Gatekeeper and password policies

January 8, 2021
By Lukas Reschke

"Your password needs to contain a non-alphanumeric character and two upper-case characters."

Most people have probably seen an error message like this when changing a password somewhere. The usual reaction is to append a few special characters, such as an exclamation mark, to the password they already had in mind.

The story behind password policies

In 2004 the National Institute of Standards and Technology (NIST) published guidance on passwords in "Special Publication 800-63 Version 1.0", endorsing rules such as:

"composition rules that typically require users to select passwords that include lower case letters, upper case letters, and non-alphabetic symbols"

Software vendors followed suit by adding absurd configuration flags to their systems, letting you configure how many characters of each type a password must contain. Enterprises saw this and started demanding it from every vendor: if your software didn't support such rules, companies would simply not buy from you.

Realistically, this didn't raise the security level of the system. Instead of "password", people now chose "Password1!", which satisfies every composition rule and is just as guessable.

In 2017, NIST acknowledged this and published "Special Publication 800-63B", which drops both mandatory periodic password changes and composition requirements. It instead recommends a minimum length (eight characters for user-chosen passwords) and checking new passwords against lists of known breached or otherwise weak passwords.

How Gatekeeper uses password policies

We believe in making software as easy to use as possible and shipping it with sane security defaults. There is barely any valid reason why organization A should require one more special character than organization B.

In terms of password checks, this means Gatekeeper ships with a hard-coded password policy. There is nothing to configure on your end, and Gatekeeper automatically follows current best practice.

Gatekeeper tells users when a password is not deemed secure, for instance because it is too short or has appeared in a known breach.

User enters a password that is too short: screenshot of Gatekeeper reporting that the password is not long enough

User enters a breached password: screenshot of Gatekeeper reporting that the password has appeared in a breach

User enters a secure password: screenshot of Gatekeeper accepting the password
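The two checks described above (a minimum length in the spirit of NIST SP 800-63B, and a lookup against a breached-password corpus) are small enough to show in full. The following is an added example written for this page, not Gatekeeper's own code: the page does not say which breach corpus Gatekeeper consults, so this example uses the k-anonymity range-lookup scheme popularised by Have I Been Pwned's Pwned Passwords API, and the server side is simulated by a constructed in-memory table (`CONSTRUCTED_BREACHED`, `fake_range_lookup`) so that it runs offline. The point worth seeing in code is that the client sends only the first five hex characters of the SHA-1 digest and matches the rest locally, so neither the password nor its full hash leaves the process.

```python
"""Password policy check in the NIST SP 800-63B style: a minimum length and a
breached-password lookup, with no composition rules.  Added example; the
breach corpus is a constructed in-memory stand-in for a k-anonymity range API."""
import hashlib
from typing import Callable, Dict, Optional

MIN_LENGTH = 8      # NIST SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 256    # upper bound so the hashing step cannot be fed megabytes


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the Pwned Passwords range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample corpus (plaintext -> number of breaches it appeared in).
# It stands in for the server-side data set; a real one holds hundreds of
# millions of hashes, which is why only a hash prefix is ever sent to it.
CONSTRUCTED_BREACHED: Dict[str, int] = {
    "password": 3730471,
    "Password1!": 2,
    "123456": 23597311,
}


def build_range_db(breached: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Index the corpus as prefix -> {suffix: count}, the shape a range API serves."""
    db: Dict[str, Dict[str, int]] = {}
    for plaintext, count in breached.items():
        digest = sha1_hex(plaintext)
        db.setdefault(digest[:5], {})[digest[5:]] = count
    return db


RANGE_DB = build_range_db(CONSTRUCTED_BREACHED)


def fake_range_lookup(prefix: str) -> str:
    """Simulates GET https://api.pwnedpasswords.com/range/<prefix>: returns
    'SUFFIX:COUNT' lines for every known hash sharing the 5-hex-char prefix."""
    return "\n".join(f"{suffix}:{count}"
                     for suffix, count in RANGE_DB.get(prefix.upper(), {}).items())


def breach_count(password: str,
                 range_lookup: Callable[[str], str] = fake_range_lookup) -> int:
    """k-anonymity lookup: send only the first 5 hex chars of the SHA-1 and match
    the remaining 35 locally.  Returns how many breaches the password appeared
    in (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def check_password(password: str,
                   range_lookup: Callable[[str], str] = fake_range_lookup,
                   fail_closed: bool = True) -> Optional[str]:
    """Return None if the password is acceptable, otherwise a user-facing reason.
    Length is counted in code points, not bytes, so spaces and non-ASCII count
    like any other character (800-63B says to accept them).  There are no
    composition rules on purpose."""
    if len(password) < MIN_LENGTH:
        return f"Password must be at least {MIN_LENGTH} characters long."
    if len(password) > MAX_LENGTH:
        return f"Password must be at most {MAX_LENGTH} characters long."
    try:
        hits = breach_count(password, range_lookup)
    except Exception:  # breach service unreachable: make the policy explicit
        if fail_closed:
            return "Could not verify the password against known breaches; try again later."
        return None
    if hits:
        return (f"This password has appeared in {hits} known data breaches; "
                "please choose a different one.")
    return None


if __name__ == "__main__":
    for candidate in ["short", "Password1!", "correct horse battery staple"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if verdict is None else verdict}")
```

Two practical notes. "Password1!" passes the length check and fails only the breach check, which is exactly the case the composition rules of 2004 never caught. And `fail_closed` exists because a breach lookup is a network dependency: you have to decide in advance whether an unreachable service blocks password changes or lets them through, rather than discovering the answer during an outage.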
