
Detects Weak and Leaked Passwords in Real-Time


Yoann Traut (RCDevs)

Oct 30, 2024, 5:02:59 AM
to RCDevs Security
RCDevs' New Password Strength and Leak Detection Features

Recent versions of RCDevs WebADM, OpenOTP, and the Secure Password Reset applications now offer a feature to verify if a password is weak or has been compromised.

How Does It Work?

Through RCDevs' cloud infrastructure at cloud.rcdevs.com, accessible to WebADM servers via Freeware, Trial, or Enterprise licenses, a specialized micro-service checks passwords against a database of millions of known weak or leaked passwords. Each password in this database is hashed, ensuring secure data handling.

When WebADM requests a leak or weakness check for a user’s password, it follows these steps:

1. Hashing Process: The user’s password is hashed locally within WebADM, using the same algorithm as the micro-service.
2. Partial Hash Transmission: WebADM transmits only the first five hexadecimal characters of the password hash to the cloud service, providing an extra layer of security by sending only a fragment of the hash.
3. Match Verification: The micro-service returns a list of around 900 compromised hashes that match the first five characters of the transmitted hash fragment.
4. Leak or Weakness Confirmation: WebADM locally compares the complete hash with the returned list to determine if the password is compromised, ensuring the full password hash never leaves the WebADM environment.

What Happens Next?

If the password is confirmed to be weak or compromised:

- User Notification: The user is immediately notified.
- Administrator Notification: WebADM administrators receive an alert.
- Password Change Restrictions: The Password Reset application may deny the password change request.

Setting Up Password Verification Policies

At the client policy level in WebADM, you can enable various checks:

- Weak Detection: Use “Weak” to check if the password appears on blacklists of insecure passwords.
- Pwned Detection: Use “Pwned” to ensure the password hasn’t been leaked in data breaches.
- Policy Compliance: Use “Policy” to confirm the password adheres to the security policy configured within the Password Reset application.

OpenOTP Application Configuration Options

Within OpenOTP, WebADM administrators can enforce these verifications as follows:

- Global Weak Password Detection: Enable this feature to apply verification checks to all OpenOTP-authenticated logins.
- User Notifications: In the “User Notifications” settings, activate “Weak Password Notification” to send alerts via email or SMS when a password is found to be weak, leaked, or non-compliant.
- Automatic Password Reset Requests: Trigger a password reset request if a user’s password does not meet security requirements or appears as leaked.
- Account Blocking for Non-compliant Passwords: Set a maximum duration for weak, leaked, or non-compliant passwords, after which the account will be blocked if no update occurs. Administrators will also receive alerts when “Send Blocking Alerts” is enabled.

These new password security features enhance both user safety and administrative control, ensuring that only strong, uncompromised passwords are permitted.
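The four-step exchange described in the post (hash locally, send a five-character prefix, receive the matching hashes, compare locally) is a range-query or k-anonymity lookup. The following is an added illustration and is not RCDevs' code: the cloud micro-service is simulated in-process, the "leaked" password list is a constructed sample of five entries, and SHA-1 is an assumption, since the post does not name the hash algorithm WebADM and the micro-service share. The client function returns a record of what it sent so a reader can verify that only the prefix crosses the (simulated) network boundary.

```python
import hashlib
import hmac

# Constructed sample of "known weak or leaked" passwords standing in for the
# cloud database the post describes. The post does not name the hash
# algorithm; SHA-1 is assumed here only because range-query leak services
# commonly use it. Only hashes are stored, never the plaintext.
_SAMPLE_LEAKED = ["password", "123456", "qwerty", "letmein", "welcome1"]


def password_hash(password: str) -> str:
    """Hash used on both sides (assumption: SHA-1, upper-case hex)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- Simulated cloud micro-service (server side) ---------------------------
# Index every stored hash by its first five hex characters so a range query
# can answer with the suffixes of every hash under that prefix.
_LEAK_INDEX: dict = {}
for _pw in _SAMPLE_LEAKED:
    _h = password_hash(_pw)
    _LEAK_INDEX.setdefault(_h[:5], []).append(_h[5:])


def range_query(prefix: str) -> list:
    """Server side: return suffixes of all stored hashes sharing `prefix`.

    The server only ever learns five hex characters, so it cannot tell which
    of the hashes under that prefix the client is actually interested in.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly five upper-case hex characters")
    return sorted(_LEAK_INDEX.get(prefix, []))


# --- Client side (the WebADM role) -----------------------------------------
def check_password_leak(password: str, query=range_query) -> dict:
    """Hash locally, send only the 5-char prefix, compare the suffix locally.

    Returns a small record of what was sent and what was decided so the
    caller (or a test) can verify the full hash never left this function.
    """
    full_hash = password_hash(password)
    prefix, suffix = full_hash[:5], full_hash[5:]
    candidates = query(prefix)          # only `prefix` crosses the network
    # compare_digest avoids revealing, via timing, how far the suffix matched
    compromised = any(hmac.compare_digest(suffix, c) for c in candidates)
    return {
        "compromised": compromised,
        "prefix_sent": prefix,
        "candidates_returned": len(candidates),
    }


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3-constructed-sample"]:
        print(candidate, "->", check_password_leak(candidate))
```

In a real deployment the `query` argument would be an HTTPS call to the micro-service rather than a local function; keeping it injectable makes the prefix-only property easy to test, and the `ValueError` guard on the server side shows the kind of input validation a range endpoint should perform before touching its index.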