SSPR Wordlist allows variations of words in list to be used as passwords

  • 7014496
  • 31-Jan-2014
  • 06-Feb-2014

Environment

Self Service Password Reset
SSPR v 3.0.0.1
eDirectory environment

Situation

Passwords that are not exact matches of a word in the excluded word list, but merely contain such a word, are still accepted.
Enabling the SSPR wordlist does not exclude variations of the words in the list.
For example, if "password" is in the excluded list, "password123" can still be used.

Resolution

Configure the excluded list in eDirectory, within the Universal Password policy, instead of within SSPR. Make sure SSPR is configured with "Merge Local and LDAP" for the Password Policy Source (Advanced).

Steps:
1. Uncheck the "enable wordlist" box in the SSPR Password policy (SSPR Config Editor, Settings, Password policy menu).

2. Verify that SSPR is configured with "Merge Local and LDAP" for the Password Policy Source. This results in the password settings from both SSPR and the NMAS Universal Password Policy being applied. Specifically, the NMAS list will be used for password exclusions.

3. Add the desired words to the Universal Password policy exclude list. When a word is added to the excluded word list within the NMAS Universal Password policy, any password containing a word in the list is disallowed; e.g. if the list includes "Password", both "Password" and "Password123" would be disallowed.

Additional Information

This is working as designed. SSPR ships with an extremely large word list. Excluding potential passwords that contain (but are not exact matches for) words in the list would make it very difficult for users to create a valid password. For example, since the word "a" is in the SSPR wordlist, any password containing the letter "a" would be excluded.

The NMAS universal password policy excluded word list does not come pre-populated, but is created one word at a time.  This results in relatively small word lists and users can still easily create valid passwords even though variations of words in the NMAS list are not allowed.  

Also note, as stated in the "Password Exclusions" section of the NMAS Password Management docs:

For NMAS 3.1.3 and later, the strings in the exclude list cannot be contained in the password, and the comparison is case-insensitive. For example, if "test" is in the exclude list, then the following cannot be passwords: Test, TEST, ltest, test1, and latest.
 
Keep in mind that password exclusions can be useful for a few words that you think would be security risks. Although an exclusion list feature is provided, it is not intended to be used for a long list of words, such as a dictionary. Long lists of excluded words can affect server performance. Instead of a long exclusion list to protect against "dictionary attacks" on passwords, we recommend that you use the Advanced Password Rules to require numbers to be included in the password.
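The two exclusion semantics this article contrasts (SSPR's exact-match wordlist versus the NMAS 3.1.3+ case-insensitive substring check) are shown side by side below. This is an added illustration, not SSPR or NMAS code; the word lists are constructed samples, and the SSPR check is assumed to be a plain exact string comparison since the article only says "exact matches".

```python
# Added illustration of the exclusion behaviours described in this article.
# Constructed sample data; not code from SSPR or NMAS.

# Constructed stand-in for SSPR's large shipped wordlist (it really does
# contain very short entries such as "a", as the article notes).
SSPR_STYLE_WORDLIST = {"password", "a", "welcome", "test"}

# Constructed stand-in for a hand-built NMAS Universal Password exclude list.
NMAS_EXCLUDE_LIST = ["Password", "test"]


def sspr_wordlist_rejects(candidate: str, wordlist: set) -> bool:
    """SSPR wordlist semantics as described above: only an exact match is
    rejected (assumption: case-sensitive comparison), so "password123"
    passes even though "password" is listed."""
    return candidate in wordlist


def nmas_exclusion_rejects(candidate: str, exclude_list: list) -> bool:
    """NMAS 3.1.3+ semantics quoted above: the password is rejected when it
    *contains* any excluded string, compared case-insensitively."""
    lowered = candidate.lower()
    return any(word.lower() in lowered for word in exclude_list)


def blocking_words(candidate: str, exclude_list) -> list:
    """Which excluded strings cause a rejection under substring semantics.
    Useful when auditing an exclude list for over-blocking: a one-letter
    entry like "a" will show up here for almost every candidate."""
    lowered = candidate.lower()
    return sorted(w for w in exclude_list if w.lower() in lowered)


def rejection_rate(candidates: list, exclude_list) -> float:
    """Fraction of candidate passwords rejected under substring semantics;
    run this against a list before deploying a large exclude list."""
    rejected = sum(1 for c in candidates if nmas_exclusion_rejects(c, exclude_list))
    return rejected / len(candidates) if candidates else 0.0


if __name__ == "__main__":
    for pw in ["password", "password123", "Password123", "latest", "Orange-Tree-7"]:
        print(f"{pw:14} sspr_exact={sspr_wordlist_rejects(pw, SSPR_STYLE_WORDLIST)!s:5} "
              f"nmas_substring={nmas_exclusion_rejects(pw, NMAS_EXCLUDE_LIST)!s:5} "
              f"big_list_substring_blocked_by={blocking_words(pw, SSPR_STYLE_WORDLIST)}")
```

Running the module prints, for each sample, whether the exact-match check and the substring check reject it, and which entries of the large list would block it if that list were applied with substring semantics.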