Posted to issues@nifi.apache.org by "Andy LoPresto (JIRA)" <ji...@apache.org> on 2018/05/03 16:24:00 UTC

[jira] [Commented] (NIFI-1466) Add password strength indicator to password properties

    [ https://issues.apache.org/jira/browse/NIFI-1466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16462710#comment-16462710 ] 

Andy LoPresto commented on NIFI-1466:
-------------------------------------

Troy Hunt's [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/|haveibeenpwned.com] has introduced a service where suspect passwords can be compared to a list of known compromised passwords, helping users choose secure options. 

> Add password strength indicator to password properties
> ------------------------------------------------------
>
>                 Key: NIFI-1466
>                 URL: https://issues.apache.org/jira/browse/NIFI-1466
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Core Framework
>    Affects Versions: 0.5.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Major
>              Labels: encryption, security
>   Original Estimate: 336h
>  Remaining Estimate: 336h
>
> In processor properties which accept a password, enforce minimum entropy limits and provide real-time feedback as to the entropy estimate of the password. This will have to be overridable (either locally or globally) for backward compatibility, but we should require an explicit administrator decision to do so. 
> Password "strength meters" and other such indicators are not perfect, but they do provide an estimate of valuable feedback to users to encourage stronger passwords. 
> Resources:
> * [NIST & CMU Paper on observed password entropy and recommendations for user-friendly restrictions|https://www.cylab.cmu.edu/research/techreports/2011/tr_cylab11008.html]
> * [J. Bonneau - Statistical metrics for individual password strength (PDF)|http://www.jbonneau.com/doc/B12-SPW-statistical_password_strength_metrics.pdf]
> * [Sophos - Why you can't trust password strength meters|https://nakedsecurity.sophos.com/2015/03/02/why-you-cant-trust-password-strength-meters/]
> * [zxcvbn - Dropbox Password Strength Estimator|https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/]
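The comparison Andy's comment refers to, written out as an added example that is not part of the original issue thread or of NiFi's own code: Pwned Passwords v2 exposes a range API (`GET https://api.pwnedpasswords.com/range/<first 5 hex characters of the SHA-1>`) that returns every known hash suffix sharing that prefix, so the client compares locally and the full password hash never leaves the machine. The code below keeps that client-side logic and swaps the network call for a constructed, in-memory "breach list" so it runs offline; the function names, the sample plaintexts and their counts are my own and not data from the service.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample "breach corpus" (assumption: a few plaintexts with made-up
# occurrence counts), hashed here so the demo runs offline. The real service
# holds hundreds of millions of SHA-1 hashes.
_SAMPLE_BREACH_COUNTS: Dict[str, int] = {
    "password": 3645804,
    "123456": 23174662,
    "letmein": 236596,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 encoded password, the format the service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-hex-char prefix is sent, the 35-char suffix stays local."""
    return full_hash[:5], full_hash[5:]


def simulated_range_response(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: returns 'SUFFIX:COUNT' lines for every
    known hash sharing the prefix (constructed data, not a real response)."""
    lines = []
    for plaintext, count in _SAMPLE_BREACH_COUNTS.items():
        p, s = split_hash(sha1_hex(plaintext))
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def count_from_range_response(suffix: str, body: str) -> int:
    """Parse a range body and return the breach count for our suffix, 0 if absent.
    Tolerates CRLF line endings, blank lines, and lower-case hex."""
    wanted = suffix.upper()
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == wanted:
            try:
                return int(count.strip())
            except ValueError:
                return 0  # malformed count: treat as not found rather than crash
    return 0


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = simulated_range_response) -> int:
    """Client-side check: only the 5-character prefix is ever passed to fetch_range."""
    prefix, suffix = split_hash(sha1_hex(password))
    return count_from_range_response(suffix, fetch_range(prefix))


def is_compromised(password: str) -> bool:
    """True if the password appears at least once in the (simulated) breach corpus."""
    return breach_count(password) > 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times")
```

A real client would pass a `fetch_range` function that performs the HTTP GET for the prefix; the rest of the logic is unchanged, and nothing about the password beyond its first five hash characters is transmitted. Rejecting a value with a non-zero count, or surfacing the count in the UI, is the feedback the issue asks for, complementary to an entropy estimate rather than a replacement for it.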



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)