A new layer of data access security for Google Apps

Thursday, January 15, 2009 at 11:32 AM

Helping businesses, schools and organizations keep information safe is critical, and we've been providing Google Apps customers with a spectrum of capabilities to help ensure that only authorized users have access to information accessible from the cloud, including SSL options, single sign-on capabilities, and administrative controls for how widely users can share and publish information from Google Docs, Google Sites and Google Calendar.

Today we're adding a new layer of security: the ability for administrators to set password length requirements and view password strength indicators to identify sufficiently long passwords that may still not be strong enough.


What's more, because the Google Account authentication system continuously sees new variations of password attacks from around the world, we can assess password strength in real time and help administrators spot passwords that were relatively secure in the past but are now more vulnerable to the latest attack patterns.

Premier and Education Edition administrators can access these features from the administrative control panel under 'Advanced Tools' > 'Advanced Password Settings'.

To help their users choose strong passwords, admins can share our password selection tips.

11 comments:

Onestone said...

Does this mean that Google stores users' passwords as plaintext? No salted hashing, or any other form of encryption?

If not, how do you know the length and strength of previously entered passwords? Of course it's possible that you store these when the password is first entered, but this is not very likely.

Ronald said...

What are the consequences of forgetting to sign out of igoogle before closing

Ellen Petry Leanse said...

This comment comes from Eran Feigenbaum, Director of Security, Google Apps:

"Onestone, that's an astute observation. Yes, we store the customary salted hash. Recently, we've also started storing the length and strength in order to provide this admin display. As you note, we can only do that for users who have logged in since we started the new system."
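
The approach described in the reply above (keep the salted hash, and record length and strength at login, when the plaintext is briefly available), as an added sketch that is not part of the original comments and not Google's code. The `Directory` class, the `score` heuristic, the PBKDF2 parameters and the sample accounts are assumptions made for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def score(password):
    # Stand-in heuristic (an assumption, not Google's indicator).
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(t(c) for c in password) for t in tests)
    if classes >= 3:
        return "strong" if len(password) >= 12 else "fair"
    return "weak"

class Directory:
    def __init__(self):
        self.users = {}

    def import_legacy(self, name, password):
        # Account set before the rollout: only salt and hash are on file.
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": _hash(password, salt),
                            "length": None, "strength": None}

    def login(self, name, password):
        rec = self.users.get(name)
        if rec is None or not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
            return False
        # The plaintext exists only during this call, so this is the one
        # point where length and strength can be measured and saved.
        rec["length"], rec["strength"] = len(password), score(password)
        return True

    def admin_report(self, min_length=8):
        # No metadata yet means the user has not logged in since rollout.
        return {n: "unknown" if r["length"] is None
                else "too short" if r["length"] < min_length
                else r["strength"] for n, r in self.users.items()}

def demo():
    d = Directory()
    creds = {"alice": "correct-Horse-42", "bob": "password1",
             "carol": "x7", "dave": "Never-Logged-In1"}  # constructed
    for name, pw in creds.items():
        d.import_legacy(name, pw)
    for name in ("alice", "bob", "carol"):  # dave has not logged in since
        d.login(name, creds[name])
    return d.admin_report()
```

Because the stored length and strength narrow an offline guessing search for anyone who obtains the records, protect them as carefully as the hashes themselves.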

Glenn said...

Close but you miss on one critical need!

Allow admins to force use of a combination of alpha and numeric chars.

Onestone said...

@Ellen, Eran: Thanks for taking the time to explain that.

Russ Porteous said...

Thanks for this feature....

Perhaps in addition to 'minimum password length', you could add 'minimum password strength' as an option...

This would drastically improve password security.

Thanks

Raghuram said...

Good feature for Admins. By any chance will there be a setting for each user account to expire/suspend after a specific date? Quite useful for contract employees and "the admin" gets a breather from manually suspending accounts.

Googz said...

I am disappointed that such an essential security feature is withheld from basic edition as it relates to compromising the entire setup. Please reconsider adding it. Strong passwords are not really an additional feature but simply common sense. Thanks.

Shai said...

I would also like to see this feature in the basic edition as it is a feature that everyone should have... like water for people... which you can't deny someone of.

Patrick L Archibald said...

Password expiration interval and complex password enforcement are needed.

Fredde said...

+1 for forcing strong password in basic account.
