Password policies

Password Policies provide a way to enforce password characteristics and mitigate password risk for all accounts in an identity store. Learn more about how to setup and manage these policies.

Overview

Password Policies provide a way to enforce password characteristics and mitigate password risk for all accounts in an identity store.

Strivacity's password policies and their settings follow the 2019 NIST 800-63 password guidelines wherever possible. They provide password strength requirements, password guessing avoidance, and protection against common attacks that use breached or stolen credentials, such as credential stuffing and password spraying.


A password is subject to the following allowed/disallowed character rules:

  • Can be up to 64 characters long and contain any uppercase or lowercase Latin (A to Z) or other Unicode letters
  • Can contain any digits 0 to 9
  • Can contain any of these ASCII characters: # $ % & ! ' ( ) - . @ ^ _ ' { } ~

The functionality provided by Strivacity Fusion's password policies can be broken down into four areas, each described below:

  • password policy scope
  • breached password analysis
  • password strength
  • password guessing avoidance

Password policy scope

A password policy is applied to an Identity Store. You can re-use the same password policy for several Identity Stores, but an Identity Store can have only one password policy at a time.

Breached password analysis

We've implemented breached password detection in every part of the self-service experience and the admin console where your customers or administrators set or reset passwords:

  • self-service registration
  • self-service password reset
  • self-service password reset by email
  • account password reset by customer service or administrators

Breached password detected

Breached password detection prevents customers from using passwords that previously appeared in data breaches. Enable this feature in a password policy and assign it to any identity store.

Password policy settings


Once enabled, Strivacity will automatically screen user-provided passwords against a database of leaked passwords.

We primarily use the open-source package of breached passwords made available by Have I Been Pwned (HIBP). HIBP hashes original values to hide personally identifiable information (PII).

We don't store the HIBP passwords in human-readable form. The breach detection service only tells a customer, at the moment they try to set a password, that the chosen password has been leaked; it does not expose the list itself.


When breached passwords are detected

Encourage your customers to get familiar with good password practices and to screen the passwords of their other accounts as well, for example at HIBP's Pwned Passwords service.

Good password practices

Here's what you can do to enhance account security for your brand and raise awareness about password best practices based on the National Institute of Standards and Technology (NIST) guidelines:

Prioritize length over complexity: Increasing the length of a password adds more to security than squeezing in a few upper case letters and symbols into the shortest possible character string.

Don't give malicious attackers a head start: Refrain from using ordinary words and avoid the use of sequential strings of numbers or letters in passwords.

Rule out regular password resets: Regular password reset is ineffective.

We tend to add only the slightest changes when faced with the task of modifying our passwords, virtually re-creating the same password over and over again. This could pose huge security threats to our accounts if our password is commonly-used or has been compromised in the past. It’s better to create an uncrackable password in the first place—that would preferably take millions of years to hack.

Encourage the use of password managers: Password managers can stop us from using the same password across multiple platforms. These services store our various sign-in credentials encrypted for the dozens of accounts we use, sparing us quite a few headaches. Most services can also generate secure passwords in no time.


There are plenty of password manager services available, from convenient in-browser tools to cross-browser commercial applications. Customers only have to find out which one works best for them.

We support password suggestions coming from password manager services in Strivacity Fusion.

Password strength

Compared to breached password detection, commonly used password requirements are less effective in reaching the ideal security level. This approach drives your customers to check off required characters without any consideration for good password practices and allows them to create predictable passwords like ‘Password123!’. Requiring a minimum password length is a good practice. Anything less than 8 characters is easily cracked. Other password complexity requirements can create a bad experience for customers and force them into bad password practices. We recommend a minimum password length plus enabling breached password protection for a good balance of security and usability.

Predictable passwords have probably been leaked at some time in the past. Nudge your customers to create safer passwords by implementing breached password detection for your identity stores. You can skip configuring password strength.

| Setting | Default Value | Description |
| --- | --- | --- |
| Minimum Length | 8 | Specify the minimum length (in characters) of the password. This cannot be less than 8 characters. |
| Must contain at least one lowercase character (a-z) | Off | If enabled, the password must include at least one lowercase character. |
| Must contain at least one uppercase character (A-Z) | Off | If enabled, the password must include at least one uppercase character. |
| Must contain at least one number (0-9) | Off | If enabled, the password must include at least one digit. |
| Must contain at least one special character ($%&'()[email protected]^_`'{}~) | Off | If enabled, the password must include at least one of the listed special characters. |

Password guessing avoidance

There's a good chance malicious actors will try to use your customer's personal information to take over their accounts. Attackers may pair user-identifying information or parts of them with compromised passwords or common character combinations to crack your customers' passwords faster.

Protect your customers from paving the way for cyber attackers and don't allow them to blend their personal information (username, first name, and last name) into their passwords.

You can switch on password guess avoidance for each personal data field separately.

When enabled, password guessing avoidance forbids the use of the entire value, including any special characters it contains, of the customer's

  • username
  • first name
  • last name

Example: the first name 'Joanna', the last name 'Harris', or the username 'actualadvicemallard92' may not appear in full in that customer's password.

Password guessing avoidance also splits the following fields on special characters ($%&'()[email protected]^_`'{}~):

  • usernames
  • first names
  • last names

Any resulting alphanumeric string that is longer than three characters is forbidden in the password.

Example: the username 'actual.advicemallard_007' is split by its two special characters into three parts. Password guessing avoidance will not allow 'actual' or 'advicemallard' in the password, since both are longer than three characters, but '007' may be used.


Password guessing avoidance is case-insensitive, so changing the letter case does not let customers include a forbidden string in their password.
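The rules described on this page (length bounds, breached-password screening against a hash-only corpus, and the personal-data fragment check) combined into one worked validator. This is an added example, not Strivacity's own code; the two-entry SHA-1 breach corpus and the 8/64 length bounds are constructed from the page's stated values for illustration.

```python
import hashlib
import re
from typing import List, Set

MIN_FRAGMENT_LEN = 4  # the page forbids fragments "longer than three characters"

# Constructed stand-in for a breached-password corpus that, like HIBP, is kept
# only as SHA-1 hashes of the leaked values; the plaintext list is never stored.
BREACHED_SHA1: Set[str] = {
    hashlib.sha1(p.encode()).hexdigest().upper() for p in ("Password123!", "qwerty123")
}

def is_breached(password: str, corpus: Set[str] = BREACHED_SHA1) -> bool:
    """Screen a candidate password by hashing it and looking the hash up."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in corpus

def forbidden_fragments(username: str, first_name: str, last_name: str) -> List[str]:
    """Deny-list for password guessing avoidance: each complete field (special
    characters included) plus every run of letters/digits, split on special
    characters, that is longer than three characters. Compared case-insensitively."""
    fragments = set()
    for field in (username, first_name, last_name):
        if not field:
            continue
        fragments.add(field.lower())
        # [^\W_]+ matches Unicode letters and digits but treats '_' as a separator
        for token in re.findall(r"[^\W_]+", field):
            if len(token) >= MIN_FRAGMENT_LEN:
                fragments.add(token.lower())
    return sorted(fragments, key=len, reverse=True)

def check_password(password: str, username: str = "", first_name: str = "",
                   last_name: str = "", min_length: int = 8,
                   max_length: int = 64) -> List[str]:
    """Return the policy violations found; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password) > max_length:
        problems.append(f"longer than {max_length} characters")
    if is_breached(password):
        problems.append("appears in a breached-password list")
    lowered = password.lower()
    for fragment in forbidden_fragments(username, first_name, last_name):
        if fragment in lowered:
            problems.append(f"contains personal data fragment '{fragment}'")
    return problems
```

Running `check_password("AdviceMallard2024", username="actual.advicemallard_007")` reports the 'advicemallard' fragment even though the case differs, while `check_password("My007secret!", username="actual.advicemallard_007")` passes because '007' is only three characters long.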