Password policy
Greg Walker edited this page Apr 2, 2019 · 1 revision
Passwords used in eAPD are checked for minimum strength with zxcvbn. Rather than counting character classes, zxcvbn estimates how many guesses an attacker would need by matching the password against dictionaries of common and previously breached passwords, names, and English words, and against patterns such as keyboard walks, repeated characters, sequences, and dates; it then maps that guess estimate to a score from 0 to 4. eAPD requires a score of 3 or higher, which zxcvbn describes as "safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)".
In addition, eAPD adopts the following policies:
- Passwords must be case sensitive
- Passwords may contain any characters in any combination, provided the zxcvbn score requirement is met. No character-composition rules (required uppercase, digits, or symbols) are imposed; the NIST SP 800-63 FAQ explains why such rules should not be used.
- The eAPD app will allow users to view their password to confirm they've typed what they intended.
- CMS will require users to change their passwords if there is evidence that their accounts or the eAPD database have been compromised. CMS will not otherwise require periodic password changes.