Password Parameters
Hi there, I would like to point out that the password complexity requirements for our users who do not and cannot use SSO (single sign-on) recently underwent a significant change without any notifications being sent to the admins of the Workiva tool. This is unacceptable as we maintain specific password complexities to abide by our company's security policies. I'm sure you can understand that modifications that directly impact the ability to access our data are highly sensitive, even if they were only made to restrict our ability to control these complexities internally. Not only has our ability to change these complexities been disabled, but the only remaining complexity that appears to be in place is to require passwords to be 16 characters. This is a significant reduction in the quality of passwords required by our users and we believe this should have been communicated to admins of the tools Workiva offers prior to this going into effect. Any insight that can be provided around the reasoning for this change would be helpful, as typically we see enhancements in complexity requirements rather than them becoming less secure. Thanks in advance for your time!
-
Hi Alexandra,
My name is Michael Ibekie, and I'm the Product Manager for Identity and Access Manager at Workiva.
I'm sorry to hear about your experience with the new password change. Workiva underwent the password security upgrade in order to align more closely with the OWASP Application Security Verification Standard 4.0. Please see page 21.
A few months running up to the rollout, we communicated to our customers via the Workiva Community post. I'm sorry the message may have fallen through the cracks, as you weren't aware of it. With all that said, I'd like to learn more about your experience and see what we can do to resolve your company's concerns. If you'd like to reach out to me directly at michael.ibekie@workiva.com, we can set up a call.
Do let me know.
Cheers,
Michael
-
Hi Michael,
Thanks so much for following up. We've been in touch with our customer success manager and have shared our concerns and internal password security policy with him. Of course, if any questions remain open I'll be sure to reach out. Thanks for the quick response and for providing the link to OWASP. I'll be honest and say we've never heard of this nonprofit foundation before but I know we rely on the digital identity requirement set forth by the National Institute of Standards and Technology (NIST), which is put out by the US Department of Commerce. https://pages.nist.gov/800-63-3/sp800-63b.html