You can specify a security policy for passwords that users must use to access the Acquia Cloud interface. The password security policy determines how strong (resistant to guessing) user passwords must be. When you establish a password strength policy, it applies to users when they sign in to the Acquia Cloud interface. It does not apply to your Drupal websites.
How Acquia judges password strength
In some other applications, password strength policies enforce rules such as: "Must include at least one number and an uppercase and a lowercase letter." This does not actually result in passwords that are hard to guess; for example, the password Passw0rd satisfies that rule, but is not a very strong password. Instead of that approach, the Acquia password strength system applies a combination of rules to rank how hard the password is to guess. It detects sequences within the password that are:
- Words that are found in a dictionary of common words, common first and last names, or common passwords.
- Words that are found in the dictionary, but with common 1337 or leet substitutions, such as 4 or @ for a, and 5 for s. These are treated as only slightly stronger than the words themselves.
- Common sequences of letters (abcde), numbers (12345), or characters near each other on a keyboard (qwerty).
- Three or more repeated characters.
- Dates or years, such as "1921" or "19-11-1978."
It also prohibits using your Acquia account's email address as your password.
For example, these are very weak passwords:
- mystrongpassword (dictionary words)
- el1z@b3th (common name, with leet substitutions)
- 11121957 (date)
- 9876598765 (sequence)
A password can rank as extremely strong even if it consists of only elements like those described here, as long as it contains enough distinct elements and is long enough.
For example, these are very strong passwords:
- correctdonkeybatterystaple (four dictionary words)
For inspiration, see this XKCD comic. For a method for creating strong passwords consisting of randomly chosen short words, see the Diceware Passphrase Home Page and the Diceware article in Wikipedia.
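To make the detection rules above concrete, the following Python illustration is added here; it is not Acquia's implementation (which this page does not publish), and the word list, leet map and message wording are constructed for the example. It flags the listed pattern types (dictionary words, leet-substituted words, letter, number and keyboard sequences, repeats, dates, and a password equal to the account email) and reports them in the style of the error message shown later on this page; the ranking by entropy and estimated crack time is not modelled.

```python
import re

# Constructed mini word list; the real checker uses large word, name and password lists.
WORDS = {"strong", "password", "elizabeth", "donkey", "battery", "staple", "correct", "horse"}
# Common 1337 substitutions mapped back to the letters they usually stand for.
UNLEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "0": "o", "5": "s", "$": "s", "7": "t"})
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Every run of three or more adjacent keys along a row, forwards or backwards, longest first.
KEYBOARD_RE = re.compile("|".join(sorted({r[i:j] for row in KEYBOARD_ROWS for r in (row, row[::-1])
                                          for i in range(len(r)) for j in range(i + 3, len(r) + 1)},
                                         key=len, reverse=True)))
# A year 1900-2099 on its own, or day/month/year with optional separators (11121957, 19-11-1978).
DATE_RE = re.compile(r"(?<!\d)(?:\d{1,2}[-/.]?\d{1,2}[-/.]?)?(?:19|20)\d\d(?!\d)")

def substrings(text, min_len=3):
    return (text[i:j] for i in range(len(text)) for j in range(i + min_len, len(text) + 1))

def dictionary_words(pw):
    """Words found as typed, and words found only after undoing leet substitutions."""
    plain = {s for s in substrings(pw.lower()) if s in WORDS}
    leet = {s for s in substrings(pw.lower().translate(UNLEET)) if s in WORDS} - plain
    return sorted(plain), sorted(leet)

def sequences(pw):
    """Runs of 3+ chars stepping +1/-1 in code point (abcde, 12345, 98765), plus keyboard runs (qwerty)."""
    found, i = [], 0
    while i < len(pw) - 1:
        step, j = ord(pw[i + 1]) - ord(pw[i]), i + 1
        while step in (1, -1) and j + 1 < len(pw) and ord(pw[j + 1]) - ord(pw[j]) == step:
            j += 1
        if j - i + 1 >= 3:
            found.append(pw[i:j + 1])
        i = j if j - i + 1 >= 3 else i + 1
    return found + KEYBOARD_RE.findall(pw.lower())

def weaknesses(pw, email=""):
    """Issues worded like the page's example error message (wording constructed here)."""
    plain, leet = dictionary_words(pw)
    checks = [
        ("It is the same as your account email address.", bool(email) and pw.lower() == email.lower()),
        ("It is fewer than seven characters.", len(pw) < 7),
        ("It includes a dictionary word: %s.", plain),
        ("It includes a dictionary word with leet substitutions: %s.", leet),
        ("It includes a sequence: %s.", sequences(pw)),
        ("It includes three or more repeated characters: %s.", [m.group() for m in re.finditer(r"(.)\1{2,}", pw)]),
        ("It includes a date or year: %s.", DATE_RE.findall(pw)),
    ]
    return [msg % ", ".join(items) if "%s" in msg else msg for msg, items in checks if items]
```

Run `weaknesses("Passw0rd")` to see why the rule-based password from the text is still caught (it is just "password" with one leet substitution), and `weaknesses("correctdonkeybatterystaple")` to see that the strong example is built only from detected elements; what separates the two is the number of elements and the length, which the page's ranking step accounts for.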
How to set a password strength policy
To set a password strength policy, complete the following steps:
- Sign in to the Acquia Cloud interface with the Owner or Administrator role and select the application you want to work with.
- In the menu on the left side, click Security.
- On the Security settings page, click Edit to open the Edit security settings page.
- In the Minimum required password strength list, select the minimum required strength, from weak to very strong.
- Click Save.
The password strength levels are based both on the amount of entropy (randomness) in the password and an estimate of the amount of time it could take to crack passwords using a brute-force attack. The estimated time to crack at each level is about two orders of magnitude greater than the next lower level, so a Weak password might take minutes to crack, while a Very strong password might take years. Of course, Moore's Law may apply.
How to transition to stricter password policies
After you enable a password strength policy, user passwords are tested for strength when the user attempts to access the subscription. If a password fails to meet the policy, the user is not permitted access and is prompted to change the password to one that satisfies the strength requirement of the policy.
As a user types a new password, the Acquia password policy system tests and reports the password's strength. When users create a password that does not satisfy the password strength policy, they receive an error message that indicates the strictness of the site's password strength policy and lists the tests that caused the password to be judged as too weak. For example:
The following issues were detected with your password:
* It is fewer than seven characters.
* It includes a dictionary word.
The Acquia Cloud interface is also protected from brute-force attacks by the following policies that limit how many sign-in attempts can be made:
- After three failed sign-in attempts within 30 minutes from a single user and IP address, that user name (email) and IP address combination is blocked from signing in for one hour.
- After 50 failed sign-in attempts in an hour from a single IP address, that IP address is blocked from signing in for one hour.