Published Date : 01 Nov 2017
Last Updated : 06 Sep 2024
Content Ref: TEC5943089
Summary
Details the RM Unify password policy.
More Information
Foreword
When logging on to RM Unify, the user provides a password to verify their identity. It is important for the password to be hard for others to guess, but easy for the user to remember. Based on a recent analysis, looking at six million leaked passwords (obtained by hackers targeting various large Internet companies), over 99.8% of them occur in the top 10,000 most common password list, with 91% being within the top 1000. The main takeaway from this is that, in spite of today's password policies, end users repeatedly choose passwords that are easy for a hacker to guess.
Heuristics, not composition rules
Composition rules are the traditional approach to ensure that a user sets a good quality password. For example, two lower case characters, one upper case, one symbol and a maximum password length of 16 characters. Composition rules give a false sense of security though. For example, 'P@55word' is a common and easy to guess password that is accepted by many traditional password policies. Following the guidance of the UK and US governments' security agencies, RM Unify takes a different approach. Based on an open source research project from Dropbox.com (zxcvbn), RM uses real world heuristics derived from hacker techniques to determine how strong a user's password really is. RM Unify uses a password strength checker that, in seconds, can calculate a password's 'crackability'. This takes into account:
Top 10,000 commonly used passwords
Common dictionary words
Common names in multiple languages
'L33t' substitution, e.g. 3 for e, 4 for a, $ for s, @ for a
Keyboard spatial patterns, e.g. qwerty, 54321, zxcvbn
By deciding how 'crackable' a password is, RM Unify can ensure that your users' passwords meet a minimum threshold, making your passwords harder to guess.
Does this mean that passwords need to be long and hard to remember?
A 'hard to guess' password does not need to be a 'hard to remember' password. It is true that longer passwords are generally harder to crack, but a short password can still be strong. A passphrase would be ideal, but another approach is to choose two uncommon words and separate them with a space or symbol, for example, 'jade_walk' or 'clap cow' (we recommend, however, that you do not use these as actual passwords!).
RM Unify password policies
There are two types of password policy in RM Unify:
RM Unify root password policy: A default password policy that is not customisable.
Establishment password policy: A customisable password policy.
Establishment password policy
From the RM Unify Management Console password policy page, a super admin is able to customise their establishment's own password policy for each user type, allowing different strengths to be set on a scale of 1-5, where 1 is very weak (and not recommended) and 5 is very strong:
Strength  Friendly name
1         Very weak (not recommended)
2         Weak
3         Moderate
4         Strong
5         Very strong
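To make the heuristic approach above concrete, here is an added miniature zxcvbn-style scorer written for this article (it is not RM's or Dropbox's code): it recognises top-list passwords, dictionary words, l33t substitutions and keyboard walks, estimates the number of guesses an attacker needs, and maps that to the 1-5 strength scale. The word lists, the assumed list size, the guess formulas and the 1-5 thresholds are illustrative assumptions, not RM Unify's actual values.

```python
import math
import string

# Constructed miniature lists, for illustration only; real zxcvbn-style lists
# hold tens of thousands of ranked entries, so the size below is assumed.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou", "dragon"]
DICTIONARY = {"jade", "walk", "clap", "cow", "summer", "school", "james", "sophie"}
DICTIONARY_SIZE = 10_000                       # assumed size of the real word/name lists
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
ADJACENT = {(a, b) for row in KEYBOARD_ROWS for a, b in zip(row, row[1:])}
ADJACENT |= {(b, a) for a, b in ADJACENT}      # walks in either direction
L33T = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}
SEPARATORS = set(" _-.,;:/")
SYMBOLS = string.punctuation + " "

def tokenize(password):
    """Split into word-like tokens and single separator characters; l33t symbols
    such as '@' stay inside a word so that 'P@55word' is checked as one token."""
    tokens, word = [], ""
    for ch in password:
        if ch in SEPARATORS:
            if word:
                tokens.append(word)
            tokens.append(ch)
            word = ""
        else:
            word += ch
    return tokens + ([word] if word else [])

def token_guesses(token):
    """Estimated guesses for one token using the page's heuristics (assumed formulas)."""
    raw = token.lower()
    unl33t = "".join(L33T.get(c, c) for c in raw)
    for candidate, factor in ((raw, 1), (unl33t, 2)):   # l33t only doubles the work
        if candidate in COMMON_PASSWORDS:                 # guesses == rank in the top list
            return (COMMON_PASSWORDS.index(candidate) + 1) * factor
        if candidate in DICTIONARY:                       # dictionary word or common name
            return DICTIONARY_SIZE * factor
    steps = list(zip(raw, raw[1:]))
    if len(raw) >= 3 and 3 * sum(s in ADJACENT for s in steps) >= 2 * len(steps):
        breaks = sum(s not in ADJACENT for s in steps)    # keyboard walk with a few turns
        return 40 * 2 ** (len(raw) - 1) * (breaks + 1)
    classes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (SYMBOLS, 33))
    charset = sum(n for chars, n in classes if any(c in chars for c in token))
    return max(charset, 1) ** len(token)                 # brute force over classes used

def strength(password):
    """Map total guesses to the 1-5 scale (zxcvbn's 0-4 score plus one)."""
    log_guesses = math.log10(math.prod(token_guesses(t) for t in tokenize(password)))
    return 1 + sum(log_guesses >= bar for bar in (3, 6, 8, 10))

def meets_policy(password, required_strength):
    """True when the password reaches the configured establishment threshold."""
    return strength(password) >= required_strength
```

With these assumptions 'P@55word' is unmasked to the top-ranked 'password' and scores 1, while 'jade_walk' scores 4 because two dictionary words plus a separator still multiply into billions of guesses.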
An acceptable default strength threshold is set for each user type, and it is set slightly lower for students than for other user types, because this class of user is less able to remember long passwords and also has limited access to sensitive data. Students in Reception to Year 6 are able to have the lowest threshold possible, but we do not recommend this. We would instead encourage you to use the maximum strength possible for each user type.
Role                              Default strength  Maximum strength  Minimum strength
Administrators (all)              4                 5                 4
Teaching Staff                    3                 5                 3
Non Teaching Staff                3                 5                 3
Other                             3                 5                 3
Governor                          3                 5                 3
Parent                            3                 5                 3
Students (no year group applied)  2                 5                 2
Students (Year 7 - 13)            2                 5                 2
Students (Reception - Year 6)     2                 5                 1 (not recommended)
The establishment password policy is not inheritable from parent to child sites, i.e. a password policy configured on a parent establishment is not inherited by child establishments*.
The establishment password policy applies to users when they are changing their own RM Unify password. Please see the scenarios below to understand which password policy applies in each of the password change scenarios.
*We can configure this on request for multi-site academy trusts. Please contact your RM Account Manager for further information.
Scenarios for password changes
When a user changes their own password through RM Unify
The Change Password page gives instant feedback on the strength of the password and will not accept the password if it doesn't meet the root or establishment (if configured) password policy applied to their RM Unify account. This real-time feedback to the user on the quality of their password encourages less predictable passwords and aims to help educate users on good password hygiene.
Passwords synced to the cloud from RM Unify Network Provisioning
When RM Unify receives a password change in the cloud via the RM Unify Network Agent (aka Network Provisioning), it is evaluated using RM Unify's root password policy. If the password does not meet the password policy, this will be shown in the User Audit in Management Console (screenshot below) and the user's password will not be updated in RM Unify. This will result in the local AD and RM Unify passwords being out of sync.
Passwords synced to the cloud from RM Unify AD Sync
As long as the password meets the local network password policy, RM Unify will accept any password received from AD Sync. Setting an RM Unify password policy in this scenario will have no effect on AD Sync provisioned accounts; the network policy will always take precedence.
RM Unify has sophisticated safeguards to detect multiple attempts to guess a password and to prevent unauthorised access - please see Other Useful Articles below. However, it is also good practice for schools to assess their own local network password policy when syncing accounts to any cloud service, not just when syncing to RM Unify.
User passwords set by an RM Unify privileged user
Where an RM Unify privileged user (RM Unify Super Admin, RM Unify Password Admin or RM Unify user with the Teaching Staff role) is changing another user's password, the heuristics based rules are not applied. In these scenarios, it is assumed that the privileged user is aware of the need for complex and secure passwords. So, feedback on the complexity requirements is of less concern, and the user will be prompted to change the password at next logon (the 'User must change their password' box is ticked by default). The only limitation is that the password chosen by the privileged user must be at least four characters long.
What if you really want to use composition rules?
We are sorry, but RM Unify cannot enforce composition rule-based password policies. The UK Government and the entire tech industry alike have agreed that heuristic-based policies, like those in action in RM Unify, are best practice.
More information
NIST is the US government's National Institute of Standards and Technology and is the world authority on authentication best practice. For more information on their recommendation to eschew composition rules, see section 5.1.1.2: https://pages.nist.gov/800-63-3/sp800-63b.html#memorized-secret-verifiers.
To have a play with the zxcvbn approach and see how it classifies different passwords, try the test site here: https://lowe.github.io/tryzxcvbn/
Download Passwords page for MIS-created users
When generating your MIS provisioned users' passwords for the first time via the Download Passwords page of the RM Unify Management Console, the passwords will always be eight characters in length, regardless of the password strength you have set for your users within the Password Policy settings page.
For example, if you were to set your Year 6 and below students to have the password policy of 1 (the weakest, accepting just a four-character password), the password generated via Download Passwords would still be an eight-character password. However, once the user logs in with the initial password, it could then be changed to a four-character password.