Enforcing password strength

You can specify a security policy for passwords that users must use to access your Acquia subscription. The password security policy determines how strong (resistant to guessing) user passwords must be. When you establish a password strength policy, it applies to users when they sign in to the Acquia user interface. It does not apply to your Drupal sites.

How Acquia judges password strength

In some other applications, password strength policies enforce rules such as: "Must include at least one number and an uppercase and a lowercase letter." This does not actually result in passwords that are hard to guess; for example, the password "Passw0rd" satisfies that rule, but is not a very strong password. Instead of that approach, the Acquia password strength system applies a combination of rules to rank how hard the password is to guess. It detects sequences within the password that are:

  • Words that are found in a dictionary of common words, common first and last names, or common passwords.
  • Words that are found in the dictionary, but with common "1337" or "leet" substitutions, such as 4 or @ for a, and 5 for s. These are treated as only slightly stronger than the words themselves.
  • Common sequences of letters (abcde), numbers (12345), or characters near each other on a keyboard (qwerty).
  • Three or more repeated characters.
  • Dates or years, such as "1921" or "19-11-1978."

It also prohibits using your Acquia account's email address as your password.

For example, these are very weak passwords:

  • mystrongpassword (dictionary words)
  • el1z@b3th (common name, with leet substitutions)
  • 11121957 (date)
  • 9876598765 (sequence)

A password can rank as extremely strong even if it consists of only elements like those described here, as long as it contains enough distinct elements and is long enough.

For example, these are very strong passwords:

  • correctdonkeybatterystaple (four dictionary words)
  • Drupal>Wordpress
  • 9a8b7c6d5e

For inspiration, see this XKCD comic. For a method for creating strong passwords consisting of randomly chosen short words, see the Diceware Passphrase Home Page and the Diceware article in Wikipedia.
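The following is an added example, not Acquia's code, that shows how a pattern-based strength estimator of the kind described above can work. It scans a password left to right, matching the pattern classes listed on this page (dictionary words with or without leet substitutions, keyboard and alphabetic sequences, repeated characters, dates and years, the account email), multiplies an estimated guess count per match, and maps the result to a level. The dictionary, its ranks, the leet table, the guess counts and the level thresholds are all constructed for the example; a real implementation uses a frequency list of tens of thousands of words, names and leaked passwords. The function names (analyse, meets_policy) are the example's own.

```python
import math
import re

# Constructed miniature dictionary: word -> rank (1 = most common). The ranks
# are made-up approximations of where each word might sit in a real frequency
# list of common words, names and leaked passwords; a production matcher loads
# tens of thousands of entries.
RANK = {"password": 1, "my": 40, "elizabeth": 300, "strong": 2500,
        "correct": 3200, "battery": 5100, "donkey": 7000, "drupal": 9000,
        "staple": 9400, "wordpress": 9500}
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o",
        "5": "s", "$": "s", "7": "t"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
DATE_RE = re.compile(r"^(\d{1,2})([-/.]?)(\d{1,2})\2(\d{4}|\d{2})")
YEAR_RE = re.compile(r"^(19|20)\d{2}")
LEVELS = ["very weak", "weak", "medium", "strong", "very strong"]
# Constructed guess-count thresholds separating the levels above.
LIMITS = [1e3, 1e6, 1e8, 1e10]


def dictionary_match(s):
    """Longest prefix of s that is a dictionary word, plain or with leet substitutions."""
    plain = s.lower()
    unleet = "".join(LEET.get(c, c) for c in plain)
    for end in range(len(s), 0, -1):
        for word, leet in ((plain[:end], False), (unleet[:end], True)):
            if word in RANK:
                guesses = RANK[word] * (2 if leet else 1)   # leet adds only a little
                if s[:end] != plain[:end]:                  # capitalisation variant
                    guesses *= 2
                return end, guesses, "dictionary word" + (" with leet substitutions" if leet else "")
    return None


def _step(a, b):
    """+1/-1 if b follows/precedes a alphabetically, numerically or along a keyboard row, else 0."""
    a, b = a.lower(), b.lower()
    if a.isalnum() and b.isalnum() and abs(ord(b) - ord(a)) == 1:
        return ord(b) - ord(a)
    for row in KEYBOARD_ROWS:
        if a in row and b in row and abs(row.index(b) - row.index(a)) == 1:
            return row.index(b) - row.index(a)
    return 0


def sequence_match(s):
    """Prefix of s (3+ chars) that keeps stepping the same way: abcde, 12345, 98765, qwerty."""
    end = 1
    d = _step(s[0], s[1]) if len(s) > 1 else 0
    while d and end < len(s) and _step(s[end - 1], s[end]) == d:
        end += 1
    if end < 3:
        return None
    return end, (10 if s[0].isdigit() else 26) * end, "sequence"


def repeat_match(s):
    """Prefix of s that is the same character three or more times."""
    m = re.match(r"(.)\1{2,}", s)
    return (m.end(), 10 * m.end(), "repeated characters") if m else None


def date_match(s):
    """Prefix of s that looks like a day-month-year date (6+ chars) or a 19xx/20xx year."""
    m = DATE_RE.match(s)
    if m and m.end() >= 6:
        a, b, year = int(m.group(1)), int(m.group(3)), int(m.group(4))
        if ((1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31)) \
                and (year < 100 or 1900 <= year <= 2099):
            return m.end(), 365 * 200, "date"
    m = YEAR_RE.match(s)
    return (m.end(), 200, "year") if m else None


def analyse(password, email=None):
    """Greedy left-to-right scan: take the longest pattern at each position, else brute-force one character."""
    matches, guesses, i = [], 1, 0
    while i < len(password):
        rest = password[i:]
        found = [m for m in (dictionary_match(rest), date_match(rest),
                             sequence_match(rest), repeat_match(rest)) if m]
        if found:
            end, g, kind = max(found, key=lambda m: m[0])
            matches.append((rest[:end], kind))
            guesses *= g
            i += end
        else:
            c = rest[0]
            guesses *= 10 if c.isdigit() else 26 if c.isalpha() else 33
            i += 1
    is_email = bool(email) and password.lower() == email.lower()
    if is_email:
        guesses = 1                                 # the account email is never acceptable
    level = next((LEVELS[n] for n, limit in enumerate(LIMITS) if guesses < limit), LEVELS[-1])
    issues = [f"It includes a {kind} ({text})." for text, kind in matches]
    if len(password) < 7:
        issues.insert(0, "It is fewer than seven characters.")
    if is_email:
        issues.insert(0, "It is your email address.")
    return {"level": level, "bits": round(math.log2(guesses), 1), "issues": issues}


def meets_policy(password, minimum, email=None):
    """True when the password's level is at least the policy's minimum level."""
    return LEVELS.index(analyse(password, email)["level"]) >= LEVELS.index(minimum)
```

Run against the page's own examples, the four weak passwords come out as "very weak" or "weak" and the three strong ones as "very strong", while "Passw0rd" is unmasked as the word "password" with leet and capitalisation variants and fails even a "weak" policy. The point the greedy scan makes is that a dictionary word is not disqualifying in itself: it is the product of guess counts over all segments, and therefore the number and length of the segments, that decides the level.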

How to set a password strength policy

Only users who are subscription group administrators can set a password strength policy for your subscription. To set a password strength policy:

  1. Sign in to Acquia and click the Subscriptions tab.
  2. Select the subscription you want to configure.
  3. Click the Security tab for your subscription.
  4. Click the Edit link next to Security settings.
  5. Under Minimum required password strength, select the minimum required strength, from weak to very strong.
  6. Click Save.

(Screenshot: Edit security settings)

The password strength levels are based both on the amount of entropy (randomness) in the password and an estimate of the amount of time it could take to crack passwords using a brute force attack. The estimated time to crack at each level is about two orders of magnitude greater than the next lower level, so a Weak password might take minutes to crack, while a Very strong password might take years. Of course, Moore's Law may apply.

How to transition to stricter password policies

After you enable a password strength policy, user passwords are tested for strength when the user attempts to access the subscription. If a password fails to meet the policy, the user is not permitted access and is prompted to change the password to one that satisfies the strength requirement of the policy.

As a user types a new password, the Acquia password policy system tests and reports the password's strength. When users create a password that does not satisfy the password strength policy, they receive an error message that indicates the strictness of the site's password strength policy and lists the tests that caused the password to be judged too weak. For example:

The following issues were detected with your password:

  • It is fewer than seven characters.
  • It includes a dictionary word.

Acquia subscriptions are also protected from brute-force attacks by policies that limit how many log-in attempts can be made. After five failed log-in attempts from a single user and IP address, that user name (email) and IP address combination is blocked from logging in for six hours. After 50 failed log-in attempts in an hour from a single IP address, that IP address is blocked from logging in.
