Need to know how the password-generating logic works in CPAM for audit purposes. To give more idea: we need confirmation that any password generated via CPAM is compared with the passwords of all active checked-out accounts, making sure the generated password is unique and not a duplicate of another password.
Also, we would need to know the algorithm used for encrypting passwords in CPAM's vault.
@Narendrapranaam Thanks for posting your question. Passwords are generated randomly using the password policy definitions; the probability of having duplicates is very low, and the longer the password is, the rarer duplicates are. Additionally, the checked-out passwords are not stored anywhere (for security reasons), so a comparison is not possible here. Can you elaborate on your requirement/use case further so that we can review and see if the potential concerns/impacts can be handled in other ways?
And we use SHA2 for encryption.
Thanks for your reply @NageshK. To elaborate on the requirement: there was an ask from our client's security team to confirm whether this tool compares a newly generated password with all current passwords shared with active accounts that have an active reservation slot/password slot, and generates the password so that there is no repeated password across any active accounts with active reservation slots. As you mentioned, since we don't have a repository where we can compare all passwords to confirm their uniqueness, I thought of checking here.
Also, since a copy of the password is stored in CPAM's vault, have you done any testing that extracts the secrets from the vault to confirm whether any of them is not unique? If nothing works as mentioned, we have break-glass instance creation and secret extraction; have you ever seen the same password generated for multiple accounts?
@Narendrapranaam The probability of duplicates is very low. Imagine that you are generating a 12-character password from the list [A-Za-z0-9]: the total number of possible combinations is 62 (26 upper case + 26 lower case + 10 digits) to the power of 12, which is 3,226,266,762,397,899,821,056 combinations. And we have not even considered special characters in the character list. Getting a duplicate from this will be a rare occurrence.
Do you have any business case that is impacted in the rare event of a duplicate? Even in that rare scenario, it would have to be the same person checking out credentials for both accounts, and at the same time, since we rotate the credentials after every checkout.
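As an added worked example for the two replies above (this is not CPAM's code and does not describe how its generator is implemented), the Python below reproduces the 62^12 figure, computes the exact birthday-bound probability that any two of n independently generated passwords coincide, and shows a policy-driven generator with the uniqueness check the question asks for. It uses the `secrets` module (CSPRNG) rather than `random`; the policy structure, character classes and function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Character classes a policy can require. Assumed structure for this example,
# not CPAM's policy schema.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.<>?",
}

_sysrand = secrets.SystemRandom()  # CSPRNG-backed shuffle


def space_size(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols over `alphabet_size` symbols."""
    return alphabet_size ** length


def collision_probability(space: int, n: int) -> float:
    """Probability that at least two of n values drawn uniformly and independently
    from `space` possibilities coincide (birthday problem), computed exactly in
    log space: p = 1 - prod_{i<n} (space - i) / space."""
    if n < 2:
        return 0.0
    if n > space:
        return 1.0  # pigeonhole: more draws than distinct values
    log_no_collision = sum(math.log1p(-i / space) for i in range(n))
    return -math.expm1(log_no_collision)


def generate_password(length: int, policy: dict) -> str:
    """One password satisfying a policy of {class: minimum count}.
    Every character, required ones included, comes from `secrets`."""
    if sum(policy.values()) > length:
        raise ValueError("policy requires more characters than the password length")
    alphabet = "".join(CLASSES[c] for c in policy)
    chars = [secrets.choice(CLASSES[c]) for c, k in policy.items() for _ in range(k)]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    _sysrand.shuffle(chars)  # required classes must not sit at fixed positions
    return "".join(chars)


def meets_policy(password: str, length: int, policy: dict) -> bool:
    """True if the password has the right length and the minimum count per class."""
    return len(password) == length and all(
        sum(ch in CLASSES[c] for ch in password) >= k for c, k in policy.items()
    )


def generate_unique(count: int, length: int, policy: dict) -> list[str]:
    """Generate `count` passwords, rejecting any value already issued in this
    batch. This is the comparison the thread asks about; it only works while
    the set of issued values is held in memory, which a vault that does not
    retain checked-out passwords cannot do."""
    issued: list[str] = []
    seen: set[str] = set()
    while len(issued) < count:
        candidate = generate_password(length, policy)
        if candidate in seen:
            continue  # duplicate: discard and draw again
        seen.add(candidate)
        issued.append(candidate)
    return issued


if __name__ == "__main__":
    S = space_size(62, 12)
    print(f"62^12 = {S:,}")
    for n in (1_000, 100_000, 1_000_000):
        print(f"{n:>10,} accounts -> P(any duplicate) = {collision_probability(S, n):.3e}")
    policy = {"upper": 2, "lower": 2, "digit": 2, "special": 1}
    pws = generate_unique(5, 16, policy)
    print("sample:", pws, "all meet policy:", all(meets_policy(p, 16, policy) for p in pws))
```

The exact product is used instead of the usual n^2/(2S) approximation so the function also gives the right answer at the edges (n = 1 gives 0, n greater than the space gives 1); for a 12-character [A-Za-z0-9] space and a million accounts the duplicate probability is on the order of 1e-10, which is the quantitative form of the "rare occurrence" claim above.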