Skip to content

Update password procedure account lockout policy

Dan Eckhardt requested to merge password-policy-lockout-update into master

Why is this change being made?

As the policy is currently written, it is a requirement that all systems must have a lockout enforced after 10 failed logins. Many systems will not meet this requirement or will have lockout but at a higher number than 10 and in most cases, password configurations will not be able to be modified by GitLab as they will be 3rd party SaaS systems. This results in un-necessary password observations in controls testing and password exception requests when there is no change that can be made to the configuration. This change makes it so that the policy states that there needs to be a lockout after 10 failed attempts, but that if the system does not allow it, lockout should be set to the minimum amount of attempts that the system allows.

Additionally, updated another bullet point of the policy that stated that failed login information must be logged within the system. To state this makes it seem that any system that is not logging details as stated in the policy is in violation. Changed wording so there is more leeway with what is logged.

Author Checklist

  • Provided a concise title for this Merge Request (MR)
  • Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
    • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added.
  • Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
    • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
    • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
  • If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR
    • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.
Edited by Dan Eckhardt

Merge request reports