How to check for weak passwords

Weak password


#1 ITSupport-ORTEC (Newbie, Members, 8 posts)

Posted 31 January 2019 - 02:35 PM

Hi,

I would like to know how I can determine which Perforce accounts use a weak password.
We haven't applied password complexity rules (yet). We are finally switching over to authenticating with LDAP.
One of the first steps I want to do is determine which passwords are weak before I raise the server security level.
Do you know which command I can use to check if the password is weak?

Thanks in advance

#2 Sambwise (Advanced Member, Members, 782 posts)

Posted 31 January 2019 - 06:38 PM

The actual password isn't stored in the Perforce database (by design) so you can't necessarily check a password's strength against an arbitrary metric after it's been set.

The server database tracks the known strength of each user's password as a flag.  A new password is evaluated against the strength criteria at the time that it's set, before being hashed for storage.  The "strength" flag is recorded in the db.user table; I don't think there's an end-user command to query it, but it's an easy thing to grep out of a checkpoint:

    https://www.perforce...schema/#db.user

I *think* this information will already be recorded for existing passwords, but I'd assume it gets zeroed out to the "unknown" state if you modify things like the "minlength" tunable.  I think it's also "unknown" if you have prehistoric client apps (like, more than 15 years old) because old versions of the protocol before 2003 or whenever password strength was implemented don't support strength checking, but the odds of any of those being in play seem pretty low at this point.

If you're switching over to LDAP, though, isn't this all about to be moot since everyone will be using their LDAP password instead of their current Perforce passwords?
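The suggestion above is to grep the password-strength flag for each user out of a checkpoint's db.user records. As an added example (not part of the original thread and not Perforce's own tooling), the script below parses checkpoint lines the way a practitioner would: it tokenizes the `@`-quoted fields (with `@@` standing for a literal `@`), keeps only `pv` records for the `db.user` table, and reports each user's strength flag. The column order of db.user (user, email, update, access, fullname, password, strength, ...) and the mapping of the strength values (0 = unknown, 1 = weak, 2 = strong) are assumptions to be checked against the schema page linked above; the sample checkpoint lines are constructed, not real data.

```python
"""Report the recorded password-strength flag per user from a Perforce checkpoint.

Added example; assumptions (verify against the db.user schema documentation):
  - db.user columns after the table name are, in order:
    user, email, update, access, fullname, password, strength, ...
  - strength values: 0 = unknown, 1 = weak, 2 = strong
"""
from collections import Counter

# Assumed 0-based index of the strength column within the db.user field list.
STRENGTH_INDEX = 6
USER_INDEX = 0
# Assumed meaning of the flag values.
STRENGTH_LABELS = {"0": "unknown", "1": "weak", "2": "strong"}

# Constructed sample checkpoint lines (not real data); password column is a placeholder.
SAMPLE_CHECKPOINT = """\
@pv@ 0 @db.counters@ @upgrade@ 1
@pv@ 9 @db.user@ @alice@ @alice@@example.org@ 1548000000 1548000100 @Alice Example@ @HASH@ 2 @@ 0 0
@pv@ 9 @db.user@ @bob@ @bob@@example.org@ 1548000000 1548000100 @Bob Builder@ @HASH@ 1 @@ 0 0
@pv@ 9 @db.user@ @svc-build@ @svc@@example.org@ 1548000000 1548000100 @Build Service@ @HASH@ 0 @@ 0 0
"""


def tokenize(line: str) -> list[str]:
    """Split one checkpoint line into fields.

    Quoted fields are wrapped in '@' and use '@@' for a literal '@';
    unquoted fields (numbers) run until the next whitespace.
    """
    tokens: list[str] = []
    i, n = 0, len(line)
    while i < n:
        c = line[i]
        if c.isspace():
            i += 1
            continue
        if c == "@":
            i += 1
            buf: list[str] = []
            while i < n:
                if line[i] == "@":
                    if i + 1 < n and line[i + 1] == "@":  # escaped '@'
                        buf.append("@")
                        i += 2
                        continue
                    i += 1  # closing quote
                    break
                buf.append(line[i])
                i += 1
            tokens.append("".join(buf))
        else:
            j = i
            while j < n and not line[j].isspace():
                j += 1
            tokens.append(line[i:j])
            i = j
    return tokens


def audit_checkpoint(text: str) -> list[tuple[str, str]]:
    """Return (user, strength label) for every db.user record in checkpoint text."""
    results = []
    for line in text.splitlines():
        if not line.startswith("@pv@"):
            continue  # checkpoints contain put-value records; skip anything else
        tokens = tokenize(line)
        if len(tokens) < 3 or tokens[2] != "db.user":
            continue
        fields = tokens[3:]
        if len(fields) <= STRENGTH_INDEX:
            continue  # malformed or unexpected schema version
        label = STRENGTH_LABELS.get(fields[STRENGTH_INDEX], "unrecognized")
        results.append((fields[USER_INDEX], label))
    return results


def users_needing_attention(text: str) -> list[str]:
    """Users whose recorded strength is anything other than 'strong'."""
    return [user for user, label in audit_checkpoint(text) if label != "strong"]


def summarize(text: str) -> Counter:
    """Count users per strength label, useful before raising the security level."""
    return Counter(label for _, label in audit_checkpoint(text))


if __name__ == "__main__":
    for user, label in audit_checkpoint(SAMPLE_CHECKPOINT):
        print(f"{user:12} {label}")
    print("needs attention:", users_needing_attention(SAMPLE_CHECKPOINT))
```

Run it against a real checkpoint by reading the file into `audit_checkpoint`; the `unknown` bucket is the one the post warns about (flag reset by tunable changes or set by very old clients), so treat those accounts the same as weak ones when planning the security-level change.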

#3 ITSupport-ORTEC (Newbie, Members, 8 posts)

Posted 12 February 2019 - 03:16 PM

Hi Sambwise,

I apologize for the late reaction.

Yes, we are going to use LDAP. As I understand it, raising the server security level from * to 3 requires all Perforce users to have a strong password.

Your remark about the "strength" flag is something I can use.

Thanks.

#4 Sambwise (Advanced Member, Members, 782 posts)

Posted 12 February 2019 - 04:16 PM

You don't need to make everyone reset their passwords in Perforce before switching to LDAP.  Just switch to LDAP and then they all will have to use their LDAP passwords to login.  There isn't going to be any sort of validation on the Perforce passwords as a precondition to switching off of them.  :)

If you weren't switching to LDAP, then going to security=3 would add a strength requirement to the Perforce passwords, but that takes the form of users being forced to set strong passwords *after* you've set security=3; you aren't blocked from changing the security level by the fact that users have weak passwords.  The point of increasing the security level is to force the issue.  But again, this is moot if you're using LDAP authentication.  The only impact of the security setting in that case is to force the use of login tickets (which is required precisely because the native Perforce passwords are no longer accepted).
