
Weak password of 96 characters?

Hello,

 

We created a security administrator to test (all roles). Although the account is created with a password generator, 96 characters, maximum complexity, the system reports:

Are we doing something wrong, please? We are running SFOS 16.05.1 MR-1

 

Thanks !




[locked by: FloSupport at 12:53 AM (GMT -7) on 24 Apr 2019]
  • Hi KoenT,

    Show me a picture from Administration | Admin Settings | Administrator Password Complexity Settings. 

    Thanks

  • I think these are the default settings.

  • Hi Koen, 

    The default is disabled. I tested it on my test appliance, seems no issue. Make sure you have changed the default admin password to comply with the conditions in Administration | Device Access | Admin Password.

    Note: XG will not allow a password that does not fulfill the conditions checked in the password complexity settings. Whenever a weak password is used they will receive an error:

    Thanks

  • I'm sorry, but it seems I created some confusion.

    With 'default', I referred to the password complexity settings.

    The password I put on the admin account is more than compliant with the complexity settings, but I still receive an error message on the dashboard that the administrator account is not safe.

  • KoenT,

    I am also having this problem in SFOS 16.05.6 MR-6. From trial and error I discovered that both of the following Password Complexity Checks work, but give a report that is incorrect. In Administration/Admin Settings, under the Administrator Password Complexity Settings section:

     - Include at least 1 upper-case and 1 lower-case alphabetic character

     - Include at least 1 special character like '@', '$', '!', etc

    If you check all of the Password Complexity Checks, when you change an administrator's password, it will not allow you to create a password that doesn't meet the criteria (so the complexity checks work in that regard); HOWEVER, you will now receive an alert that says "Some of the administrators have a weak password that does not conform to the password complexity settings. To change their password, Click Here", even though the password DOES meet the criteria!

    Clearly the password passed the criteria, or it would not allow you to implement it. Even with the same password, if you uncheck the 2 options listed above, the alert goes away. If you check them again, the alert reappears. Updating the password to another one that also meets the criteria also gives the same alert. It appears the alerting system is incorrect.

    You might just suggest unchecking those two options to make the alert go away, but then you can enter a password that doesn't meet those criteria (i.e. 12345678 works if the length is set to 8).

    Until this bug is fixed, you can either leave those settings off, or learn to live with the alert that will never go away.

  • Exactly the same behaviour in my case with 16.5 MR6... I've asked Sophos now for a Bug ID and Timeframe to solve.

  • Just to complete this case. There is an existing bug for this (refer to BugID NC-19647 if you experience the same problems). Sophos is currently doing the complexity check against the obfuscated password and not the plaintext password. It's planned to fix this in V17.

  • Hi All,

    NC-19647 is resolved in v17, which is probably staged to release by October. 

    Thanks

  • Thanks Christian. Appreciate it.

  • Hi,

    This is fixed in v17 Beta releases but v17 Betas are only available for partners. I will confirm if it will be included in the further v17 GA releases. 

    Thanks,

  • Hey Community,

    To update this thread:

    The fix for this issue was included in the v17.0 GA release and should indeed be resolved in further versions.

    If you are continuing to experience similar symptoms, please raise a support case (PM me or  with your case number) and reference the ID NC-19647 for continued investigation.

    Thanks,

  • The problem still exists. 

    • SFOS 17.5.4 MR-4