This portal is to open public enhancement requests against products and services offered by the IBM Data & AI organization. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
The following is an email communication from Robert to Steve at IBM. We still need a long-term solution to fix the 1-character password issue; see the suggestion from Robert (Citi) below:
Thanks Steve.
We should be good with this workaround for now. I implemented this in Symphony SOE, and enabled it in our certification clusters for auditors to review.
With this workaround, the passwords are now managed only via the KDC/LDAP backend, where the Citi password controls apply.
However, for an ultimate long-term solution, we would also like to record an RFE for the other option discussed earlier:
To have a new variable in ego.conf, which would allow the password complexity requirement to be expressed as a PCRE expression, e.g.:
EGO_PASSWORD_REGEX= ^.{12,}$
or
EGO_PASSWORD_REGEX= ^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[-!@#$%^&*()_+=]).{12,}$
etc.
This solution would be flexible and future-proof if the Citi password policy changes in the future.
Should we record this requirement under a separate RFE, or should we update SPCS-I-1092?
Regards,
- - -
Robert Nowotniak
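As an added example (not part of Robert's email and not IBM Symphony code), the following Python script shows how a setting like the proposed EGO_PASSWORD_REGEX could be read from an ego.conf fragment and enforced. EGO_PASSWORD_REGEX is the hypothetical variable name from the RFE above, and the ego.conf fragment is constructed for the example. It also implements the "12 characters, 3 of 4 character classes" rule from the policy update further down this page, because a chain of positive lookaheads like the second sample expression makes every class mandatory (all four), so a 3-of-4 rule is easier to count in code than to squeeze into a single pattern. A missing or unparsable pattern is treated as a rejection rather than as "no policy", which is the fail-closed behaviour a practitioner would want from a password-policy knob.

```python
import re

# Added example, not IBM Symphony code. EGO_PASSWORD_REGEX is the variable name
# proposed in the RFE above; ego.conf does not have it today.
SAMPLE_EGO_CONF = """
# constructed ego.conf fragment
EGO_PASSWORD_REGEX= ^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[-!@#$%^&*()_+=]).{12,}$
"""

# Character classes used by the "3 out of 4" rule in the policy update.
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[-!@#$%^&*()_+=]"),
}


def parse_ego_conf(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped and
    whitespace around '=' is tolerated (as in the RFE's 'KEY= value' samples).
    Only the first '=' splits key from value, so '=' inside a regex survives."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def load_policy_regex(conf):
    """Compile EGO_PASSWORD_REGEX. Returns (regex, error). An absent or
    unparsable pattern must not silently disable the policy, so the caller
    fails closed on error."""
    pattern = conf.get("EGO_PASSWORD_REGEX")
    if not pattern:
        return None, "EGO_PASSWORD_REGEX not set"
    try:
        return re.compile(pattern), None
    except re.error as exc:
        return None, f"invalid EGO_PASSWORD_REGEX: {exc}"


def check_regex_policy(password, conf):
    """Accept iff the whole password matches the configured expression."""
    regex, err = load_policy_regex(conf)
    if regex is None:
        return False, err
    if regex.fullmatch(password) is None:
        return False, "password does not match EGO_PASSWORD_REGEX"
    return True, "ok"


def check_three_of_four(password, min_length=12, required_classes=3):
    """The 'at least 12 characters, 3 of 4 character classes' rule. Each
    lookahead in the sample regex is mandatory, so that pattern demands all
    four classes; this function counts classes instead."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < required_classes:
        return False, f"only {len(present)} of 4 character classes: {present}"
    return True, "ok"


if __name__ == "__main__":
    conf = parse_ego_conf(SAMPLE_EGO_CONF)
    # Constructed test passwords: the 1-character case from this RFE, a long
    # single-class passphrase, one meeting all four classes, one meeting three.
    for pw in ["a", "correcthorsebattery", "Tr0ub4dor&3x", "lowerUPPER1234"]:
        print(repr(pw), check_regex_policy(pw, conf), check_three_of_four(pw))
```

Running the script shows the two rules disagreeing on "lowerUPPER1234": it satisfies 3 of 4 classes but fails the four-lookahead regex, which is the point to settle before writing the final expression into ego.conf.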
In a discussion with Steve, the following was discussed:
(From Steve Lee)
Hi Robert,
For case 1, I checked the code. Currently IBM Symphony uses regular expressions in features like allowlist.conf (regular expressions to control access to files) and static resource hostnames. This might be the reason why pem has the libpcre2 library linked in. Allowing a user to define a regular expression for passwords should be a completely new feature RFE request.
For case 2, as we discussed further earlier, porting the EGO_DISABLE_ADMIN_ACCESS parameter in this case will not be sufficient because it won't prevent new user creation even if Admin is locked. Also, the external plugin option (like a Siteminder or PAM plugin, which doesn't authenticate against users.xml) will still allow new user creation locally in users.xml, so introducing an EGO_LOCK_USERS_XML parameter should be a new parameter request as an RFE.
To me, it looks like case 2 is the simpler and more realistic option. Please mention these details in the RFE ticket. If this RFE becomes urgent, we can convey that to the RFE team. Thank you.
From Steve, who suggests case 2:
Hi Vijay,
Since it is purely my opinion that option 2 is simpler to implement, please mention both option 1 and option 2 in the RFE ticket, stating that either option suffices to meet the Citi password policy, as the RFE team may have a different opinion; e.g., option 1 could be simpler than option 2 from the development team's point of view. Thank you.
Regards,
Steve Lee
Software Support Specialist
Spectrum Conductor, Spectrum Symphony
IBM Cloud
Office: +1-905-316-2425
Please note this also applies to the SMC: we can change the password to a 1-character password there as well. Please apply the password security standards to the SMC also. Thank you.
Update:
Must be a 12-character password
Passwords must contain characters meeting at least 3 of the following 4 criteria:
Passwords must exclude:
ASAP: this needs to be treated as urgent (SEV1), as it is a security risk.
This security finding for the 1-character password relates to a higher insurance level; it is related to the multi-cluster project. This is high priority and we need to have it fixed as a matter of high priority.
What is the expected timeline for this?
Please advise; this is urgent for our security team.