
Weak password of 96 characters?

Hello,

 

We created a security administrator to test (all roles). Although the account is created with a password generator, 96 characters, maximum complexity, the system reports:

Are we doing something wrong, please? We are running SFOS 16.05.1 MR-1.

 

Thanks !




[locked by: FloSupport at 12:53 AM (GMT -7) on 24 Apr 2019]
  • Hi KoenT,

    Show me a picture from Administration | Admin Settings | Administrator Password Complexity Settings. 

    Thanks

  • I think these are the default settings.

  • Hi Koen, 

    The default is disabled. I tested it on my test appliance, seems no issue. Make sure you have changed the default admin password to comply with the conditions in Administration | Device Access | Admin Password.

    Note: XG will not allow a password that does not fulfill the conditions checked in the password complexity settings. Whenever a weak password is used they will receive an error:

    Thanks

  • I'm sorry, but it seems I created some confusion.

    With 'default', I referred to the password complexity settings.

    The password I put on the admin account is more than compliant with the complexity settings, but I still receive an error message on the dashboard that the administrator account is not safe.

  • KoenT,

    I am also having this problem in SFOS 16.05.6 MR-6. From trial and error I discovered that both of the following Password Complexity Checks work, but give a report that is incorrect. In Administration/Admin Settings, under the Administrator Password Complexity Settings section:

     - Include at least 1 upper-case and 1 lower-case alphabetic character

     - Include at least 1 special character like '@', '$', '!', etc

    If you check all of the Password Complexity Checks, when you change an administrator's password, it will not allow you to create a password that doesn't meet the criteria (so the complexity checks work in that regard), HOWEVER, you will now receive an alert that says "Some of the administrators have a weak password that does not conform to the password complexity settings. To change their password, Click Here", even though the password DOES meet the criteria!

    Clearly the password passed criteria, or it would not allow you to implement it. Even with the same password, if you uncheck the 2 options listed above, the alert goes away. If you check them again, the alert reappears. Updating the password to another one that also meets the criteria also gives the same alert. It appears the alerting system is incorrect.

    You might just suggest unchecking those two options to make the alert go away, but now you can enter a password that doesn't meet those criteria.  (i.e. 12345678 works if the length is set to 8).

    Until this bug is fixed, you can either leave those settings off, or learn to live with the alert that will never go away.
