-
-
Notifications
You must be signed in to change notification settings - Fork 892
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
blueprints: add default Password policy #11793
base: main
Are you sure you want to change the base?
Conversation
✅ Deploy Preview for authentik-storybook ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
✅ Deploy Preview for authentik-docs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
✅ All tests successful. No failed tests found. Additional details and impacted files@@ Coverage Diff @@
## main #11793 +/- ##
==========================================
+ Coverage 92.56% 92.63% +0.07%
==========================================
Files 760 760
Lines 37792 37795 +3
==========================================
+ Hits 34982 35012 +30
+ Misses 2810 2783 -27
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
@@ -11,6 +11,15 @@ entries: | |||
slug: default-password-change | |||
model: authentik_flows.flow | |||
id: flow | |||
- attrs: | |||
check_have_i_been_pwned: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as much as I would like to enable this by default, we probably shouldn't enable this by default for airgapped instance
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair enough. I was going by NIST's
verifiers SHALL compare the prospective secret against a blocklist that contains known commonly used, expected, or compromised passwords
but on second thought, I agree, defaulting to HIBP is a step too far.
Perhaps we can do something about that later. I'll remove for now and add it to the hardening docs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can set check_zxcvbn
to true
which includes a blocklist
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That seems to work okay. Added.
I didn't add zxcvbn
initially because I felt it was too much restriction (based on NIST). However, a score of 2 seems like it effectively adds the blocklist and some variations, but not much more.
authentik PR Installation instructions Instructions for docker-composeAdd the following block to your AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-9065277860994a85d3e2bb3fd86ad0bbabe7372f
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s For arm64, use these values: AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-9065277860994a85d3e2bb3fd86ad0bbabe7372f-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s Afterwards, run the upgrade commands from the latest release notes. Instructions for KubernetesAdd the following block to your authentik:
outposts:
container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
image:
repository: ghcr.io/goauthentik/dev-server
tag: gh-9065277860994a85d3e2bb3fd86ad0bbabe7372f For arm64, use these values: authentik:
outposts:
container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
image:
repository: ghcr.io/goauthentik/dev-server
tag: gh-9065277860994a85d3e2bb3fd86ad0bbabe7372f-arm64 Afterwards, run the upgrade commands from the latest release notes. |
@@ -32,6 +32,10 @@ This policy can enforce regular password rotation by expiring set passwords afte | |||
|
|||
### Password Policy | |||
|
|||
:::warning | |||
This policy enables options that violate [NIST's recommendations](https://pages.nist.gov/800-63-4/sp800-63b.html#password) for passwords. To comply with the recommendations, use authentik's default Password policy. See [Hardening authentik](../../security/security-hardening.md#password-policy) for additional hardening. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This policy enables options that violate [NIST's recommendations](https://pages.nist.gov/800-63-4/sp800-63b.html#password) for passwords. To comply with the recommendations, use authentik's default Password policy. See [Hardening authentik](../../security/security-hardening.md#password-policy) for additional hardening. | |
By default, authentik's Password policy is compliant with [NIST's recommendations](https://pages.nist.gov/800-63-4/sp800-63b.html#password) for passwords. To remain compliant with NIST, be cautious when editing the default values. For additional hardening configuration settings, refer to [Hardening authentik](../../security/security-hardening.md#password-policy). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your time explaining the compliance, @gergosimonyi
This change complies with the minimal compositional requirements by NIST SP 800-63 Digital Identity Guidelines. See https://pages.nist.gov/800-63-4/sp800-63b.html#password More work is needed to comply with other parts of the Guidelines, specifically > If the chosen password is found on the blocklist, the CSP or verifier > [...] SHALL provide the reason for rejection. and > Verifiers SHALL offer guidance to the subscriber to assist the user in > choosing a strong password. This is particularly important following > the rejection of a password on the blocklist as it discourages trivial > modification of listed weak passwords.
…n policy Signed-off-by: Jens Langhammer <[email protected]>
8413025
to
9065277
Compare
However, for further hardening compliant to the NIST Guidelines, consider | ||
|
||
- setting the length of the password to a minimum of 15 characters, and | ||
- enabling the "Check haveibeenpwned.com" blocklist comparison |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- enabling the "Check haveibeenpwned.com" blocklist comparison | |
- enabling the "Check haveibeenpwned.com" blocklist comparison (note that this cannot be used on Air-gapped instances) |
Details
REPLACE ME
Checklist
ak test authentik/
)make lint-fix
)If an API change has been made
make gen-build
)If changes to the frontend have been made
make web
)If applicable
make website
)