Why is the Community password length restricted to < 21 characters!?!?!

RNHurt
Novitiate III

I just tried to log into JumpCloud Community and was forced to change my password.  For some reason the password requirement has shortened to 20 characters or less.  I find it disturbing in this day and age that a site would reduce their password length, especially one focused on providing a directory service.  I know that JumpCloud Community is a separate site from JumpCloud proper but it does have your name on it and therefore people relate it to you.

Please, for the sake of all that is security, don't restrict the length of passwords.  Especially to 20 characters or less!!

2 ACCEPTED SOLUTIONS

BScott
Community Manager

I can request an update; I'm putting in a ticket to do so. It has to be handled on the backend, though, as it's not a setting I have access to. I'll let you know when the change is done.

Like someone's post? Give them a kudo!
Did someone's answer help you? Please mark it as a solution.


BScott
Community Manager

Thanks for providing the additional info, @RNHurt. I received guidance from our internal team on this and for the time being, we bumped it up to 36 characters with the following, because that's what the vendor can do:

  • At least 12 characters
  • At least one lowercase letter
  • At least one uppercase letter
  • At least one number
  • No Repeating Characters

HOWEVER, I hear you and I'm not discounting your feedback. I wanted to at least increase password length for now and then go back and see if there are additional options to go even higher. I will come back with an additional update once I talk to Khoros and my internal team again.


5 REPLIES

BScott
Community Manager

I will check on that and thank you for bringing that to our attention!

BScott
Community Manager

In progress: updating to 36 characters with requirements around complexity as well. 

  • At least 12 characters
  • At least one lowercase letter
  • At least one uppercase letter
  • At least one number
  • At least one special character

Will post again once it's complete.


Ahhh.... that's good, however, those guidelines don't follow current NIST standards.  Would it be possible to not have requirements around complexity and just bump up the length to something like 256?

 

 

However, additional research shows that requiring new passwords to include a certain amount of complexity can actually make them less secure. And that’s why NIST has also removed all password-complexity requirements from their guidelines.

For example, many companies require that users include special characters, like a number, symbol, or uppercase letter, in their passwords to make them harder to decrypt.

Unfortunately, many users will add complexity to their password by simply capitalizing the first letter of their password or adding a “1” or “!” to the end. And while it technically does make a password more difficult to crack, most password-crackers worth their salt know users tend to follow these patterns and can use them to reduce the time needed to decrypt a stolen password.

Additionally, as password complexity increases, users tend to reuse passwords from account to account, increasing the risk that they could be the victim of a credential stuffing attack if one account is breached.

So instead of forcing users to create more complex passwords, ask them to create longer ones if you want to improve password security.
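
Added example, not part of the original thread and not JumpCloud or Khoros code: the composition rules listed in the thread next to a length-first check of the kind the post above asks for. The reading of "No Repeating Characters" as "no identical neighbouring characters", the small blocklist, and the sample passwords are assumptions constructed for the illustration; the 256-character ceiling is the figure suggested in the post.

```python
import re

# Constructed sample blocklist (assumption); a real deployment would load a
# large corpus of common and breached passwords instead.
COMMON_BASE_WORDS = {"password", "welcome", "jumpcloud", "qwerty", "letmein"}

def composition_policy(pw: str) -> list[str]:
    """Rules as listed in the thread: 12-36 chars, lower, upper, digit,
    no repeating characters (assumed: no identical neighbours)."""
    problems = []
    if not 12 <= len(pw) <= 36:
        problems.append("length must be 12-36")
    if not re.search(r"[a-z]", pw):
        problems.append("needs a lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("needs an uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("needs a number")
    if re.search(r"(.)\1", pw):
        problems.append("repeating characters")
    return problems

def length_first_policy(pw: str, min_len: int = 12, max_len: int = 256) -> list[str]:
    """No composition rules: a floor, a generous ceiling, and a blocklist
    check on the password with its usual decorations stripped."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len}")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len}")
    # Undo the predictable pattern: capitalised word + trailing digits/symbols.
    base = re.sub(r"[\d\W_]+$", "", pw).lower()
    if base in COMMON_BASE_WORDS:
        problems.append("common word with predictable suffix")
    return problems

SAMPLES = [  # constructed inputs
    "Welcome12345",                                     # predictable pattern
    "correct horse battery staple on a rainy tuesday",  # long passphrase
]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(repr(pw), composition_policy(pw), length_first_policy(pw))
```

The predictable password satisfies every composition rule, while the 47-character passphrase is rejected on four of them; the length-first check reverses both verdicts.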


 
