[haiku-depot-web] Re: Password Policy

  • From: Andrew Lindesay <apl@xxxxxxxxxxxxxx>
  • To: haiku-depot-web@xxxxxxxxxxxxx
  • Date: Tue, 14 Oct 2014 12:41:23 +1300

Hello All;

> Also, I didn't test this yet, but preventing login attempts from happening in
> rapid fire fashion will go a long way as well.

That is implemented now; if you fail to authenticate there is a delay before the API responds. However, I know this isn't an _entirely_ robust solution because one can simply drop the socket if the response takes too long to respond. It probably helps.

> And at a minimum, increase password length to say 19 characters? This

I think that might be a bit long for me. I think the current rules do ensure some level of password strength whilst being quite easy to implement. Is it primarily the requirement to include an upper case character that is annoying?

> Or use OpenID? At least that way, password security would become the
> responsibility of the OpenID provider.

We looked into OpenID and Richard had some suggestions as to single-sign-on products that we might be able to employ. It is still not clear how this would work with the desktop HD application and nobody is presently able to commit the time required to license, deploy, integrate, operate and maintain this service with respect to other services that are already running.

For this reason (for the time being) HDS is running its own user database and user management systems. Changes have been made some weeks ago to accommodate the possibility of shifting (or concurrently running) the data into LDAP at some point in the future so there is a future path from where we are now to an LDAP or an LDAP/OpenID solution.

> hence the rise of 2FA...

Providing 2FA would require Stephan to use the "Token Bearer" (JWT) system for API calls [1] as opposed to using "Basic Authentication" on each request. There would also be a little bit more complexity in the authentication handshaking process. I do not think implementing this is terribly tricky in the application-server / web side. Stephan; what are your thoughts on this? Is this worthwhile?

[1] http://www.silvereye.co.nz/tmp/haikudepotserver-docs-26sep2014-tmp.pdf (see 5.1)

Regards;

--
Andrew Lindesay
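Added illustration (not code from the HDS project) of the caveat raised above: a sleep before the failure response can be side-stepped by a client that drops the socket, whereas a server-side failure counter with a backoff window cannot, because the window is recorded at the moment the attempt fails. The account key, timings and backoff parameters are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class FailedLoginThrottle:
    """Server-side record of failed logins. A sleep before the reply can be
    defeated by dropping the socket; here the backoff window is stored when
    the failure happens, so the next attempt is judged against it regardless."""
    base_delay: float = 1.0      # window after the first failure (seconds)
    max_delay: float = 300.0     # cap on the exponential backoff
    reset_after: float = 3600.0  # forget failures after this much quiet time
    _state: dict = field(default_factory=dict)  # key -> (failures, last, not_before)

    def check(self, key: str, now: float) -> float:
        """Seconds the caller must still wait; 0.0 means the attempt may proceed."""
        failures, last, not_before = self._state.get(key, (0, 0.0, 0.0))
        if failures and now - last > self.reset_after:
            del self._state[key]
            return 0.0
        return max(0.0, not_before - now)

    def record_failure(self, key: str, now: float) -> float:
        """Doubles the window on each consecutive failure; returns the new window."""
        failures = self._state.get(key, (0, 0.0, 0.0))[0] + 1
        delay = min(self.max_delay, self.base_delay * 2 ** (failures - 1))
        self._state[key] = (failures, now, now + delay)
        return delay

    def record_success(self, key: str) -> None:
        self._state.pop(key, None)

def attempt_login(throttle: FailedLoginThrottle, key: str, password_ok: bool, now: float) -> str:
    """Returns 'throttled', 'ok' or 'failed'; the credential check is a supplied boolean."""
    if throttle.check(key, now) > 0:
        return "throttled"  # refused before the password is even checked
    if password_ok:
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key, now)
    return "failed"

def simulate() -> list:
    """Constructed sequence of attempts against one account (times in seconds)."""
    throttle = FailedLoginThrottle()
    key = "user:alice"  # constructed; keying on client IP as well is a common variant
    events = [
        (0.0, False),  # wrong password, opens a 1 s window
        (0.2, False),  # retried at once (socket dropped), still inside the window
        (1.5, False),  # window expired, fails again, window becomes 2 s
        (2.0, True),   # right password but still inside the window
        (4.0, True),   # window expired, succeeds, state cleared
    ]
    return [attempt_login(throttle, key, ok, now) for now, ok in events]
```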
