Getting Started
First Time Setup
Getting Started With Jobs
Getting Started with Ticketing
Setting Sonar up for Billing
Getting Started with Inventory
Baseline Configuration
Accounts
Account Types: Overview & Example Use Cases
Account Statuses: Overview & Example Use Cases
Account View: Overview
Scheduled Events: Overview & Use Cases
Notes & Tasks: Best Practices & Use Cases
Child Accounts: Best Practices & How Tos
Disconnecting an Account
Account List View: Overview
Serviceable Addresses: Overview and Usage
Billing
Accounts in Vacation Mode
Billing Settings
Taxes Setup
Building a Data Service
Delinquency Billing Best Practices
Building Packages
General Ledger Codes: Overview
Setting up Bank Account & Credit Card Processors
Payment Reversal vs Refund vs Voiding
Services: Overview
Billing Defaults
Communication
Setting up an Outbound Email Domain
Triggered Emails: Setup
Call Logs: General Best Practices
Using the Mass Email Tool
Email Messages: Example Content
Email Variables
Trigger Explanations
Companies
Financial
Integrations
Inventory
Setup of Inventory: Manufacturers, Categories, and Assignees
Getting Started with Inventory as an Administrator
Inventory Creation: Models, Fields, and Deployment types
Inventory List View: Overview
Adding and Assigning Inventory Items
Jobs
Job Types: Best Practices
Setting Up Schedules General Overview
Applying Task Templates to Jobs
Example Jobs & Templates
Jobs and Scheduling: Overview
Misc.
Monitoring
Building a Monitoring Template
Pollers: General Overview, Deployment Strategy, Build Out & Setup
Building Alerting Rotations
Networking
IP Assignments & Sonar
MikroTik: Setting Up a Sonar Controlled DHCP Server
Setting Up a DHCP Batcher
IPAM: Basic Setup
MikroTik as an Inline Device: Integration With Sonar
MikroTik: Controlling Speeds
MikroTik: Controlling Access
Setting Up CoA Proxy
RADIUS: Building Reply Attributes
Data Usage Available Methods
MikroTik: Creating a Self-signed Certificate for use in API-SSL
IPAM: Overview
RADIUS: Build-Out & Integration with Sonar
Network Sites: Overview
Building RADIUS Groups
Building Address Lists
Sales Whitepapers
Security
User Role Creation & Best Practices
Removing a Terminated Employee In Sonar
Password Policy In Depth
Application Firewall: General Overview and Best Practices
System
How to Best Use Global Search
How To Use GraphiQL to Understand the Sonar API
Frequently Used Terms
API Calls Using Third Party Applications - Personal Access Tokens
Filtering: Simple vs Advanced
Customizing your Customer Portal
Release Notes
Reporting
Ticketing
Canned Replies Examples & Templates
Canned Reply Categories
Inbound Mailboxes Example Build
Ticket Categories Best Practices & Example Build
Ticket Groups To Consider
Using Parent Tickets
Ticketing: Overview
Accounting with Sonar
Working With the Sonar Team & Additional Resources
Table of Contents
- All Categories
- Security
- Password Policy In Depth
Password Policy In Depth
Updated
by Mitchell Paul-Soumis
Sonar's User Password Policy
In general, you want to set requirements so that passwords are difficult to guess, but not so far as to cause "security fatigue" or make it difficult for your staff. In general, it is best to use passphrases rather than passwords as these are more difficult to brute force attack. Increasing the password strength requirements will do more to create secure passwords than implementing specific requirements around symbol use.
Sonar allows you to implement a "Minimum Password strength" using the zxcvbn algorithm.
What is Minimum Password strength
zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.
Sonar uses zxcvbn as an algorithmic alternative to password composition policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".
More secure: policies often fail both ways, allowing weak passwords (P@ssword1) and disallowing strong passwords.
More flexible: zxcvbn allows many password styles to flourish so long as it detects sufficient complexity — passphrases are rated highly given enough uncommon words, keyboard patterns are ranked based on length and number of turns, and capitalization adds more complexity when it's unpredictable.
The number settings are the estimated number of guesses that would be required to match a password and can be broken down as follows:
- Risky Password (0): less than one thousand guesses (example: p@ssword)
- Very Guessable (1): less than one million guesses (example: angel08)
- Somewhat Guessable (2): less than one hundred million guesses (example: Tr0ub4dour&3)
- Safely Unguessable (3): less than ten billion guesses (example: correcthorsebatterystaple)
- Very Unguessable (4): At least ten billion guesses (example: coRrecth0rseba++ery9.23.2007staple$)
For some context, a (1) level password could be cracked via an unthrottled online attack in less than an hour, a (3) level password would take anywhere between months and years at the same submission rate.
