YouTrack Server 2022.3 Help

Set a Password Policy

With the Hub authentication module, you can set a password policy that is enforced every time users create or change the password for their YouTrack accounts.

When you set a password policy for YouTrack, you increase the overall security of your system:

  • Comply with minimum password requirements defined by your applications, systems, or organization.

  • Protect your YouTrack instance and connected services from brute-force attacks.

  • Provide users with guidelines that help them create strong passwords that are easy to remember.

Background Information

Computer users have to remember a number of passwords for multiple applications. You've probably been told several times to create a password that is unique and meets specific requirements. Like most people, you choose a pattern that you will remember the next time you log in. Unfortunately, these patterns are as obvious to password crackers as they are easy for you to remember.

The password policies supported by YouTrack help prevent users from creating weak passwords like these:

Password  | Problem
letmein   | Contains words or phrases that are commonly used as passwords.
aaaa1     | Contains repeated characters.
abc123    | Contains a logical sequence of characters.
1qaz2wsx  | Contains characters that appear in a sequence on the keyboard.
P@ssw0rd1 | Contains predictable substitutions, such as 3 for e, 0 for o, @ or 4 for a (l33t speak).

Entropy as a Measure of Password Strength

When you set a password policy, you determine the minimum entropy for passwords created by users who log in with Hub authentication. Stronger passwords have higher entropy.

Entropy is an estimation of the number of guesses needed to find a password, measured in entropy bits. Adding one bit of entropy to a password doubles the number of guesses required.

The following table shows how the effort required by a brute-force attack to crack a password grows exponentially with its entropy.

Score       | Guesses (min) | Entropy (min) | Time to guess password (min), online, 10 guesses per second | Time to guess password (min), offline, 10,000 guesses per second
Weak        | 1 million     | 20 bits       | 27 hours | 1.5 minutes
Good        | 100 million   | 26 bits       | 3 months | 2.5 hours
Very Strong | 10 billion    | 33 bits       | 32 years | 11 days

For the online brute-force attack, you can see how dramatically strong passwords improve the security of your system. Very strong passwords take decades to crack, while the weak password is discovered in a matter of hours. If the password belongs to an account that gives the hacker access to your database, they can analyze it offline in a shorter amount of time.
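An added worked example (not part of the YouTrack documentation) that reproduces the arithmetic behind the table using the page's two guess rates, and encodes the minimum-entropy bands of the policy options listed under Instructions. The unit thresholds in humanize are an assumption chosen to render durations the way the table does.

```python
import math

# Attacker guess rates used by the help page's entropy table.
ONLINE_RATE = 10          # guesses per second (throttled login form)
OFFLINE_RATE = 10_000     # guesses per second (stolen password database)

# Minimum entropy each Hub "Password Strength" option enforces, per the
# Instructions section: Weak 20-26 bits, Good 26-33 bits, Very Strong > 33.
POLICY_MINIMUM_BITS = {"No Policy": 0, "Weak": 20, "Good": 26, "Very Strong": 33}

def guesses_for_entropy(bits: float) -> float:
    """Exhausting a password space of 'bits' entropy takes 2^bits guesses."""
    return 2.0 ** bits

def entropy_for_guesses(guesses: float) -> float:
    """Inverse: entropy in bits for a given number of guesses (log base 2)."""
    return math.log2(guesses)

def crack_seconds(guesses: float, rate: float) -> float:
    """Worst-case time to walk the whole guess space at a fixed guess rate."""
    return guesses / rate

def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that reads as at least 1.5 of it
    (assumed threshold; matches the table's '27 hours', '11 days', etc.)."""
    units = (("years", 365 * 86400), ("months", 30 * 86400),
             ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds / size >= 1.5:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"

def meets_policy(bits: float, option: str) -> bool:
    """True if a password of the given entropy passes the selected policy option.
    'Very Strong' requires strictly more than 33 bits; the other bands are inclusive."""
    minimum = POLICY_MINIMUM_BITS[option]
    return bits > minimum if option == "Very Strong" else bits >= minimum

def crack_table(guess_counts):
    """Rebuild the page's table (entropy and crack times) for any guess counts."""
    return [{"guesses": g,
             "entropy_bits": round(entropy_for_guesses(g), 1),
             "online": humanize(crack_seconds(g, ONLINE_RATE)),
             "offline": humanize(crack_seconds(g, OFFLINE_RATE))}
            for g in guess_counts]

if __name__ == "__main__":
    for row in crack_table([1e6, 1e8, 1e10]):
        print(row)
```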

A single weak password can open the door to unauthorized access. When you set higher requirements for passwords, this door is shut.

Guidelines for Creating Strong Passwords

YouTrack users can increase the strength of their passwords by following these guidelines:

  • Create a password that consists of more than one word.

    Capitalization and character substitution don't make it harder to guess a password that is based on a single word that can be found in a dictionary. You can greatly increase the entropy of a password by using a string of unrelated words in an unexpected order, even without using special characters.

    When you add another word to a password that is already very strong, it can take centuries to guess.

  • Add a few unpredictable substitutions to make words less recognizable, or insert a special character in the middle of the word. Change the order of the words to avoid a logical pattern.

  • Include lowercase and uppercase alphabetic characters, numbers, and symbols strategically. For example, you can capitalize every fourth letter in your passphrase instead of the first letter of each word.

  • Use a minimum of 12 to 14 characters.

  • Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences, usernames, names of relatives or pets, and biographical information.

  • Avoid using information that is associated with the user of an account, for example, a birthday or anniversary.

When users set or change a password in YouTrack, the password is compared to and weighed against a database of over 30,000 common passwords, names, surnames, and popular English words. If the password contains any of these, or includes any of the problems described here, YouTrack identifies the problem and provides guidelines for creating a stronger password.
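The checks behind the table of weak patterns in the Background Information section and the dictionary comparison described in this paragraph, as an added illustration that is not YouTrack's or zxcvbn's code. A tiny constructed word list stands in for the 30,000-entry database, the QWERTY layout is assumed, and the thresholds (three repeats, three-character sequences, four adjacent keys) are assumptions.

```python
import re

# Constructed stand-in for the 30,000-entry list of common passwords, names
# and English words the page mentions; the real list is not reproduced here.
COMMON_WORDS = {"letmein", "password", "qwerty", "welcome", "admin", "monkey"}

# Predictable substitutions called out on the page (l33t speak), undone
# before the dictionary lookup so that P@ssw0rd1 still matches "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o",
                          "1": "i", "!": "i", "$": "s", "5": "s", "7": "t"})

# Horizontal rows and vertical columns of a QWERTY keyboard (assumed layout).
KEYBOARD_RUNS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]

def has_repeats(pw: str, n: int = 3) -> bool:
    """aaaa1: the same character n or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None

def has_sequence(pw: str, n: int = 3) -> bool:
    """abc123: n or more characters whose code points step by exactly +1 or -1."""
    for i in range(len(pw) - n + 1):
        steps = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + n - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False

def has_keyboard_pattern(pw: str, n: int = 4) -> bool:
    """1qaz2wsx: n or more characters adjacent on the keyboard, either direction."""
    lowered = pw.lower()
    for i in range(len(lowered) - n + 1):
        chunk = lowered[i:i + n]
        if any(chunk in run or chunk[::-1] in run for run in KEYBOARD_RUNS):
            return True
    return False

def contains_common_word(pw: str) -> bool:
    """letmein / P@ssw0rd1: dictionary hit, with and without l33t substitutions."""
    plain = pw.lower()
    normalized = plain.translate(LEET_MAP)
    return any(word in plain or word in normalized for word in COMMON_WORDS)

def weak_password_problems(pw: str) -> list:
    """Return the problems from the page's table that apply to a candidate password."""
    checks = [(contains_common_word, "common word or phrase"),
              (has_repeats, "repeated characters"),
              (has_sequence, "logical character sequence"),
              (has_keyboard_pattern, "keyboard pattern")]
    return [label for check, label in checks if check(pw)]
```

A multi-word passphrase such as "correct horse battery staple" passes every check here, which is the point the guidelines above make about unrelated words beating single-word substitutions.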

YouTrack uses the realistic password strength estimation developed by zxcvbn to measure the strength of a password. You can read more about it in the related article.

Instructions

You can set a password policy for the Hub authentication module that determines the minimum password strength required for user accounts.

To set a password policy:

  1. From the Administration menu, select Access Management > Auth Modules.

  2. Select the Hub authentication module.

  3. From the Password Strength drop-down list, select one of the following options:

    Hub auth module password strength setting

    Option      | Description
    No Policy   | Users can enter any password.
    Weak        | Passwords must have a minimum entropy of 20-26 bits.
    Good        | Passwords must have a minimum entropy of 26-33 bits.
    Very Strong | Passwords must have an entropy greater than 33 bits.

That's it! The selected policy is enforced every time a user creates or changes a password for their YouTrack account. Users whose existing passwords do not conform to the new policy are asked to change their password when they log in.

Last modified: 21 April 2023