Teams: enforce password complexity

Is there a way for team admins to enforce password complexity for team members? Our company has a policy requiring complex passwords. I'm looking for an audit/enforcement strategy.



Comments

  • Lars
    1Password Alumni
    edited September 2017

    Hi @tommeeks -- thanks for the question! I'm tempted to ask how you enforce it currently, in the absence of any such software-enforced way of doing so, but that doesn't really answer your question. I'm not sure whether you meant enforcing complexity for team members' Master Passwords, or for passwords on accounts/logins they create for various other websites, etc.

    If it's the former (Master Passwords), there is a minimum limit of ten characters accepted for Master Passwords, and we disallow a few of the worst offenders in terms of very easy-to-guess passwords, such as password123 or aaaaaaaaaa or 0123456789. Beyond that, though, we don't enforce anything and there are no user- (or admin-)selectable controls over what Master Password a user chooses. The use of the Secret Key as a second encryption factor means that each actual encryption key used to encrypt a user's data in 1Password is at least 128 bits of entropy. To be clear, we still recommend users take the time to create a truly secure Master Password, but the Secret Key does provide a substantial amount of protection in this regard as well.

    If you were referring to the passwords a user might create for logins and store within 1Password, we don't currently have anything like that built into 1Password's Strong Password Generator, for a couple of reasons: first, in many cases, there's no way to guess the password requirements at various sites; each one is different. Sometimes users are made aware of the password recipe required on the sign-up page, and sometimes you're not told until you try using a password that violates the site's policy, at which point they'll show you what you did "wrong" (how are you supposed to know what's wrong if they don't tell you until after you did it?) and ask you to choose a different password. If an individual user were to run up against such an issue, they could simply adjust on the fly if necessary, but if you as an administrator on your company's 1Password Teams account chose to impose a password recipe of a certain specificity and it happened to violate some sites' password requirements, you'd be effectively preventing anyone on the team from signing up for the sites in question.

    Finally, the ease with which strong, secure passwords are generated using 1Password makes it actually easier for users to just use the SPG than to try to come up with something memorable but far less secure. One of the main ideas of 1Password is that if you make real security easier to use than whatever insecure method people are currently using, they will practice good security.

  • tommeeks
    Community Member

    Thank you for your thoughtful explanation. Currently we are relying on voluntary compliance with our policy. I think I'll make it a task to review Watchtower for shared passwords that are weak. I appreciate your help; we love your product!
    Tom

  • @tommeeks: I'm glad Lars was able to help you out! As Lars mentioned, 1Password makes using good passwords easier, so I really hope that 1Password helps your users voluntarily comply with your policy. :+1:

    Thanks for the love and I hope you and your team continue to love 1Password for a long time to come. :chuffed:

  • PBAdams
    Community Member

    Yes, I’d like to know if there is password policy enforcement in 1Password for business.

  • Hi @PBAdams

    I believe Lars answered this question here:

    https://discussions.agilebits.com/discussion/comment/391505/#Comment_391505

    If that post does not address your question could you please elaborate on what it is that you’re looking for?

    Ben

This discussion has been closed.