joey Stanford
This bug affects 1 person
Affects: Canonical SSO provider
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,

In SSO today we require a minimum of 8 characters, at least 1 number, and one lower & upper letter.

For complexity checking in SSO we should also add "one symbol (such as #, $, @, or *)" as per IT security best practice.

Thanks.

Tags: compliance
Robert Collins (lifeless) wrote : Re: [Bug 1055741] [NEW] Please treat symbols as part of the complexity check in SSO

On Tue, Sep 25, 2012 at 7:53 AM, Joey Stanford <email address hidden> wrote:
> Public bug reported:
>
> Hi,
>
> In SSO today we require a minimum of 8 characters, at least 1 number,
> and one lower & upper letter.
>
> For complexity checking in SSO we should also add "one symbol (such as
> #, $, @, or *)" as per IT security best practice.

There was a long thread on password security on the internal -tech
list, we have a balance to strike between ease of use and security;
passphrases offer the potential for stronger, more memorable inputs.
OTOH http://arstechnica.com/business/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices/
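
The rules under discussion, as an added example that is not part of the bug report or of the SSO code base: a checker for the current policy (8 characters, a number, a lower and an upper letter) with the requested symbol rule as an option, run over constructed sample passwords including a passphrase. Treating every ASCII punctuation character as a "symbol" is an assumption, since the report only names #, $, @ and * as examples; the function and constant names are hypothetical.

```python
import string

# Assumption: "symbol" means any ASCII punctuation character; the report
# only gives #, $, @ and * as examples. A space does not count.
SYMBOLS = set(string.punctuation)

MIN_LENGTH = 8  # minimum length stated in the report


def unmet_requirements(password, require_symbol=False):
    """Return the names of the policy rules the password fails.

    An empty list means the password is accepted. With
    require_symbol=True the symbol rule requested in the report is
    enforced on top of the current rules.
    """
    rules = [
        ("length", len(password) >= MIN_LENGTH),
        ("digit", any(c.isdigit() for c in password)),
        ("lowercase", any(c.islower() for c in password)),
        ("uppercase", any(c.isupper() for c in password)),
    ]
    if require_symbol:
        rules.append(("symbol", any(c in SYMBOLS for c in password)))
    return [name for name, ok in rules if not ok]


# Constructed sample inputs, not taken from any real account.
SAMPLES = [
    "Password1",                     # dictionary word, capital, digit
    "Password1!",                    # same, with a symbol appended
    "correct horse battery staple",  # long all-lowercase passphrase
    "Ab1$",                          # every character class, too short
]

if __name__ == "__main__":
    for pw in SAMPLES:
        current = unmet_requirements(pw)
        proposed = unmet_requirements(pw, require_symbol=True)
        print(f"{pw!r}: current={current} proposed={proposed}")
```

Character-class rules of this kind accept "Password1" and reject the 28-character passphrase under both variants, which is the ease-of-use trade-off the comment above refers to.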

Joey Stanford (joey) wrote :

I've made the call to remove the symbol now until we're audited and they require us to put it back.

Joey Stanford (joey) wrote :

Re the above, insofar as the Canonical PW policy is concerned.
