[ https://issues.apache.org/jira/browse/NIFI-1466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16462710#comment-16462710 ]

Andy LoPresto edited comment on NIFI-1466 at 5/3/18 4:23 PM:
-------------------------------------------------------------

Troy Hunt's [haveibeenpwned.com|https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/] has introduced a service where suspect passwords can be compared to a list of known compromised passwords, helping users choose secure options.


was (Author: alopresto):
Troy Hunt's [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/|haveibeenpwned.com] has introduced a service where suspect passwords can be compared to a list of known compromised passwords, helping users choose secure options.

> Add password strength indicator to password properties
> ------------------------------------------------------
>
>                 Key: NIFI-1466
>                 URL: https://issues.apache.org/jira/browse/NIFI-1466
>             Project: Apache NiFi
>          Issue Type: New Feature
>          Components: Core Framework
>    Affects Versions: 0.5.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Major
>              Labels: encryption, security
>   Original Estimate: 336h
>  Remaining Estimate: 336h
>
> In processor properties which accept a password, enforce minimum entropy 
> limits and provide real-time feedback as to the entropy estimate of the 
> password. This will have to be overridable (either locally or globally) for 
> backward compatibility, but we should require an explicit administrator 
> decision to do so. 
> Password "strength meters" and other such indicators are not perfect, but 
> they do provide an estimate of valuable feedback to users to encourage 
> stronger passwords. 
> Resources:
> * [NIST & CMU Paper on observed password entropy and recommendations for 
> user-friendly 
> restrictions|https://www.cylab.cmu.edu/research/techreports/2011/tr_cylab11008.html]
> * [J. Bonneau - Statistical metrics for individual password strength 
> (PDF)|http://www.jbonneau.com/doc/B12-SPW-statistical_password_strength_metrics.pdf]
> * [Sophos - Why you can't trust password strength 
> meters|https://nakedsecurity.sophos.com/2015/03/02/why-you-cant-trust-password-strength-meters/]
> * [zxcvbn - Dropbox Password Strength 
> Estimator|https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
