Symantec Access Management
  • 1.  Advanced Password Policies using SHA-1 dictionaries

    Posted Aug 16, 2018 10:50 AM

    Dear CA SSO-Team,

    We want to strengthen the security of our CA IDM / CA SSO environment by introducing advanced password policies.

    We want to utilize a dictionary of real-world passwords previously exposed in data breaches. These real exposed passwords are supplied by https://haveibeenpwned.com/Passwords as a ZIP file containing the SHA-1 hashes of passwords.

    Which ways exist to implement this in CA IDM and/or CA SSO?

    In addition we want to exclude some characters like underscores "_" and colons ":" in passwords.

    Kind regards,

    Gottfried



  • 2.  Re: Advanced Password Policies using SHA-1 dictionaries

    Broadcom Employee
    Posted Aug 16, 2018 01:17 PM

    Gottfried, CA SSO has Advanced Password Services, APS.

    APS Introduced - CA Single Sign-On - 12.7 - CA Technologies Documentation

    You may be able to use the advanced grammar techniques and detection and APIs from that facility. Not following exactly what you want to do with exposed passwords.

    best, - Vijay



  • 3.  Re: Advanced Password Policies using SHA-1 dictionaries

    Broadcom Employee
    Posted Aug 16, 2018 05:21 PM

    It is possible to implement an "Invalid Password Dictionary" in APS, however it relies on a plain text password list.

    Invalid Password Dictionary - CA Single Sign-On - 12.7 - CA Technologies Documentation

    Utilizing a SHA1 hash list would request custom work or an Enhancement Request to be opened.

    You would have to take the user's proposed password and generate a SHA1 hash. Then perform a lookup of this hash against the downloaded list.

    An additional concern would be performance depending on whether you are performing the lookup only on password changes or on every login for every user. Plus given the size of the database, a robust repository would be needed.

    As for excluding characters, this can also be achieved via APS using Disallowed Characters.

    Password Content Settings - CA Single Sign-On - 12.7 - CA Technologies Documentation

    Hope this helps!
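The check outlined in this reply (SHA-1 the proposed password, look the digest up in the downloaded list, and reject the underscore and colon characters from the original question), written out as an added Python example that is not part of this thread or of APS. The `HASH:COUNT` line format of the Pwned Passwords download and the two sample entries are assumptions; the counts are constructed.

```python
import hashlib
from typing import Iterable, List, Set

# Constructed sample in the assumed Pwned Passwords download format: one
# "<uppercase SHA-1 hex>:<prevalence count>" entry per line. The two digests
# are SHA-1("password") and SHA-1("123456"); the counts are made up here.
PWNED_SAMPLE = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7C4A8D09CA3762AF61E59520943DC26494F8941B:23174662
"""

# Characters the original question wants excluded (APS "Disallowed Characters").
DISALLOWED_CHARS = frozenset("_:")


def load_pwned_hashes(lines: Iterable[str]) -> Set[str]:
    """Parse HASH:COUNT lines into a set of uppercase SHA-1 hex digests.

    A set keeps this example self-contained; the real list has hundreds of
    millions of entries, which is the "robust repository" concern above, so a
    production build would use the hash-ordered file with a binary search or
    a database rather than loading everything into memory.
    """
    hashes: Set[str] = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        digest, _, _count = line.partition(":")
        hashes.add(digest.upper())
    return hashes


def sha1_hex(password: str) -> str:
    """Hash the proposed password the way the list does: SHA-1 of the UTF-8 bytes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def password_problems(password: str, pwned: Set[str]) -> List[str]:
    """Return the policy violations for a proposed password (empty list = accepted)."""
    problems: List[str] = []
    bad = sorted(c for c in set(password) if c in DISALLOWED_CHARS)
    if bad:
        problems.append("disallowed characters: " + " ".join(bad))
    if sha1_hex(password) in pwned:
        problems.append("password appears in the breach dictionary")
    return problems


PWNED_HASHES = load_pwned_hashes(PWNED_SAMPLE.splitlines())

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery", "my_pass:word"):
        print(candidate, "->", password_problems(candidate, PWNED_HASHES) or "accepted")
```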