BHillebrand Posted February 6, 2023

Summary of Use case: MSP client insists on utilising a known Bad password, is unwilling/unable to change the password for operational reasons, but the password still requires documentation in Passwordstate by the MSP.

Current Outcome: The only option in this scenario is to disable Bad passwords detection entirely for the whole password list, and this is a sub-optimal outcome that prevents us deriving any security benefit from the feature.

Requested Feature: Short of blocking bad passwords, we'd like to be able to benefit from the Bad passwords feature by:

* Having an option added for a Passwordstate user to be notified when a Bad password is entered, but still allowing the user to save the password entry anyway. (IE: Choice to Block OR Notify)

Goossens Posted February 7, 2023

+1

Also: I'd rather have the current - bad - password stored in PasswordState (so that its quality and replacement can be monitored) than having it stored somewhere outside PasswordState. So, first securely store the bad password and then replace it by a good one (which cannot always be done immediately).

Dave Bennie Posted February 16, 2023

Potential workaround I have deployed for sites we cannot control passwords for is a dedicated list that allows poor passwords. This list requires reasons for the password being poor etc.

BHillebrand Posted February 22, 2023

On 2/16/2023 at 2:32 PM, Dave Bennie said:
Potential workaround I have deployed for sites we cannot control passwords for is a dedicated list that allows poor passwords. This list requires reasons for the password being poor etc.

Yeah, that's what we're having to do, but it's a messy workaround to resort to. Mostly because it either results in a proliferation of lists (IE: Good password list and Bad password list for customers that want to use bad passwords on their sites) or we have one customer list and just disable the feature fully, which isn't great because our comfort with bad credentials used in an MFC pin code might not extend to other types of credentials etc.

Mordecai Posted March 7

+1

Ben Claussen Posted March 7

+1

fecton.ernst.meinhart Posted March 20

+1