Password Complexity Options

Secure Storage Master Key

I am very grateful that XG has the option to manage Administrator password complexity settings and User password complexity settings: /webconsole/webpages/index.jsp#74733

It is up to the site manager/admin to determine what the password policies are. Password strength can be managed in very different ways, and does not need to be "complex". Different people have different methods of managing password strength.

There are some issues however:

1./ Backup Encryption password and Secure Storage Master Key password require complexity and length settings that cannot be managed. The consequence is that the FORCED and SPECIFIC complexity settings determined by Sophos are not consistent with our site management policy.

2./ It is unclear what the maximum password lengths are for Admin, User, Backup encryption and Storage Master Key. And there is no information in the sidebar Sophos Assistant slideout.

3./ I could not find any table of which character codes are allowed/not allowed. With the requirement of "complexity" it encourages the use of accented characters, Cyrillic characters and symbols. Non-US keyboards offer options that are at high risk of causing problems unless they are explicitly allowed. And I am just talking about keyboards in Europe, never mind Asia!
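The two concrete asks in this thread are a published table of allowed characters and a check of that table at input time. The validator below is an added example, not Sophos code, of what such a check looks like: the allowed set, minimum and maximum lengths are constructed assumptions (printable ASCII without whitespace, 12 to 64 characters), not the product's real policy. It normalizes the input to NFC first, so a character typed as a base letter plus a combining accent is judged the same way as its precomposed form, and it reports every violation with the Unicode code point and name so a user on a non-US keyboard can see exactly which key caused the rejection.

```python
"""Added example (not Sophos code): an explicit, checkable password policy.

Policy values below are constructed for this example; a real deployment
takes them from the product's documented policy.
"""
import string
import unicodedata
from typing import List

# Constructed policy: printable ASCII letters, digits and punctuation ('&' included), no whitespace.
ALLOWED_CHARS = frozenset(string.ascii_letters + string.digits + string.punctuation)
MIN_LENGTH = 12   # constructed assumption
MAX_LENGTH = 64   # constructed assumption
MIN_CLASSES = 3   # constructed assumption: at least 3 of lower/upper/digit/symbol


def check_password(pw: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password is accepted."""
    # Normalize so "a" + U+0308 and the precomposed U+00E4 are treated identically.
    pw = unicodedata.normalize("NFC", pw)
    problems: List[str] = []

    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: {len(pw)} < {MIN_LENGTH}")
    if len(pw) > MAX_LENGTH:
        problems.append(f"too long: {len(pw)} > {MAX_LENGTH}")

    # Report every disallowed character with its code point so the user can identify the key.
    for c in sorted({c for c in pw if c not in ALLOWED_CHARS}):
        name = unicodedata.name(c, "UNKNOWN")
        problems.append(f"disallowed character {c!r} (U+{ord(c):04X} {name})")

    # Complexity classes are counted over ASCII only; non-ASCII letters were already rejected above.
    classes = [
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"needs at least {MIN_CLASSES} of: lowercase, uppercase, digit, symbol")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs: an accepted password and one with accented letters.
    for candidate in ["Tr0ub4dor&3-Safe!", "P\u00e4ssw\u00f6rd1234!", "Pa\u0308ssword1234!"]:
        print(repr(candidate), check_password(candidate) or "OK")
```

Returning all violations at once, rather than failing on the first, is what makes the policy explainable to the person typing it; the combining-accent case is the one that silently differs between keyboards and operating systems and is why the normalization step comes before any other check.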

This thread was automatically locked due to age.
  • Many thanks for your reply Emmanuel.

    For point 1./, as site manager, I would like to define the SSMK password complexity settings myself, just as I can the Admin and User password complexity settings. Currently, in SFOS v18/19, SSMK complexity settings are fixed and cannot be changed. Same point with Backup encryption password. It would be helpful to be consistent throughout SFOS. The added benefit to me is I can make SSMK compliant with OUR security policies. Offering the same options as below seems to be logical:

    For point 2./ I welcome further info.

    For point 3./ I am concerned, see screenshot below.

    ...I used a special character that is not on your approved list. There are others too. It was accepted.

    a./ Will it work?

    b./ Will it break on new upgrade of SFOS version?

    c./ Will I lose access to my backups?

    d./ Why can't I change SSMK through the web interface? It seems I can only reset it via CLI; very convoluted.

    e./ If the term SSMK is the official acronym for Secure Storage Master Key, then SFOS search, and SFOS Sophos Assistant probably need updating to include the term.

    For me, SSMK is adding an additional layer of risk. I don't need it. But it makes an additional hurdle to backups, while putting backups at risk of being lost, and the SSMK complexity rules are not properly defined yet. So, not wanted, more work, increases risk, open to change.

  • I'm glad you posted this. I've just been through all our SSMKs and found one that has an invalid character (&).

    Sophos, why isn't this being checked on input?

  • Hello there,

    I have also passed your feedback about the special character, but haven't got a reply yet, once I get one I will update the thread.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hello JasP,

    Thank you for reaching out.

    & is a valid character to enter for the password, or are you saying you're using that one and it isn't taking it?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Just ignore me, I'm talking crap. You are quite correct, & is an allowed character but I didn't spot it in the list of allowed characters. I really don't understand why I didn't see it.
