changepassword

Password Quality in Domino

Have you ever wondered what characteristics contribute to the Domino password quality? With so many devices to keep us connected no matter where we are at; coupled with a password for every blog, social media site, secure site, and countless others it’s easy to see why people get tired of remembering passwords. With so many passwords to remember many people often choose the easiest route possible. If you are interested in statistics of how many people use the Internet, have and use specific devices, and how much data is consumed Julie Bort has an interesting post based on Cisco’s predictions found here.

Enough of that, let’s get back to Domino. In several interactions I’ve had with users and clients password quality has raised several questions. What makes up the quality requirements? Why won’t it take my password? What are the right settings for my environment? Katherine Spanbauer and Christie Williams from IBM put together a great article concerning understanding password quality.

Here are two things I wanted to specifically point out from this article (I copied this straight from the article.

First: Develop rules for users

Users appreciate guidance in what will constitute an acceptable password, but the algorithm was not designed to adhere to a precise set of rules. However, if administrators understand the algorithm formula as described above, they should be able to define rules that fit their policies and the password quality algorithm, if they choose to do so.

For example, here are some sample password rules about what is considered acceptable for several password quality ratings. Note that these rules may actually exceed the minimum quality required, in order to be conservative. Remember that in addition to the following, single words from the dictionary should always be avoided and special characters located in the first and last position may not be sufficient to pass the algorithm’s test.

Rules for a quality rating of 6:

  • Choose a password that contains at least six characters and includes at least one of the following: number, mixed case, punctuation.
  • Choose a password that contains at least six characters and that does not include a single word from the dictionary.

Rules for a quality rating of 8:

  • Choose a password that contains at least six characters and that includes at least two of the following: number, mixed case, punctuation.
  • Choose a password that contains at least seven characters and that includes one number and one uppercase letter.
  • Choose a password that contains at least eight characters and that includes at least one of the following: number, mixed case, punctuation.
  • Choose a password that contains at least eight characters and that does not include words from the dictionary.

Rules for a quality rating of 10:

  • Choose a password that contains at least eight characters and that includes at least two of the following: number, mixed case, punctuation.
  • Choose a password that contains at least ten characters and that includes at least one of the following: number, mixed case, punctuation.
  • Choose a password that contains at least 12 characters and that does not include words in the dictionary.

Remember that, as helpful as such rules are to users, passwords that don’t match the specific rules might still meet the required password quality rating.

Here is a table of passwords that meet each password quality rating in the password quality scale. We strongly recommend that users do not choose any of these examples as their actual passwords.

Password Quality Examples
3 dog
password
pwd
2d4
4 5786
atof
r2d2
5 d0gs
doGs
scAle
6 sCa1e
dogcat
pw46wp
7 cat7dog
catSrOK
8 tyughvbn
one21two
rt 7uj
9 one2 1two
onetwothree
10 pAssw0rd
pwd46dwp
11 winD39_BP
the way we were
12 PwD46dWp
rtyughjkbnml
GoneWithTheWind
13 Gone With The Wind
4891spyONu
14 tree forest grass rock
thedogisontheporch
15 thecathidesunderthebed
tdiotp&tchutb
16 thecowjumpedoverthemoon
thedishranawaywiththespoon
stream8pond1river7lake2oceanz

General guidance for users

In addition to rules, there are several tips you can give users that will help them in choosing passwords:

  • Avoid words that are in the dictionary as these create weaker passwords.
  • Include mixed case, numbers, and punctuation in the password. These increase the password’s strength.
  • You can make a password stronger without making it longer by avoiding words and/or breaking up alphabetic characters with numbers and punctuation. Using mixed case within strings of alphabetic characters is also helpful.
  • Use a passphrase rather than a password. A passphrase, such as a complete sentence, is difficult for an attacker to guess. Including misspelled words in the phrase makes it an even stronger password.

Second: Changing a previously registered user’s password quality setting

You can change a user’s password quality setting only when manually recertifying users. During manual recertification, a safe copy of the ID file is sent to the administrator to be recertified. This method allows settings within the ID file itself to be modified. The user then merges this safe copy into their ID files, accepting the ID file changes and the new certificate.

When recertifying users from the Person view of the Domino Directory (names.nsf), only the certificate is updated. When the user authenticates with their home server after recertification, their ID file is automatically updated with the new certificate.

Note that in the next release of Notes/Domino, Rnext, the use of policy documents will make changes to password quality settings more automated.

My Closing Thoughts

Hopefully this information clears up a few questions on what settings contribute to the quality of passwords used by Domino; it has helped me several times. Check out the security policy settings document mentioned at the end of the previous section. The Security Policy Settings Document I believe became available in R6. This policy document allows you to setup common rules for users. The Admin help located in the Help > Help Topics of the Domino Admin client or in the help9_admin.nsf database (or whatever version of domino you are running) contains valuable information on how to configure the settings for this security policy. Policies are a powerful way to make sure you stay consistent with settings across your environment.

securitypolicy