
Password Policy In Depth

Updated by Mitchell Paul-Soumis

Sonar's User Password Policy

In general, you want to set requirements so that passwords are difficult to guess, but not so strict that they cause "security fatigue" or make day-to-day work difficult for your staff. Passphrases are preferable to passwords because they are harder to attack by brute force. Raising the minimum password strength does more to produce secure passwords than imposing specific rules about symbol use.

Sonar allows you to enforce a "Minimum Password Strength" using the zxcvbn algorithm.

What is Minimum Password Strength?

zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.

Sonar uses zxcvbn as an algorithmic alternative to password composition policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".

More secure: composition policies often fail both ways, allowing weak passwords (P@ssword1) and disallowing strong passwords.

More flexible: zxcvbn allows many password styles to flourish so long as it detects sufficient complexity — passphrases are rated highly given enough uncommon words, keyboard patterns are ranked based on length and number of turns, and capitalization adds more complexity when it's unpredictable.

Each strength setting corresponds to an estimated number of guesses an attacker would need to match the password, and the levels break down as follows:

  • Risky Password (0): fewer than one thousand guesses (example: p@ssword)
  • Very Guessable (1): fewer than one million guesses (example: angel08)
  • Somewhat Guessable (2): fewer than one hundred million guesses (example: Tr0ub4dour&3)
  • Safely Unguessable (3): fewer than ten billion guesses (example: correcthorsebatterystaple)
  • Very Unguessable (4): at least ten billion guesses (example: coRrecth0rseba++ery9.23.2007staple$)

For context, a level (1) password could be cracked by an unthrottled online attack in under an hour, while a level (3) password would take anywhere from months to years at the same submission rate.
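To make the scoring concrete, here is an added example (written for this article, not Sonar's code and not the zxcvbn library itself) of a cut-down, zxcvbn-style estimator. It undoes l33t substitutions and looks up a small constructed word list (the ranks are made up; real zxcvbn ships tens of thousands of entries), detects dates, repeats, sequences and keyboard rows, multiplies the guesses of the pieces, and maps the total onto the five levels above. It also includes a conventional "three of four character classes" rule so you can see the failure mode from the "More secure" point: P@ssword1 satisfies the composition rule but scores 0, while correcthorsebatterystaple fails the rule but scores 3. All function names and constants are this example's own.

```python
"""Simplified zxcvbn-style estimator (added example; constants and word ranks are constructed)."""
import math
import re
from dataclasses import dataclass

# Constructed ranked word list (rank 1 = most common); ranks are invented for this demo.
RANKED_WORDS = {"password": 1, "qwerty": 3, "letmein": 4, "angel": 20, "correct": 40,
                "horse": 80, "battery": 150, "staple": 300, "troubadour": 18000}
MAX_WORD_LEN = max(len(w) for w in RANKED_WORDS)
L33T = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
        "$": "s", "5": "s", "+": "t", "7": "t"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
DATE_RE = re.compile(r"(\d{1,2})([./-])(\d{1,2})\2(\d{4})")
REFERENCE_YEAR = 2017        # years are scored by distance from this anchor
BRUTEFORCE_CARDINALITY = 10  # per-character cost assumed for unmatched text


@dataclass
class Match:
    token: str
    pattern: str
    guesses: int


def uppercase_variations(token):
    """1 for all-lower; 2 for a single leading/trailing capital or ALL CAPS; else combinatorial."""
    upper = sum(c.isupper() for c in token)
    lower = sum(c.islower() for c in token)
    if upper == 0:
        return 1
    if (token[0].isupper() and upper == 1) or (token[-1].isupper() and upper == 1) or lower == 0:
        return 2
    return sum(math.comb(upper + lower, i) for i in range(1, min(upper, lower) + 1))


def dictionary_match(pw, i):
    """Longest ranked word at position i after lowercasing and undoing l33t substitutions."""
    for n in range(MAX_WORD_LEN, 2, -1):
        raw = pw[i:i + n]
        if len(raw) < n:
            continue
        rank = RANKED_WORDS.get("".join(L33T.get(c, c) for c in raw.lower()))
        if rank is not None:
            subs = sum(1 for c in raw.lower() if c in L33T)
            return Match(raw, "dictionary", rank * uppercase_variations(raw) * 2 ** subs)
    return None


def date_match(pw, i):
    m = DATE_RE.match(pw, i)
    if not m:
        return None
    year_space = max(abs(int(m.group(4)) - REFERENCE_YEAR), 20)
    return Match(m.group(0), "date", year_space * 365 * 4)  # x4 for the separator choice


def repeat_match(pw, i):
    n = 1
    while i + n < len(pw) and pw[i + n] == pw[i]:
        n += 1
    return Match(pw[i:i + n], "repeat", BRUTEFORCE_CARDINALITY * n) if n >= 3 else None


def sequence_match(pw, i):
    if i + 1 >= len(pw) or abs(ord(pw[i + 1]) - ord(pw[i])) != 1:
        return None
    delta, n = ord(pw[i + 1]) - ord(pw[i]), 2
    while i + n < len(pw) and ord(pw[i + n]) - ord(pw[i + n - 1]) == delta:
        n += 1
    if n < 3:
        return None
    base = 4 if pw[i] in "aAzZ019" else 10 if pw[i].isdigit() else 26
    return Match(pw[i:i + n], "sequence", base * n * (2 if delta < 0 else 1))


def keyboard_match(pw, i):
    """Straight run along one keyboard row: (n-1) steps x 47 keys x ~4.6 neighbours per key."""
    best = None
    for row in KEYBOARD_ROWS:
        for n in range(len(row), 2, -1):
            seg = pw[i:i + n].lower()
            if len(seg) == n and (seg in row or seg in row[::-1]):
                if best is None or n > len(best.token):
                    best = Match(pw[i:i + n], "keyboard", round((n - 1) * 47 * 4.6))
                break
    return best


def bruteforce(text):
    return Match(text, "bruteforce", BRUTEFORCE_CARDINALITY ** len(text))


def segment(pw):
    """Greedy left-to-right split: longest candidate wins; leftover characters become brute force."""
    matches, unmatched, i = [], "", 0
    while i < len(pw):
        cands = [m for m in (dictionary_match(pw, i), date_match(pw, i), repeat_match(pw, i),
                             sequence_match(pw, i), keyboard_match(pw, i)) if m]
        if not cands:
            unmatched, i = unmatched + pw[i], i + 1
            continue
        if unmatched:
            matches.append(bruteforce(unmatched))
            unmatched = ""
        best = max(cands, key=lambda m: len(m.token))
        matches.append(best)
        i += len(best.token)
    if unmatched:
        matches.append(bruteforce(unmatched))
    return matches


def estimate_guesses(pw):
    matches = segment(pw)
    total = math.factorial(len(matches))  # an attacker must also guess how the pieces are ordered
    for m in matches:
        total *= m.guesses
    return total, matches


def score(guesses):
    """Map estimated guesses onto the article's levels 0-4."""
    for level, limit in enumerate((1e3, 1e6, 1e8, 1e10)):
        if guesses < limit:
            return level
    return 4


def composition_policy_ok(pw):
    """The kind of rule zxcvbn replaces: 8+ chars and three of {lower, upper, digit, symbol}."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= 8 and sum(classes) >= 3


def meets_min_strength(pw, min_score=3):
    return score(estimate_guesses(pw)[0]) >= min_score


if __name__ == "__main__":
    for pw in ["p@ssword", "angel08", "Tr0ub4dour&3", "correcthorsebatterystaple",
               "coRrecth0rseba++ery9.23.2007staple$", "P@ssword1"]:
        guesses, matches = estimate_guesses(pw)
        print(f"{pw:40} level {score(guesses)}  ~{guesses:.1e} guesses  "
              f"composition rule: {composition_policy_ok(pw)}  pieces: {[m.pattern for m in matches]}")
```

With the constructed ranks, the five example passwords from the list above land on levels 0 through 4 in order. The guess counts are only in the spirit of zxcvbn (the real library tries every segmentation and uses far larger word lists), but the structure is the point: strength comes from how many independent pieces an attacker must guess and how common each piece is, not from which character classes appear.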
