Password Policy In Depth
by Mitchell Paul-Soumis
Sonar's User Password Policy
You want to set requirements so that passwords are difficult to guess, but not so strict that they cause "security fatigue" or make things difficult for your staff. In general, it is best to use passphrases rather than passwords, as these are more difficult to brute-force. Increasing the password strength requirements will do more to create secure passwords than implementing specific requirements around symbol use.
Sonar allows you to implement a "Minimum Password strength" using the zxcvbn algorithm.
What is Minimum Password strength
zxcvbn is a password strength estimator inspired by password crackers. Through pattern matching and conservative estimation, it recognizes and weighs 30k common passwords, common names and surnames according to US census data, popular English words from Wikipedia and US television and movies, and other common patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.
Sonar uses zxcvbn as an algorithmic alternative to password composition policy — it is more secure, flexible, and usable when sites require a minimal complexity score in place of annoying rules like "passwords must contain three of {lower, upper, numbers, symbols}".
- More secure: policies often fail both ways, allowing weak passwords (P@ssword1) and disallowing strong passwords.
- More flexible: zxcvbn allows many password styles to flourish so long as it detects sufficient complexity — passphrases are rated highly given enough uncommon words, keyboard patterns are ranked based on length and number of turns, and capitalization adds more complexity when it's unpredictable.
Each numbered setting corresponds to the estimated number of guesses that would be required to match a password, broken down as follows:
- Risky Password (0): less than one thousand guesses (example: p@ssword)
- Very Guessable (1): less than one million guesses (example: angel08)
- Somewhat Guessable (2): less than one hundred million guesses (example: Tr0ub4dour&3)
- Safely Unguessable (3): less than ten billion guesses (example: correcthorsebatterystaple)
- Very Unguessable (4): at least ten billion guesses (example: coRrecth0rseba++ery9.23.2007staple$)
For some context, a (1) level password could be cracked via an unthrottled online attack in less than an hour, while a (3) level password would take anywhere between months and years at the same submission rate.
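The following added example (not Sonar's code and not the zxcvbn library) shows how a composition rule and a guess-based minimum score can disagree on the same password, using the score thresholds listed above. The estimator is a deliberately simplified sketch: the word list, ranks, l33t table, per-character cost, minimum length of 8 and minimum score of 3 are all assumptions constructed for illustration.

```python
import math

# Score thresholds as listed above: score N means fewer guesses than LIMITS[N].
LIMITS = [1e3, 1e6, 1e8, 1e10]
# Constructed sample data, not zxcvbn's lists: word -> assumed popularity rank.
WORDS = {"password": 2, "correct": 300, "horse": 200, "battery": 500, "staple": 300}
LEET = {"@": "a", "0": "o", "3": "e", "$": "s", "4": "a"}
BRUTE_PER_CHAR = 10  # assumed cost of guessing one unmatched character


def score_from_guesses(guesses):
    """Map an estimated guess count to the 0-4 score."""
    for score, limit in enumerate(LIMITS):
        if guesses < limit:
            return score
    return 4


def composition_ok(pw, min_len=8):
    """Composition rule: assumed min length plus three of {lower, upper, numbers, symbols}."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= min_len and sum(classes) >= 3


def estimate_guesses(pw):
    """Toy estimate (ASCII input): cheapest split into word hits and single characters."""
    norm = "".join(LEET.get(c, c) for c in pw.lower())
    best = [1.0] + [math.inf] * len(pw)  # best[i] = fewest guesses covering pw[:i]
    for i in range(len(pw)):
        best[i + 1] = min(best[i + 1], best[i] * BRUTE_PER_CHAR)
        for word, rank in WORDS.items():
            if norm.startswith(word, i):
                raw = pw[i:i + len(word)]
                cost = rank
                if raw != raw.lower():
                    cost *= 2  # attacker also tries capitalised variants
                if any(c in LEET for c in raw):
                    cost *= 2  # attacker also tries l33t substitutions
                end = i + len(word)
                best[end] = min(best[end], best[i] * cost)
    return best[-1]


def compare(pw, minimum_score=3):
    """Return (accepted by composition rule, accepted by minimum-strength score)."""
    return composition_ok(pw), score_from_guesses(estimate_guesses(pw)) >= minimum_score
```

With this constructed data, `compare("P@ssword1")` is accepted by the composition rule but rejected by the minimum score, and `compare("correcthorsebatterystaple")` is the reverse.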