Password strength constraints in Kentik Portal
As Kentik's user base constantly increases, our engineering team is spending a proportionally increasing amount of time evaluating ways to harden the platform's security aspects.
In our ongoing quest towards SOC2 compliance, we recently increased our user password strength stance, please read on to learn more.
Disclaimer: good passwords are not enough
While this feature update is largely focused on how we now incentivize users to select stronger passwords, Kentik recommends to their security-focused users that rely in priority on stronger mechanisms than plain password auth:
- 2Factor authentication (2FA), whether TOTP Authenticators or YubiKeys
- Better yet, SAML2 centralized SSO (Single Sign-On) platforms which themselves require 2FA
Initial phase: managing password strength
Password strength is one of the more common measures to harden security around SaaS-based services - it isn't sufficient in itself, but it is necessary. Starting now, users will be required to use a password that complies to a minimum strength level, which we have decided to evaluate using a publicly accessible library named ZXCVBN:
Our choice for the password strength library was largely based on this article here: https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
This constraint for now applies to two types of users:
- New users at account activation time
- Existing users going through the "Forgot Password" steps
This password evaluation step will show up in the login interface as displayed below
- No strength
As long as the minimum password strength is not met, the [Set Password] button will be disabled and will exhibit the following alert tooltip:
Until a satisfactory password strength level is met, advice will be displayed below the input field guiding the user toward a stronger one.
This advice is based on a variety of factors such as length, variety of characters, dictionaries of common nouns used, l33tspeak…
Additionally, when resetting your password, it can not contain any of the previous 5 values, else the following will be displayed:
Next Up, password rotation
While dependent on the SOC2 assessor, password rotation is also one of the common demands around password security.
Therefore, the next phase will consist in having password-only users reset their passwords at regular intervals (90 days by default). We will at this point do the following:
- Allow SuperAdmin users to set a different frequency
- 2FA and SSO users will be exempt from such requirements, as they already rely on strong authentication mechanisms.
This change should happen before April 2023 and will be additionally signaled to the impacted users in-product before being rolled out.