Chapter 7. Dashboard in OpenStack Security Guide - Add best practice around pw managers

Bug #1441229 reported by N Dillon
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openstack-manuals
Fix Released
Medium
Patrick Amor

Bug Description

As password complexity requirements rise, and as re-use is discouraged in best practice, password managers are a growing part of daily use. The Dashboard section is a good place to have a discussion of the pros and cons of password management, plus recommendations on doing so securely if they are allowed (such as disabling browser managers and using desktop).

-----------------------------------
Built: 2015-04-06T06:53:56+00:00
git SHA: 2f906469bc38a2049883645a1ebdc13a2b3245eb
URL: http://docs.openstack.org/security-guide/content/dashboard.html
source File: file:/home/jenkins/workspace/security-doc-tox-doc-publishdocs/security-guide/ch_dashboard.xml
xml:id: dashboard

Tags: sec-guide
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Medium
Danny.Ho (dannyh)
Changed in openstack-manuals:
assignee: nobody → Danny.Ho (dannyh)
Revision history for this message
Danny.Ho (dannyh) wrote :

Hello Andreas
Password characters should be a combination of alphanumeric characters. Alphanumeric characters consist of letters, numbers, punctuation marks, mathematical and other conventional symbols. For change-password functionality, if possible, keep a history of the hashes of old passwords. It should not store the actual passwords, to protect against brute forcing if the database file is compromised. In this way, the user cannot change to a password that was used a couple of months back.

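The password-history idea in the comment above, written out as an added example (this is not code from the bug report, from Horizon or from the security guide): only salted hashes of previous passwords are kept, a password change is refused when the new value matches any remembered hash, and the oldest entries fall off once the history depth is reached. Salt size, PBKDF2 iteration count and history depth are illustrative choices, not values taken from any OpenStack project.

```python
"""Password-history check that stores salted hashes only, never the passwords.

Added example illustrating the comment above; not from the bug report or the
OpenStack docs. Constants below are illustrative choices.
"""
import hashlib
import hmac
import os
from collections import deque

PBKDF2_ITERATIONS = 600_000   # illustrative default; tune to your hardware
HISTORY_DEPTH = 5             # how many previous passwords are remembered
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a 32-byte PBKDF2-HMAC-SHA256 hash of password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


class PasswordHistory:
    """Per-user record: the current (salt, hash) pair plus a bounded queue of old pairs.

    Each entry carries its own random salt, so a candidate password has to be
    re-hashed once per stored entry when checking for reuse.
    """

    def __init__(self, initial_password: str, depth: int = HISTORY_DEPTH,
                 iterations: int = PBKDF2_ITERATIONS):
        self._iterations = iterations
        self._history: deque = deque(maxlen=depth)   # previous (salt, hash) pairs only
        self._current = self._new_record(initial_password)

    def _new_record(self, password: str):
        salt = os.urandom(SALT_BYTES)
        return salt, hash_password(password, salt, self._iterations)

    def verify(self, password: str) -> bool:
        """Constant-time comparison against the current password hash."""
        salt, digest = self._current
        return hmac.compare_digest(hash_password(password, salt, self._iterations), digest)

    def was_used_before(self, candidate: str) -> bool:
        """True if candidate equals the current password or any remembered previous one."""
        for salt, digest in [self._current, *self._history]:
            if hmac.compare_digest(hash_password(candidate, salt, self._iterations), digest):
                return True
        return False

    def change_password(self, old: str, new: str) -> bool:
        """Rotate to `new` only if `old` is correct and `new` is not in the history window."""
        if not self.verify(old):
            return False
        if self.was_used_before(new):
            return False
        # Push the current pair onto the history; deque(maxlen) drops the oldest entry.
        self._history.appendleft(self._current)
        self._current = self._new_record(new)
        return True


if __name__ == "__main__":
    # Constructed demo values; a real deployment would use the default iteration count.
    record = PasswordHistory("correct horse battery staple", iterations=1_000)
    print("change to new:", record.change_password("correct horse battery staple", "Tr0ub4dor&3"))
    print("change back to old:", record.change_password("Tr0ub4dor&3", "correct horse battery staple"))
```

Because every stored entry has its own salt, the reuse check costs one key derivation per remembered password; keeping the history depth small bounds that cost, and a compromised table still yields only salted, slow-to-brute-force hashes rather than the passwords themselves.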
Danny.Ho (dannyh)
Changed in openstack-manuals:
assignee: Danny.Ho (dannyh) → nobody
Changed in openstack-manuals:
assignee: nobody → Matt Valdes (matthew-valdes)
Revision history for this message
Matt Valdes (matthew-valdes) wrote :

Based on the existing contributions, we will make this a section on passwords with 2 subsections: password management and password quality. We'll then link to this information from Ch. 6: Identity authentication or authentication methods.

For existing high-level recommendations also see:
http://docs.openstack.org/security-guide/identity/authentication-methods.html

Revision history for this message
Patrick Amor (pamor) wrote :

I'll post a WIP review with a suggested change. I don't think the security guide can do a definitive treatment on this topic but at least raising the awareness of such issues and pointing to some external resources might be a good start.

Changed in openstack-manuals:
assignee: Matt Valdes (matthew-valdes) → Patrick Amor (pamor)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to security-doc (master)

Fix proposed to branch: master
Review: https://review.openstack.org/268256

Changed in openstack-manuals:
status: Confirmed → In Progress
Revision history for this message
Patrick Amor (pamor) wrote :

Matthew, my apologies. I didn't see that you had assigned this to yourself. This bug was open in my browser for a few days. Didn't mean to swipe it. Please feel free to take it back or if you want we can collaborate on the change with the stuff I put up for review.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to security-doc (master)

Reviewed: https://review.openstack.org/268256
Committed: https://git.openstack.org/cgit/openstack/security-doc/commit/?id=2fb6a4b784875e19b41781a763ae85fe6befcf2e
Submitter: Jenkins
Branch: master

commit 2fb6a4b784875e19b41781a763ae85fe6befcf2e
Author: Patrick Amor <email address hidden>
Date: Fri Jan 15 09:02:01 2016 -0800

    Discuss passwords and password managers for Dashboard chapter

    Added a link to external NIST document for basic best practices
    Raised awareness of browser password stores and external password stores

    Change-Id: I331d2e0d212de4b0a93e9788a02017c75d2b2086
    Closes-Bug: #1441229

Changed in openstack-manuals:
status: In Progress → Fix Released