Project:Infrastructure/Server-side password policy

From Gentoo Wiki
Warning: this page is a work in progress by MGorny. Treat its contents with caution.

This page provides information on using password authentication in Gentoo services.

Requirements

When deploying services using password authentication to Gentoo users, please:

  • Do not ever send or display the user's password.
    • When implementing password recovery, use a temporary token that requires the user to set a new password immediately.
  • Do not try to enforce strong passwords. Advising is good, but forcing usually has the opposite effect.
    • Instead of enforcing password length or character classes, provide a good password strength meter (very long lowercase passwords are also strong) and warn people about weak passwords. Trying to enforce additional character classes usually results in predictably weak passwords, e.g. ending with 1!.
    • Suggest periodic rotation but do not force it. Attempting to force it usually results in users setting the same password again.
    • Do not ever force random passwords. Enforcing passwords users can't remember results in them being written down.
  • Do not store passwords directly. Instead, use a key derivation scheme with salt (Argon2, PBKDF2, or at least a strong salted hash).
  • Prefer challenge-response authentication methods (e.g. SCRAM) to sending the password or its direct derivative.
  • Always require TLS (or a similar method enforcing encryption and server authentication) when performing authentication.
    • When the authentication needs to happen over unsecured media, challenge-response methods are required.
  • Provide two-factor authentication support.
    • Warn the user (e.g. by sending an e-mail) shortly after a successful password login that is not followed by a successful second-factor authentication.
  • If the service is expected to be used via scripts, provide API key support.
    • API keys should allow for restricted access scope.
  • Provide an audit log of login attempts along with a list of currently active sessions.
  • Throttle login attempts — temporarily block login after a few unsuccessful attempts.
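Added example (not code from Gentoo infrastructure): a minimal Python implementation of two points above, salted key-derivation storage and login throttling, with PBKDF2-HMAC-SHA256 standing in for the Argon2 option; the iteration count, salt size, failure limit and window are constructed values, not Gentoo settings.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed parameters for this example; tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the stored string carries its own parameters."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record never verifies
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

class LoginThrottle:
    """Temporarily block logins for an account after too many failures in a window."""

    def __init__(self, max_failures: int = 5, window: float = 900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window          # seconds over which failures are counted
        self.clock = clock            # injectable for testing
        self._failures = defaultdict(list)  # username -> failure timestamps

    def _recent(self, username: str, now: float) -> list:
        recent = [t for t in self._failures[username] if now - t < self.window]
        self._failures[username] = recent
        return recent

    def is_blocked(self, username: str) -> bool:
        return len(self._recent(username, self.clock())) >= self.max_failures

    def record(self, username: str, success: bool) -> None:
        if success:
            self._failures.pop(username, None)  # successful login resets the counter
        else:
            self._failures[username].append(self.clock())
```

The record format keeps the algorithm and iteration count next to the hash, so entries can be re-hashed on next login when the parameters are raised.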