Minimum password length

The minimum password length under the Limawi password policy is 14 characters. This length is set to guarantee a minimum amount of entropy.

Entropy (zxcvbn library)

The strength of a password is estimated from the entropy an attacker would have to overcome to break it by brute force.

This entropy is then mapped to one of 5 scores.

These scores are: “Very Weak”, “Weak”, “Good”, “Strong” and “Very Strong”.

For the server to accept the password, its score must be at least “Good”.

Forbidden keywords

The password is also checked against a list of forbidden keywords.

These keywords are the most commonly used passwords in the world, so they are very likely to be tried by an attacker.

The forbidden keywords list currently in use is the one bundled with the zxcvbn library.


Passwords used on the Limawi servers have to follow these rules:

  • Length of the password of at least 14 characters
  • Entropy score computed by the server of “Good” or higher
  • The password doesn’t include any forbidden keyword from the internal zxcvbn list

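
The following is an added example, not Limawi’s own code, showing how a server can apply the three rules above in one check. The zxcvbn scoring itself is not reimplemented: `check_password` accepts any scorer that returns zxcvbn’s 0..4 score, and the `stand_in_score` function and the short `FORBIDDEN_KEYWORDS` set are constructed stand-ins for the real library call and its much larger frequency list.

```python
"""Server-side check of the three password rules (added example, not Limawi code)."""
from typing import Callable, List, Tuple

MIN_LENGTH = 14
# zxcvbn returns an integer score 0..4; these are the five labels used on the page.
SCORE_LABELS = ("Very Weak", "Weak", "Good", "Strong", "Very Strong")
MIN_SCORE = SCORE_LABELS.index("Good")  # 2

# Constructed stand-in for the zxcvbn frequency list; the real list is far larger.
FORBIDDEN_KEYWORDS = frozenset({"password", "123456", "qwerty", "letmein", "iloveyou"})


def char_classes(password: str) -> int:
    """Number of character classes present: lower, upper, digit, other."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for test in checks if any(test(c) for c in password))


def stand_in_score(password: str) -> int:
    """Hypothetical scorer in zxcvbn's 0..4 range.

    In production this would be zxcvbn(password)["score"]; this heuristic only
    exists so the example runs offline.
    """
    score = char_classes(password) - 1
    if len(password) >= 20:
        score += 1
    return max(0, min(4, score))


def contains_forbidden_keyword(password: str, forbidden=FORBIDDEN_KEYWORDS) -> bool:
    """Case-insensitive substring match against the forbidden list."""
    lowered = password.lower()
    return any(keyword in lowered for keyword in forbidden)


def check_password(password: str,
                   score_fn: Callable[[str], int] = stand_in_score) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons); reasons is empty when all three rules pass."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    score = score_fn(password)
    if score < MIN_SCORE:
        reasons.append(f"strength {SCORE_LABELS[score]!r} is below {SCORE_LABELS[MIN_SCORE]!r}")
    if contains_forbidden_keyword(password):
        reasons.append("contains a forbidden keyword")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3-Horse-Battery", "password12345678", "Short1!"):
        accepted, why = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} {why}")
```

All three rules are evaluated before returning so the user sees every failing rule at once; the keyword check is done on the lowercased password because the zxcvbn list is lowercase.
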

On a device, you need a two-factor app that supports the TOTP protocol (Time-based One-Time Password algorithm).

Examples: Google Authenticator, Authy, FreeOTP Authenticator, Gauth, Authenticator and FreeOTP from F-Droid.

Set up the TOTP authentication application

To activate two-factor authentication, go to “Your profile”, “Security”, “two-factor Authentication” on the Limawi site.

Click the “Set up application” button. Type your password and validate.

On the resulting page, scan the QR code, or copy the text code, into the two-factor authentication app on your device.

To verify the setup, enter the code shown by your device app in the “Application verification code” field and press “Verify and save” before the code expires (the remaining time is shown in the device app).

The site should then show the recovery codes page.

Get recovery codes

Keep these recovery codes safe by printing or writing down all the codes shown on this page. You may also store them in a password wallet (choose that application carefully). Each code can be used only once. These recovery codes let you sign in in an emergency if your device is not available.

Once these codes are safely stored, press “Save”.

Your two-factor authentication is set.

Signing in with two-factor authentication

Fill in the sign-in form with your email and password and submit it.

A new page appears asking for the two-factor authentication token.

If your device is available, use your device app to get the code, enter it in the field, then press “Verify”.

You are now signed in.

If your device is not available, press “Can’t access your account?”, fill in the resulting field with one of your recovery codes and press “Verify”.

You are now signed in.

Once a recovery code has been used, it cannot be used again. If you have used all your recovery codes, regenerate a new list by going to “Your profile”, “Security”, “two-factor Authentication” and pressing “Get new recovery codes”. Don’t forget to store these codes carefully.
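
The server-side half of the setup, sign-in and recovery flows above, as an added example that is not Limawi’s code: a TOTP implementation per RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits, which is what the listed authenticator apps use by default), a verifier that tolerates one step of clock drift, and single-use recovery codes stored only as hashes. The secret is the RFC 6238 test secret so the values can be checked against the RFC; the `window` parameter and the recovery-code format are assumptions.

```python
"""TOTP verification and single-use recovery codes (added example, not Limawi code)."""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import List, Set

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded as apps expect it.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(base64.b32decode(secret_b32.upper()), at_time // step)


def verify_totp(secret_b32: str, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (assumed drift allowance)."""
    secret = base64.b32decode(secret_b32.upper())
    counter = at_time // STEP_SECONDS
    for c in range(counter - window, counter + window + 1):
        # constant-time comparison so timing does not leak which digits matched
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


def generate_recovery_codes(count: int = 10) -> List[str]:
    """Fresh random recovery codes to show the user once (format is an assumption)."""
    return [secrets.token_hex(5) for _ in range(count)]


def store_recovery_codes(codes: List[str]) -> Set[str]:
    """What the server keeps: hashes only, so a database leak does not expose the codes."""
    return {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def use_recovery_code(store: Set[str], submitted: str) -> bool:
    """Consume a recovery code; a second use of the same code is refused."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if digest not in store:
        return False
    store.remove(digest)
    return True


if __name__ == "__main__":
    print("code at T=59:", totp(SECRET_B32, 59))  # 287082 per RFC 6238 / RFC 4226
    codes = generate_recovery_codes()
    store = store_recovery_codes(codes)
    print("first use:", use_recovery_code(store, codes[0]), "second use:", use_recovery_code(store, codes[0]))
```

The app on the device and the server compute the same function from the shared secret and the current time, which is why the setup page asks for a live code before saving: a correct code proves the secret was entered into the app intact. Recovery codes are removed from the store on use, which is the behaviour the page describes for spent codes.
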

