10-01-2022 09:24 AM
I just tried to log into JumpCloud Community and was forced to change my password. For some reason the password requirement has shortened to 20 characters or less. I find it disturbing in this day and age that a site would reduce their password length, especially one focused on providing a directory service. I know that JumpCloud Community is a separate site from JumpCloud proper but it does have your name on it and therefore people relate it to you.
Please, for the sake of all that is security, don't restrict the length of passwords. Especially to 20 characters or less!!
10-03-2022 11:10 AM
I will check on that and thank you for bringing that to our attention!
Like someone's post? Give them a kudo!
Did someone's answer help you? Please mark it as a solution.
10-03-2022 03:36 PM
I can request an update; I'm putting in a ticket to do so. It has to be handled on the backend, though, as it's not a setting I have access to. I'll let you know when the change is done.
10-06-2022 11:14 AM
In progress: updating to 36 characters with requirements around complexity as well.
Will post again once it's complete.
10-06-2022 12:38 PM
Ahhh.... that's good, however, those guidelines don't follow current NIST standards. Would it be possible to not have requirements around complexity and just bump up the length to something like 256?
However, additional research shows that requiring new passwords to include a certain amount of complexity can actually make them less secure. And that’s why NIST has also removed all password-complexity requirements from their guidelines. For example, many companies require that users include special characters, like a number, symbol, or uppercase letter, in their passwords to make them harder to decrypt.
Unfortunately, many users will add complexity to their password by simply capitalizing the first letter of their password or adding a “1” or “!” to the end. And while it technically does make a password more difficult to crack, most password-crackers worth their salt know users tend to follow these patterns and can use them to reduce the time needed to decrypt a stolen password.
Additionally, as password complexity increases, users tend to reuse passwords from account to account, increasing the risk that they could be the victim of a credential stuffing attack if one account is breached.
So instead of forcing users to create more complex passwords, ask them to create longer ones if you want to improve password security.
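A length-first policy check of the kind the post above argues for, as an added example that is not part of the original thread and not JumpCloud's or Khoros's code. Assumptions: the 8-character minimum follows NIST SP 800-63B, the 256-character ceiling is the figure suggested in the post, the blocklist entries are constructed samples, and the scrypt parameters are illustrative.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LEN = 8    # NIST SP 800-63B floor for user-chosen passwords
MAX_LEN = 256  # ceiling suggested in the post; only bounds hashing cost
# Constructed sample blocklist; a real one holds breached and common passwords.
BLOCKLIST = {"password1!", "qwerty123!", "welcome2022"}


def _normalize(password):
    # NFKC so the same visible password always produces the same bytes.
    return unicodedata.normalize("NFKC", password)


def check_password(password):
    """Return violation codes; an empty list means the password is accepted.

    Deliberately no uppercase/digit/symbol rules: only length and a blocklist.
    """
    pw = _normalize(password)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("too_short")
    if len(pw) > MAX_LEN:
        problems.append("too_long")
    if pw.casefold() in BLOCKLIST:
        problems.append("blocklisted")
    return problems


def hash_password(password, salt=b""):
    """Salted scrypt hash; the digest is 32 bytes whatever the input length."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(_normalize(password).encode("utf-8"),
                            salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password, salt, expected):
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(hash_password(password, salt)[1], expected)
```

"Password1!" would satisfy a typical uppercase/digit/symbol rule yet is rejected here by the blocklist, while a 28-character all-lowercase passphrase is accepted. Because the stored digest is a fixed 32 bytes, a long maximum costs nothing in storage.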
10-10-2022 01:43 PM
Thanks for providing the additional info, @RNHurt. I received guidance from our internal team on this and for the time being, we bumped it up to 36 characters with the following, because that's what the vendor can do:
HOWEVER, I hear you and I'm not discounting your feedback. I wanted to at least increase password length for now and then go back and see if there are additional options to go even higher. I will come back with an additional update once I talk to Khoros and my internal team again.