Password Policy
To meet stringent industry regulations and frameworks such as HITRUST, ISO, and SOC 2 Type II, and to ensure our platform stands up to rigorous penetration testing, we enforce two robust password validation mechanisms: Pattern Validation and Password Strength Validation.
Each regulation has its own password policy requirements, and our default settings are deliberately strict so that they satisfy all of them at once. We also understand that every organization has unique needs: the two mechanisms are independent of each other, and each can be fully customized to align with your organization's security policies.
Below, we explain both mechanisms and the options available for customization.
Pattern Validation
Pattern Validation ensures that passwords follow specific structural rules, such as a minimum length and required character types. It is implemented with a regular expression (regex), which gives a flexible and precise way to define an acceptable password format.
By default, BioT enforces the following password pattern:
- Minimum length: At least 8 characters.
- Lowercase letters: Must contain at least one lowercase letter (e.g., "a").
- Uppercase letters: Must contain at least one uppercase letter (e.g., "A").
- Digits: Must contain at least one numerical digit (e.g., "1").
The corresponding regular expression for this pattern is:
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*()\-=+\[\]{};:'",.<>?/|\\~`]?).{8,}$
Each (?=.*X) lookahead asserts that X occurs somewhere in the password without consuming any characters, and the final .{8,} enforces the minimum length. Note the trailing ? inside the last lookahead: it makes the special-character class optional, so that lookahead always succeeds. Special characters are therefore permitted but not required, which matches the rules listed above.
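The following is an added example, not code from the BioT platform, that applies the default pattern in Python and makes two points concrete: the `.*` inside each lookahead is essential (without it the expression rejects every password, since the three lookaheads would all constrain the second character), and the special-character lookahead is a no-op that neither adds nor removes accepted passwords. The rule names, error messages and sample passwords are constructed for illustration; they are not BioT's.

```python
import re

# Default BioT pattern as documented above, with the ".*" inside each lookahead
# present. Each (?=.*X) asserts that X occurs somewhere without consuming input.
DEFAULT_PATTERN = re.compile(
    r"""^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*()\-=+\[\]{};:'",.<>?/|\\~`]?).{8,}$"""
)

# The same expression with the ".*" removed. (?=.[a-z]) then constrains only the
# SECOND character, and the three lookaheads demand that it be lowercase, uppercase
# and a digit at the same time, so this form can never match. Shown for contrast only.
GARBLED_PATTERN = re.compile(
    r"""^(?=.[a-z])(?=.[A-Z])(?=.\d)(?=.[!@#$%^&*()\-=+\[\]{};:'",.<>?/|\\~`]?).{8,}$"""
)

# Default pattern with the special-character lookahead dropped. Because that lookahead
# ends in "?", it always matches, so both patterns accept exactly the same passwords.
PATTERN_WITHOUT_SYMBOL_LOOKAHEAD = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$")

# Hypothetical per-rule checks and messages (my names and wording, not BioT's), of the
# kind the customization section lets an organization supply. Note that \d in Python
# str patterns also matches non-ASCII digits; use [0-9] or re.ASCII if that matters.
RULES = (
    ("min_length", re.compile(r".{8}"), "must be at least 8 characters long"),
    ("lowercase", re.compile(r"[a-z]"), "must contain at least one lowercase letter"),
    ("uppercase", re.compile(r"[A-Z]"), "must contain at least one uppercase letter"),
    ("digit", re.compile(r"\d"), "must contain at least one digit"),
)


def matches_default_pattern(password: str) -> bool:
    """True if the password satisfies the default composition pattern."""
    return DEFAULT_PATTERN.fullmatch(password) is not None


def pattern_errors(password: str) -> list[str]:
    """One message per violated rule, so a rejection can be explained to the user."""
    return [message for _, rule, message in RULES if rule.search(password) is None]


def garbled_pattern_accepts_any(passwords) -> bool:
    """True if the form without '.*' accepts at least one of the given passwords."""
    return any(GARBLED_PATTERN.fullmatch(p) for p in passwords)


def symbol_lookahead_is_noop(passwords) -> bool:
    """True if the default pattern and the symbol-free variant agree on every password."""
    return all(
        (DEFAULT_PATTERN.fullmatch(p) is None) == (PATTERN_WITHOUT_SYMBOL_LOOKAHEAD.fullmatch(p) is None)
        for p in passwords
    )


# Constructed sample passwords (not from the page), one per rule plus edge cases.
SAMPLES = {
    "Abcdefg1": True,    # meets all four rules; no symbol needed
    "Abcdefg1!": True,   # a symbol is permitted
    "abcdefg1": False,   # no uppercase letter
    "ABCDEFG1": False,   # no lowercase letter
    "Abcdefgh": False,   # no digit
    "Abcdef1": False,    # only 7 characters
    "Pa55word": True,    # passes the pattern; strength validation is a separate layer
}

if __name__ == "__main__":
    for pw, expected in SAMPLES.items():
        ok = matches_default_pattern(pw)
        assert ok == expected, pw
        print(f"{pw!r:13} pattern_ok={ok!s:5} errors={pattern_errors(pw)}")
    print("garbled form accepts anything:", garbled_pattern_accepts_any(SAMPLES))
    print("symbol lookahead is a no-op:", symbol_lookahead_is_noop(SAMPLES))
```

The last sample shows why the pattern layer is not sufficient on its own: "Pa55word" satisfies every structural rule and is exactly the kind of password the strength layer exists to catch.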
Password Strength Validation
Password Strength Validation assesses how resistant a password is to brute-force and dictionary attacks. Instead of checking for specific patterns, this validation considers overall complexity and guessability, encouraging the creation of unpredictable, resilient passwords.
Our platform uses the zxcvbn algorithm for this purpose. zxcvbn evaluates a password by estimating how many guesses a real-world attacker would need to find it. It does so by analyzing:
- Length and Character Variety: Longer passwords with a mix of characters (letters, numbers, and symbols) generally score higher.
- Common Patterns: Identifies and penalizes predictable structures such as repeated characters, sequences ("123", "abc"), keyboard walks ("qwerty"), and dates.
- Dictionary Matches: Cross-references the password against built-in lists of commonly used passwords, words, and names, including variants with common substitutions such as "@" for "a" or "0" for "o".
- Entropy Estimation: Combines the above factors into an estimate of how unpredictable the password is, expressed as a guess count.
The zxcvbn algorithm assigns a password strength score on a scale from 0 to 4, derived from its estimate of how many guesses an attacker would need to find the password (dictionary and pattern guesses as well as brute force). Here is a breakdown of the scoring and what it means:
Scoring
- 0 - Too Guessable:
  - Description: Extremely weak and risky password.
  - Protection Level: Fewer than 1,000 guesses (10³); no meaningful protection.
  - Examples: "12345", "password".
- 1 - Very Guessable:
  - Description: Minimal protection, sufficient only to deter throttled online attacks (a login endpoint that rate-limits attempts).
  - Protection Level: Up to 1 million guesses (10⁶).
  - Examples: "abc123", "qwerty". These should be avoided as they are easily cracked.
- 2 - Somewhat Guessable:
  - Description: Moderately secure; offers some protection against unthrottled online attacks.
  - Protection Level: Up to 100 million guesses (10⁸).
  - Examples: A short password with some complexity, like "Sunshine12".
- 3 - Safely Unguessable:
  - Description: Moderate protection in offline attack scenarios where the stored hash is slow to compute.
  - Protection Level: Up to 10 billion guesses (10¹⁰).
  - Examples: A longer password with mixed character types, such as "MySecurePass#12".
- 4 - Very Unguessable:
  - Description: Strong protection against offline attacks, provided the password is stored with a slow hashing algorithm.
  - Protection Level: More than 10 billion guesses (10¹⁰+).
  - Examples: A long and complex password like "T1m3T0G0!H0m3Secure".
This scoring system helps users understand the quality of their passwords and encourages the use of stronger, more secure combinations.
Default Setting
By default, BioT enforces a strength level of 4 - Very Unguessable, ensuring compliance with the most stringent regulation.
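To make the 0 to 4 scale concrete, here is an added Python example (not BioT's code) that reproduces only the arithmetic zxcvbn publishes in its source: the guess-count thresholds behind each score and the four attack-rate scenarios it reports crack times for. Estimating the guess count for a real password is zxcvbn's job and is not reimplemented here; the functions take a guess count as input. The `required_score` default and the band-edge table are my illustration of what "protection against throttled online" or "offline slow hashing" attacks means in time.

```python
# Thresholds and rates as published in zxcvbn's scoring and time-estimate modules.
# Reproduced here to show what the scale means in guesses and in attacker time.
DELTA = 5  # zxcvbn's slack so that exactly 1e6 guesses still lands in score 1, etc.
SCORE_CEILINGS = ((1e3, 0), (1e6, 1), (1e8, 2), (1e10, 3))  # strictly below ceiling+DELTA

ATTACK_RATES = {  # guesses per second in each scenario zxcvbn reports
    "online_throttling_100_per_hour": 100 / 3600,
    "online_no_throttling_10_per_second": 10.0,
    "offline_slow_hashing_1e4_per_second": 1e4,
    "offline_fast_hashing_1e10_per_second": 1e10,
}

# Guess count at the edge of each band: the strongest password that still gets
# scores 0-3, and the weakest password that reaches score 4.
BAND_EDGE_GUESSES = {0: 1e3, 1: 1e6, 2: 1e8, 3: 1e10, 4: 1e10}


def guesses_to_score(guesses: float) -> int:
    """Map an estimated guess count onto zxcvbn's 0-4 scale."""
    for ceiling, score in SCORE_CEILINGS:
        if guesses < ceiling + DELTA:
            return score
    return 4


def crack_time_seconds(guesses: float) -> dict[str, float]:
    """Seconds an attacker needs to exhaust `guesses` in each scenario."""
    return {name: guesses / rate for name, rate in ATTACK_RATES.items()}


def meets_strength_policy(guesses: float, required_score: int = 4) -> bool:
    """The policy check itself; the default mirrors BioT's default minimum of 4."""
    return guesses_to_score(guesses) >= required_score


def humanize(seconds: float) -> str:
    """Rough human-readable duration, enough to compare scenarios."""
    for unit, size in (("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def band_edge_times(score: int) -> dict[str, str]:
    """Crack times at the edge of a score band, per scenario.

    Explains the page's wording: a score-1 password at its best holds for about a
    year against a throttled login but about a day against an unthrottled one; a
    score-3 password holds for days against slow offline hashing but only seconds
    against fast hashing, which is why the hash algorithm matters even at score 4.
    """
    return {name: humanize(t) for name, t in crack_time_seconds(BAND_EDGE_GUESSES[score]).items()}


if __name__ == "__main__":
    for score in range(5):
        print(f"score {score} (edge {BAND_EDGE_GUESSES[score]:.0e} guesses):")
        for scenario, duration in band_edge_times(score).items():
            print(f"    {scenario:40} {duration}")
    print("1e9 guesses meets default policy:", meets_strength_policy(1e9))
    print("2e10 guesses meets default policy:", meets_strength_policy(2e10))
```

A practical reading of the output: the default minimum of 4 guarantees more than 10¹⁰ guesses, which is days of work against a properly slow password hash but about one second against a fast unsalted hash, so the strength policy only delivers its promise when the stored hash is slow as well.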
Why Two Validation Mechanisms?
Using both Pattern Validation and Password Strength Validation gives more complete password security than either one alone.
- Pattern Validation enforces explicit compliance requirements, such as the inclusion of particular character types, and is easy to audit against a written policy.
- Password Strength Validation ensures resilience against real attack techniques by judging the overall guessability of a password rather than just its format. A dictionary word with one capital letter and a trailing digit satisfies the default pattern, yet zxcvbn scores it low because it is exactly the kind of password attackers try first.
This dual-layered approach helps us meet regulatory standards while protecting your sensitive medical device data against potential security threats.
Customizing Your Password Policies
We understand that organizations may have unique security requirements. The following aspects of the password policy can all be tailored to your needs: Pattern Validation, Password Strength Validation, and the Retry Limit for Password Attempts. Keep in mind that the defaults are what we rely on to meet the regulations listed above; relaxing them is your organization's decision.
To request customization, please contact our customer support team and provide the following details:
- Pattern Validation:
  - The desired pattern (regular expression) that defines your password rules.
  - Any custom error messages to guide users when their passwords do not meet the criteria.
- Password Strength Validation:
  - The preferred minimum strength level (0 to 4) that passwords must reach.
- Retry Limit for Password Attempts:
  - The desired limit on failed password attempts.