blueprints: add default Password policy #11793
Conversation
✅ Deploy Preview for authentik-storybook ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
✅ Deploy Preview for authentik-docs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
✅ All tests successful. No failed tests found. Additional details and impacted files@@ Coverage Diff @@
## main #11793 +/- ##
==========================================
+ Coverage 92.56% 92.63% +0.07%
==========================================
Files 760 760
Lines 37792 37795 +3
==========================================
+ Hits 34982 35012 +30
+ Misses 2810 2783 -27
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
| @@ -11,6 +11,15 @@ entries: | |||
| slug: default-password-change | |||
| model: authentik_flows.flow | |||
| id: flow | |||
| - attrs: | |||
| check_have_i_been_pwned: true | |||
There was a problem hiding this comment.
as much as I would like to enable this by default, we probably shouldn't enable this by default for airgapped instance
There was a problem hiding this comment.
Fair enough. I was going by NIST's
verifiers SHALL compare the prospective secret against a blocklist that contains known commonly used, expected, or compromised passwords
but on second thought, I agree, defaulting to HIBP is a step too far.
Perhaps we can do something about that later. I'll remove for now and add it to the hardening docs.
There was a problem hiding this comment.
we can set check_zxcvbn to true which includes a blocklist
There was a problem hiding this comment.
That seems to work okay. Added.
I didn't add zxcvbn initially because I felt it was too much restriction (based on NIST). However, a score of 2 seems like it effectively adds the blocklist and some variations, but not much more.
|
authentik PR Installation instructions Instructions for docker-composeAdd the following block to your AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-9065277860994a85d3e2bb3fd86ad0bbabe7372f
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)sFor arm64, use these values: AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-9065277860994a85d3e2bb3fd86ad0bbabe7372f-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)sAfterwards, run the upgrade commands from the latest release notes. Instructions for KubernetesAdd the following block to your authentik:
outposts:
container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
image:
repository: ghcr.io/goauthentik/dev-server
tag: gh-9065277860994a85d3e2bb3fd86ad0bbabe7372fFor arm64, use these values: authentik:
outposts:
container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
image:
repository: ghcr.io/goauthentik/dev-server
tag: gh-9065277860994a85d3e2bb3fd86ad0bbabe7372f-arm64Afterwards, run the upgrade commands from the latest release notes. |
| @@ -32,6 +32,10 @@ This policy can enforce regular password rotation by expiring set passwords afte | |||
|
|
|||
| ### Password Policy | |||
|
|
|||
| :::warning | |||
| This policy enables options that violate [NIST's recommendations](https://pages.nist.gov/800-63-4/sp800-63b.html#password) for passwords. To comply with the recommendations, use authentik's default Password policy. See [Hardening authentik](../../security/security-hardening.md#password-policy) for additional hardening. | |||
There was a problem hiding this comment.
| This policy enables options that violate [NIST's recommendations](https://pages.nist.gov/800-63-4/sp800-63b.html#password) for passwords. To comply with the recommendations, use authentik's default Password policy. See [Hardening authentik](../../security/security-hardening.md#password-policy) for additional hardening. | |
| By default, authentik's Password policy is compliant with [NIST's recommendations](https://pages.nist.gov/800-63-4/sp800-63b.html#password) for passwords. To remain compliant with NIST, be cautious when editing the default values. For additional hardening configuration settings, refer to [Hardening authentik](../../security/security-hardening.md#password-policy). |
There was a problem hiding this comment.
Thanks for your time explaining the compliance, @gergosimonyi
This change complies with the minimal compositional requirements by NIST SP 800-63 Digital Identity Guidelines. See https://pages.nist.gov/800-63-4/sp800-63b.html#password More work is needed to comply with other parts of the Guidelines, specifically > If the chosen password is found on the blocklist, the CSP or verifier > [...] SHALL provide the reason for rejection. and > Verifiers SHALL offer guidance to the subscriber to assist the user in > choosing a strong password. This is particularly important following > the rejection of a password on the blocklist as it discourages trivial > modification of listed weak passwords.
…n policy Signed-off-by: Jens Langhammer <[email protected]>
BeryJu
force-pushed
the
blueprints/harden-default-password-policies
branch
from
8413025
to
9065277
Compare
| However, for further hardening compliant to the NIST Guidelines, consider | ||
|
|
||
| - setting the length of the password to a minimum of 15 characters, and | ||
| - enabling the "Check haveibeenpwned.com" blocklist comparison |
There was a problem hiding this comment.
| - enabling the "Check haveibeenpwned.com" blocklist comparison | |
| - enabling the "Check haveibeenpwned.com" blocklist comparison (note that this cannot be used on Air-gapped instances) |
Details
REPLACE ME
Checklist
ak test authentik/)make lint-fix)If an API change has been made
make gen-build)If changes to the frontend have been made
make web)If applicable
make website)