Skip to main content

User Passphrase Policies

How to configure User Passphrase Policies

Since version 4.3.0, Passbolt Pro Edition supports User Passphrase Policies.

Password Policies administration
fig. Password Policies administration

How does it work?

User Passphrase Policies allows administrators to configure minimal strength requirements for the users’ private key passphrase. When defining a new passphrase, users have to find a passphrase that matches these policies.

Also, it allows to choose rather or not if a user’s passphrase should be check against an external service to know if it has been leaked or not.

How to configure the plugin?

The plugin is enabled by default and since the version 4.3.0 of the browser extension, Passbolt uses this new User Passphrase Policies feature in all concerned UI. To configure it though, you need to go the administration of your Passbolt instance and then go to the “User Passphrase Policies” section.

At this stage, you can see 2 configurable sections:

  • User passphrase minimal entropy
  • External password dictionary check

User passphrase minimal entropy

This section allows administrators to choose among a preset of minimal entropy a user’s private key passphrase needs to match. It concerns only the passphrase of the users’ private key and not the secret generated for the creation of a new password for instance (to change the secret generation behaviour, please refer to the Password Policies configuration page).

As a consequence when a user has to define a passphrase, it will be required that the passphrase strength matches the minimal entropy set. In other words the strength of the passphrase will have to fit the requirements when:

  • a user is changing its private key passphrase
  • a user is defining a new passphrase during the account recovery process
  • a user is defining a passphrase during the creation of its Passbolt account

Notice that on some cases, passphrases does not have to match this requirements but instead the minimal entropy is shown as a recommendation. It’s the case when users import an already existing GPG private key, so when:

  • a user is recovering its account using its recovery kit
  • a user is creating a new account and imports its own encrypted GPG key