dasharo-issues
dasharo-issues copied to clipboard
Dasharo
Propose password policy based on current standards
The problem you're addressing (if any)
The current password requirements are very strict and won't allow someone to use passphrases (because you need uppercase, lowercase, special, numeric, symbol(?) characters
It has been shown that strict password requirements cause people to re-use their passwords or use shorter ones because they simply can't remember so many complex strings of text, making their overall security lower: https://www.enzoic.com/blog/the-benefits-and-drawbacks-of-password-complexity-rules/
Describe the solution you'd like
Remove or loosen the password requirements
Where is the value to a user, and who might that user be?
People who use passphrases People who are okay with using less secure passwords
Describe alternatives you've considered
FIDO2 auth in setup menu?
Additional context
https://neal.fun/password-game/
The password requirement code was imported completely from edk2-platforms without much thought if we want to actually have these requirements
Not understanding the value of security, or being lazy, should never be a reason to weaken the security.
Personally, to make the password more memorable, I use $ instead of S or 3 instead of E or @ instead of a in casual words.
Secondly how often an average person needs to enter BIOS? Most likely the frequency is high right after buying the HW. But when settings are settled, one almost never enters BIOS setup. The password may be enrolled when one decides on the set of settings.
Even better idea: remove the setup password if the presence of such option causes such willingness to abuse its use.
And now we know which characters to include in the dictionary when bruteforcing your passwords ;)
And now we know which characters to include in the dictionary when bruteforcing your passwords ;)
Good luck. Except that I mainly use the generated passphrases from bitwarden-like apps
But in case like these where you need to memorize something, It may be good. And I just gave a few examples. There are more symbol I use, not necessarily in place of regular characters in words
Anyway, don't forget to send me a ransom, when you get to my bank account.
I guess I'll need to look for peer-reviewed studies showing the impact of password requirements here to show my point.
Password policy is very common topic, we should just look at existing standards, here are some references: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#implement-proper-password-strength-controls
Maybe we should change the title of the issue to less-triggerring one, like "Propose password policy based on current standards" ;)
Not understanding the value of security, or being lazy, should never be a reason to weaken the security.
https://en.wikipedia.org/wiki/False_consensus_effect
Not understanding the value of security, or being lazy, should never be a reason to weaken the security.
https://en.wikipedia.org/wiki/False_consensus_effect
Sounds like something that can be applied to anything. So be it.
When is this issue planned to be implemented, i.e. when will Dasharo accept passphrases as USER or ADMIN password?
@BeataZdunczyk That should be not that difficult change, can we plan to include in the next releases?
Working on the issue here: https://github.com/Dasharo/edk2/pull/152 https://github.com/Dasharo/docs/pull/857
https://github.com/Dasharo/edk2/pull/152 https://github.com/Dasharo/docs/pull/857 PRs are merged, closing the issue.
@BeataZdunczyk @mkopec, @philipandag I do not understand whether DASHARO supports or does not support PASSPHRASES, because the screenshot mentions the old requirements (lowercase, uppercase, aplhabetic, number,...) while under this screenshot in the description it already mentions the requirement of lowercase letters only.
Screenshot wasn't updated, but password requirements were loosened to allow for passphrases
So. I'm waiting for replacement the screenshot until it is consistent with the description under it.