Similarity-Based Password Validator

This topic has 4 replies, 2 voices, and was last updated 4 years, 10 months ago by Mark Craig.

  • #15381
     sixart
    Participant

    Hi,

    I enabled this password validator with “ds-cfg-min-password-difference: 3”. How can I check that it works?

    Regards,
    Dario

    #15382
     Mark Craig
    Participant

    Hi,

    In the documentation for the Similarity Based Password Validator, https://backstage.forgerock.com/static/docs/opendj/3.5/configref/similarity-based-password-validator.html, there’s a description of how it works, and how you need to change the password policy configuration when you use it:

    it uses the Levenshtein Distance algorithm to determine the minimum number of changes (where a change may be inserting, deleting, or replacing a character) to transform one string into the other. It can be used to prevent users from making only minor changes to their current password when setting a new password. Note that for this password validator to be effective, it is necessary to have access to the user’s current password. Therefore, if this password validator is to be enabled, the password-change-requires-current-password attribute in the password policy configuration must also be set to true.

    #15405
     sixart
    Participant

    Hi Mark,

    Thanks for the reply.
    I set password-change-requires-current-password to true. To update a password with this configuration, what kind of operation should I do on the client side?

    Regards,
    Dario

    #15624
     sixart
    Participant

    How can I test whether this configuration works?

    Regards,
    Dario

    #15625
     Mark Craig
    Participant

    For example, update the Default Password Policy to use the default configuration of the Similarity-Based Password Validator. The default setting for min-password-difference is 3.

    Then try some examples.

    Confirm the initial password:

    # Babs Jensen's first password is hifalutin:
    $ ldapsearch -D uid=bjensen,ou=people,dc=example,dc=com -w hifalutin -p 1389 -b dc=example,dc=com uid=bjensen userPassword
    dn: uid=bjensen,ou=People,dc=example,dc=com
    userPassword: {SSHA}Ow5mYXV6uvB29dQJnQV3VSP/bAMEnERgHMZ3Kw==

    Check that a password modify with a very similar password fails:

    $ ldappasswordmodify -p 1389 --authzID dn:uid=bjensen,ou=people,dc=example,dc=com --currentPassword hifalutin --newPassword hifailutin
    The LDAP password modify operation failed: 19 (Constraint Violation)
    Additional Information:  The provided new password failed the validation
    checks defined in the server: The provided password differs less than the
    minimum required difference of 3 characters

    Try again with a password that differs by at least 3 characters:

    $ ldappasswordmodify -p 1389 --authzID dn:uid=bjensen,ou=people,dc=example,dc=com --currentPassword hifalutin --newPassword hifalutin123
    The LDAP password modify operation was successful
    • This reply was modified 4 years, 10 months ago by Mark Craig.
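To see why the two password-modify attempts above behave differently, here is an added example (not OpenDJ's or ForgeRock's code) that implements the Levenshtein distance the validator relies on and applies the min-password-difference of 3 to the passwords from this thread; the function names are assumptions for illustration.

```python
# Added example, not OpenDJ's own implementation: a Levenshtein-distance check
# modelled on what the Similarity-Based Password Validator enforces with
# ds-cfg-min-password-difference: 3.

def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions needed to turn string a into string b."""
    # Classic two-row dynamic-programming formulation.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + cost))  # substitute (or keep if equal)
        prev = cur
    return prev[-1]


def validate_new_password(current: str, new: str, min_difference: int = 3):
    """Return (accepted, message), mirroring the server's rejection text.
    The check needs the clear-text current password, which is why
    password-change-requires-current-password must be true for it to work."""
    distance = levenshtein(current, new)
    if distance < min_difference:
        return False, ("The provided password differs less than the minimum "
                       f"required difference of {min_difference} characters")
    return True, f"password accepted (distance {distance})"


if __name__ == "__main__":
    # Constructed inputs: the two new passwords tried in this thread,
    # plus two extra candidates to show the edge of the rule.
    for candidate in ("hifailutin", "hifalutin123", "Hifalutin!", "nitulafih"):
        ok, msg = validate_new_password("hifalutin", candidate)
        print(f"{candidate!r}: {'OK' if ok else 'REJECTED'} - {msg}")
```

"hifailutin" is one insertion away from "hifalutin" and is rejected, while "hifalutin123" is exactly three insertions away and passes.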