RM Logo
Technical Rating: 
Support Home PageSupport
Print This PagePrint This Page
Add to 'My Library' Add to 'My Library'

RM Unify password policy
Published Date : 01 Nov 2017   Last Updated : 08 Oct 2021   Content Ref: TEC5943089  





More Information

Foreword
When logging on to RM Unify, the user provides a password to verify their identity. It is important for the password to be hard for others to guess, but easy for the user to remember. Based on a recent analysis, looking at six million leaked passwords (obtained by hackers targeting various large Internet companies), over 99.8% of them occur in the top 10,000 most common password list, with 91% being within the top 1000. The main takeaway from this is that, even in spite of today's password policies, end users repeatedly choose passwords that are easy for a hacker to guess.

Heuristics, not composition rules
Composition rules are the traditional approach to ensure that a user sets a good quality password. For example: two lower case characters, one upper case, one symbol, and a maximum password length of 16 characters. Composition rules give a false sense of security though. For example, P@55word is a common, easy to guess password that is accepted by many traditional password policies. Following the guidance of the UK and US governments' security agencies, RM Unify takes a different approach. Based on an open source research project from Dropbox.com, RM uses real world heuristics, derived from hacker techniques, to determine how strong a user's password really is. RM Unify uses a password strength checker that, in seconds, can calculate a password's 'crackability'. This takes into account:

  • Top 10,000 commonly used passwords
  • Common dictionary words
  • Common names in multiple languages
  • 'L33t' substitution, e.g., 3 for e, 4 for a, $ for s, @ for a
  • Keyboard spatial patterns, e.g., qwerty, 54321, zxcvbn

By deciding how 'crackable' a password is, RM Unify can ensure that your users' passwords meet a minimum threshold, making your passwords harder to guess.

Does this mean that passwords need to be long and hard to remember?
A 'hard to guess' password does not need to be a 'hard to remember' password. It is true that longer passwords are generally harder to crack, but short passwords can potentially be stronger. A passphrase would be ideal, but another approach is to choose two uncommon words and separate them with a space or symbol, for example, 'jade_walk' or 'clap cow' (we recommend, however, that you do not use these as actual passwords!).


RM Unify password policies

There are two types of password policy in RM Unify:

  • RM Unify root password policy: A default password policy that is not customisable.
  • Establishment password policy: A customisable password policy.

Establishment password policy
From the RM Unify Management Console password policy page, a super admin is able to customise their establishment's own password policy for each user type, allowing different strengths to be set on a scale of 1-5, where 1 is very weak (and not recommended) and 5 is very strong:

Strength

Friendly name

1

Very weak (not recommended)

2

Weak

3

Moderate

4

Strong

5

Very strong

An acceptable default strength threshold is set for each user type and is also set slightly lower for students than for other user types; this class of user is not able to remember long passwords and also has limited access to sensitive data. Students in Reception to Year 6 are able to have the lowest threshold possible, but RM does not recommend this. We would instead encourage you to use the maximum strength possible for each user type.

Role Default strength Maximum strength Minimum strength

Administrators (all)

4

5

4

Teaching Staff

3

5

3

Non Teaching Staff

3

5

3

Other

3

5

3

Governor

3

5

3

Parent

3

5

3

Students (no year group applied)

2

5

2

Students (Year 7 - 13)

2

5

2

Students (Reception - Year 6)

2

5

1 (not recommended)

The establishment password policy is not inheritable from parent to child sites, i.e. a password policy configured on a parent establishment is not inherited by child establishments*.

The establishment password policy applies to users when they are changing their own RM Unify password. Please see the scenarios below to understand which password policy applies in each of the password change scenarios.

*RM can configure this on request for multi-site academy trusts. Please contact your RM Account Manager for further information. 


Scenarios for password changes

  • When a user changes their own password through RM Unify
    The Change Password page gives instant feedback on the strength of the password and will not accept the password if it doesn't meet the root or establishment (if configured) password policy applied to their RM Unify account. This real-time feedback to the user on the quality of their password encourages less predictable passwords, and aims to help educate users on good password hygiene.
  • Passwords synced to the cloud from RM Unify Network Provisioning
    When RM Unify receives a password change in the cloud via the RM Unify Network Agent (aka Network Provisioning), it is evaluated using RM Unify's root password policy. If the password does not meet the password policy, this will be shown in the User Audit in Management Console (screenshot below) and the user's password will not be updated in RM Unify. This will result in the local AD and RM Unify passwords being out of sync.
Image showing 'Password Change Detected' message

  • Passwords synced to the cloud from RM Unify AD Sync
    As long as the password meets the local network password policy, RM Unify will accept any password received from AD Sync. Setting an RM Unify password policy in this scenario will have no effect on AD Sync provisioned accounts; the network policy will always take precedence
     
    RM Unify has sophisticated safeguards to detect multiple attempts to guess a password and to prevent unauthorised access - please see Other Useful Articles below. However, it is also good practice for schools to assess their own local network password policy when syncing accounts to any cloud service, not just when syncing to RM Unify. 
  • User passwords set by an RM Unify privileged user
    Where an RM Unify privileged user (RM Unify Super Admin, RM Unify Password Admin or RM Unify user with the Teaching Staff role) is changing another user's password, the heuristics based rules are not applied. In these scenarios it is assumed that the privileged user is aware of the need for complex and secure passwords, and so feedback on the complexity requirements is of less concern, and the password will be changed at next logon. The only limitation is that the password chosen by the privileged must be at least four characters long. The 'User must change their password' box is ticked by default.

What if you really want to use composition rules?
We are sorry, but RM Unify cannot enforce composition rule based password policies. The UK Government and the entire tech industry alike have agreed that heuristic based policies, like those in action in RM Unify, are best practice.

More information
NIST is the US government's National Institute for Standards and Technology and is the world authority on authentication best practice. For more information on their recommendation to eschew composition rules, see section 5.1.1.2: https://pages.nist.gov/800-63-3/sp800-63b.html#memorized-secret-verifiers.

The UK's National Cyber Security Centre (NCSC) provides further information on why it now advises against forcing regular password expiry:
https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

For more information on the approach we use, we recommend watching this presentation from Dan Wheeler (Dropbox): https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler.

To have a play with the Zxcvbn approach and see how it classifies different passwords, try the test site here:
https://lowe.github.io/tryzxcvbn/



Other Useful Articles

RM Unify - Error "You can't sign in because your account has been temporarily locked due to several incorrect sign in attempts" (TEC5181451)

FEEDBACK
Did the information in this article help answer your question?
 Yes
 No
Please add any comments about this article in the box below. If you answered No then it is important you tell us why so that we can change the article if required. We can only respond if you log in to the RM Support website or provide your contact details. Note: If you need help with a technical query, please log a call online or telephone our support team.
Thank you for your feedback, which is sent directly to the RM Knowledge team. We address every message received with the intention of improving our Knowledge Library articles. If you have an unresolved technical issue, please contact RM Support.


If this article has not helped provide a solution then it is also possible to log a call...



Document Keywords: unify, password, policy, requirements, detected, ignoring, TEC5943089


Please read - important disclaimer information.
http://www.rm.com/_RMVirtual/Includes/csredirect.asp?cref=&title=Standard Content Disclaimer


Top Of PageTop of page