This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Password Complexity Options

Secure Storage Master Key

I am very grateful that XG has the option to manage Administrator password complexity settings and User password complexity settings: /webconsole/webpages/index.jsp#74733

It is up to the site manager/admin to determine what the password policies are. Password strength can be managed in very different ways, and does not need to be "complex". Different people have different methods of managing password strength.

There are some issues however:

1./ Backup Encryption password and Secure Storage Master Key password require complexity and length settings that cannot be managed. The consequence is that the FORCED and SPECIFC complexity settings determined by Sophos are not consistent with our site management policy.

2./ It is unclear what the maximum password lengths are for Admin, User, Backup encryption, Storage Master Key are. And there is no information in the sidebar Sophos Assistant slideout.

3./ I could not find any table of which character codes are allowed/not allowed. With the requirement of "complexity" it encourages the use of accented characters, cyrillic characters and symbols. Non-US keyboards offer options that are at high risk of causing problems unless they are explicitly allowed. And I am just talking about keyboards in Europe, never mid Asia!

This thread was automatically locked due to age.

Top Replies

emmosophos over 3 years ago +3

Hello there, Thank you for contacting the Sophos Community. Currently when settings the SSMK it shows the following: For question number 3 the answer is in our documentation: !#$%&()*+,-./:;…

0 emmosophos over 3 years ago

Hello there,

Thank you for contacting the Sophos Community.

Currently when settings the SSMK it shows the following:

For question number 3 the answer is in our documentation:

!#$%&()*+,-./:;<=>?@[]^_`{|}~

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/CommandLineHelp/SystemSettings/ResetSSMK/index.html

I will ask internally about your question number 2 and get back to you once I hear back as I agree this should be documented, I believe it might be 120 the limit.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +3 Vote Down

Cancel
0 lemonadesoda over 3 years ago in reply to emmosophos

Many thanks for your reply Emmanuel.

For point 1./, as site manager, I would like to define the SSMK password complexity settings myself, just as I can the Admin and User password complexity settings. Currently, in SFOS v18/19, SSMK complexity settings are fixed and cannot be changed. Same point with Backup encryption password. It would be helpful to be consistent throughout SFOS. The added benefit to me is I can make SSMK compliant with OUR security policies. Offering the same options as below seems to be logical:

For point 2./ I welcome further info.

For point 3./ I am concerned, see screenshot below.

...I used a special character that is not on your approved list. There are others too. It was accepted.

a./ Will it work?

b./ Will it break on new upgrade of SFOS version?

c./ Will I lose access to my backups?

d./ Why can't I change SSMK though web interface? It seems I can only reset it via CLI; very convoluted

e./ If the term SSMK is the official acronym for Secure Storage Master Key, then SFOS search, and SFOS Sophos Assistant probably need updating to include the term.

For me, SSMK is adding an additional layer of risk. I don't need it. But it makes an additional hurdle to backups, while putting backups at risk of being lost, and the SSMK complexity rules are not properly defined yet. So, not wanted, more work, increases risk, open to change.
Cancel
Vote Up +1 Vote Down

Cancel
0 JasP over 3 years ago in reply to lemonadesoda

I'm glad you posted this lemonadesoda. I've just been through all our SSMKs and found one that has an invalid character (&).

Sophos, why isn't this being checked on input?
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 3 years ago in reply to lemonadesoda

Hello there,

I have also passed your feedback about the special character, but haven't got a reply yet, once I get one I will update the thread.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 3 years ago in reply to JasP

Hello JasP,

Thank you for reaching out.

& is a valid character to enter for the password, or you’re saying you’re using that one and it’sn’t taking it?

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 JasP over 3 years ago in reply to emmosophos

Just ignore me, I'm talking crap. You are quite correct, & is an allowed character but I didn't spot it in the list of allowed characters. I really don't understand why I didn't see it
Cancel
Vote Up 0 Vote Down

Cancel

Password Complexity Options

Top Replies

Submitted a Tech Support Case lately from the Support Portal?