Password

Passwords are only stored as secure hashes, so a password can never be recovered. If a user forgets their password, they must therefore be able to log in with sufficient other factors in order to add a new password. A password reset mechanism is exactly this, and it can be created with Quasr by selecting the factors accordingly in your login UI.

At Quasr we believe in a passwordless future, as we feel passwords are impractical for users and carry various security challenges. Nonetheless we offer a password factor, because we understand our customers may still need it for the time being, though we want to challenge our customers to think about and plan for a passwordless future. Since users can enroll in various factors, passwords can be phased out over time without further implications.

Definition and Default Configuration

The password is a knowledge-based authentication factor and requires input by the user. NIST categorizes it as a “Memorized Secret”, which is defined as:

A Memorized Secret authenticator — commonly referred to as a password or, if numeric, a PIN — is a secret value intended to be chosen and memorized by the user. Memorized secrets need to be of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover the correct secret value. A memorized secret is something you know.

The password is a non-unique factor, meaning that multiple users may pick the same password by coincidence. A password therefore requires an additional identifier upfront (such as a username) in order to be used for authentication.

Default Password Policy

Quasr follows a best-practice implementation according to OWASP and NIST recommendations (as a minimum) with a default password policy of:

  • minimum 15 characters length

  • maximum 100 characters length

  • no password expiration / no required password change

Passwords are case-sensitive.

The default maximum failed attempts before the factor gets temporarily disabled is 5. The factor will auto-unlock after 300 seconds (5 minutes). The counter resets to 0 on each successful login.

Passwords are stored hashed (Argon2id).

User Interface (UI) Example

Below is a sample screenshot to give an idea of a potential login / registration page asking for an OTP factor. It is just an example, as Quasr does not currently offer a hosted login page.

On a registration page, the password input field is usually represented by a single-line text field, often combined with an additional password confirmation field (the match between password and confirmation is checked client-side) to avoid typos.

Password confirmation during new factor enrollment in Quasr Account UI.

On a login page, the password input field is usually represented by a single-line password field, which hides the input by default but allows the user to toggle its visibility, and also allows values to be pasted into it (e.g. from a password manager).

Login with password on the Hosted Login Page (Quasr).

Signup

To enroll a password factor, the password itself (input parameter) and optionally a label (label parameter) are provided, together with the ID of the password factor to enroll into (id parameter).

Signup with password factor

POST https://{tenant_id}.api.quasr.io/factors/signup

Request Body

  Name    Type    Description
  input   String  Password
  label   String  Label
  id*     String  Factor ID

Response (Sample)

{
  "result": "SUCCESS",
  "feedback": {
    "cause": "",
    "enrollment_id": "<enrollment id>",
    "generated_input": "<generated_input>"
  }
}

The generated_input field is only returned when no input was provided in the request, in which case the password is generated for the user.

Login

To validate a password factor, the password itself (input parameter) is provided, together with the enrollment ID (id parameter).

Login with password factor

POST https://{tenant_id}.api.quasr.io/factors/login

Request Body

  Name    Type    Description
  input*  String  Password
  id*     String  Enrollment ID

Response (Sample)

{
  "result": "FAILED",
  "feedback": {
    "cause": "INCORRECT_INPUT"
  }
}

Factor Creation & Configuration

A Password factor is already available by default for all newly created tenants; however, if you want to add additional password factors, you can do so via the Tenant Administration UI or the Admin API.

The Password Factor allows for the following parameters and config options:

  Parameter                                  Value Options              Default            Required
  subtype                                    "secret:password"
  label                                      <string>                   "Password"
  status                                     "ENABLED" | "DISABLED"     "DISABLED"
  score                                      <positive int>             1
  config.unique                              true | false               false
  config.case_sensitive                      true | false               true
  config.require_validation_for_enablement   true | false               false
  config.regex                               regex                      "^.{15,100}$"
  config.threshold                           0-4                        2
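As an added illustration of the options table above (this is example code written for this page, not part of Quasr's API or SDK), the following function checks a candidate CreateFactorInput for a password factor against the documented value options and fills in the documented defaults before the object is sent as the mutation's input variable. The Admin API performs its own server-side validation; this only catches mistakes early on the client.

```javascript
// Added example, not Quasr's code: client-side pre-flight validation of a
// password factor's CreateFactorInput against the documented options table.
const PASSWORD_FACTOR_DEFAULTS = {
  label: 'Password',
  status: 'DISABLED',
  score: 1,
  config: {
    unique: false,
    case_sensitive: true,
    require_validation_for_enablement: false,
    regex: '^.{15,100}$',
    threshold: 2,
  },
};

// Returns { ok, errors, input }: `input` is the candidate merged with the
// documented defaults, usable as the `input` variable of createFactor when ok.
function validateCreateFactorInput(candidate) {
  const errors = [];
  const input = {
    ...PASSWORD_FACTOR_DEFAULTS,
    ...candidate,
    config: { ...PASSWORD_FACTOR_DEFAULTS.config, ...(candidate.config || {}) },
  };

  if (input.subtype !== 'secret:password') {
    errors.push('subtype must be "secret:password"');
  }
  if (typeof input.label !== 'string' || input.label.length === 0) {
    errors.push('label must be a non-empty string');
  }
  if (!['ENABLED', 'DISABLED'].includes(input.status)) {
    errors.push('status must be "ENABLED" or "DISABLED"');
  }
  if (!Number.isInteger(input.score) || input.score < 1) {
    errors.push('score must be a positive integer');
  }
  for (const key of ['unique', 'case_sensitive', 'require_validation_for_enablement']) {
    if (typeof input.config[key] !== 'boolean') {
      errors.push(`config.${key} must be true or false`);
    }
  }
  // The regex is compiled to make sure it is a valid pattern before it is
  // stored as the tenant's password policy.
  if (typeof input.config.regex !== 'string') {
    errors.push('config.regex must be a string');
  } else {
    try {
      new RegExp(input.config.regex);
    } catch (err) {
      errors.push(`config.regex is not a valid regular expression: ${err.message}`);
    }
  }
  const th = input.config.threshold;
  if (!Number.isInteger(th) || th < 0 || th > 4) {
    errors.push('config.threshold must be an integer from 0 to 4');
  }
  return { ok: errors.length === 0, errors, input };
}
```

Running the page's own sample variables (subtype "secret:password", label "Another Password", status "ENABLED", score 2) through this check yields ok: true with the default config filled in; a status outside the documented enum, a score of 0, an uncompilable regex or a threshold outside 0-4 each produce an error entry instead.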

The following API sample calls create a Password factor labelled "Another Password" with a score of 2.

The Quasr Access Token used in the Authorization header in the examples below must contain the scope https://api.quasr.io/scopes/admin in order to be authorized. See API Authorization.

GraphQL Example

// GraphQL Query (Sample)
mutation createFactor ($input: CreateFactorInput!) {
    createFactor (input: $input) {
        id
    }
}

// GraphQL Variables (Sample)
{
  "input": {
    "subtype": "secret:password",
    "label": "Another Password",
    "status": "ENABLED",
    "score": 2
  }
}

// Response (Sample)
{
    "data": {
        "createFactor": {
            "id": "8bde5565-7027-4232-8db8-3f3ca1acaeac"
        }
    }
}

Node.js Example

const axios = require('axios');

// GraphQL mutation and variables, sent as the JSON body of the request
const data = JSON.stringify({
  query: `mutation createFactor ($input: CreateFactorInput!) {
    createFactor (input: $input) {
        id
    }
}`,
  variables: {
    "input": {
      "subtype": "secret:password",
      "label": "Another Password",
      "status": "ENABLED",
      "score": 2
    }
  }
});

// Replace {tenant_id} and {access_token} with your tenant ID and an Access Token
// carrying the https://api.quasr.io/scopes/admin scope
const config = {
  method: 'post',
  url: 'https://{tenant_id}.api.quasr.io/graphql',
  headers: {
    'Authorization': 'Bearer {access_token}',
    'Content-Type': 'application/json'
  },
  data: data
};

axios(config)
  .then(function (response) {
    console.log(JSON.stringify(response.data));
  })
  .catch(function (error) {
    console.error(error);
  });

Passwords should be long and complex, which makes them hard or impossible to remember. The use of a password manager is recommended to keep them safe. Here is a list of password managers that we can recommend (Quasr has no affiliation with these vendors).

Additional Resources
