
At my organization, we have a process that synchronizes user password changes with Google. We recently transitioned this process from the Provisioning API to the Admin SDK Directory API. In doing so, however, we started receiving error responses for a small number of password changes and, upon investigating, we determined that our internal support staff is responding to password reset requests from users by setting temporary passwords that do not meet the password length requirements defined in our Google domain. Clearly, we have some process changes to make internally.

These errors only appeared after the switch to the Admin SDK Directory API, which brings me to my question. Is there a difference in how the two APIs enforce password length requirements defined in the domain? More specifically, did the Provisioning API not enforce those requirements?

Chris L
  • I've not heard of any change in the password length requirements due to the API changes, they've been working concurrently for some time now. It may be due to the API you're using (if you are). Just a thought, if you use the 'Try It!' feature on [the Users Patch documentation page](https://developers.google.com/admin-sdk/directory/v1/reference/users/patch) with one of the passwords that is failing, does it still fail? – squid808 Apr 22 '15 at 12:28

1 Answer


I'm not aware of any changes in password length requirements/enforcement between Provisioning API and Directory API. Having said that, if your client sends the password hashed with MD5, SHA-1 or crypt, then Google's servers will not be able to determine the actual password and thus, can't confirm it meets the length requirement. I recommend sending the password as a salted crypt hash. These are easy enough to generate on Linux or Mac OS command line:

$ echo 1234 | mkpasswd -s -m SHA-512
$6$/LHr6nGP$sqS21G30MNh/NAaNHuVitvk/ld3b8u5Ky8N7Rbs.5eptnETaPlV9hUk8mAOJdQ2KHacdJ5OGMRKD2ZXBuINyN1

So a users.patch() request body that looks like:

{
  "hashFunction": "crypt",
  "password": "$6$/LHr6nGP$sqS21G30MNh/NAaNHuVitvk/ld3b8u5Ky8N7Rbs.5eptnETaPlV9hUk8mAOJdQ2KHacdJ5OGMRKD2ZXBuINyN1"
}

would set the user's password to 1234. The password will work for the user because Google can't determine the length or strength when you set the password.

Of course, as you pointed out above, you really should be enforcing minimal password length (not to mention strength).

To generate the hash, you can use the passlib library:

from passlib.handlers.sha2_crypt import sha512_crypt  # or: from passlib.hash import sha512_crypt
password = "1234"  # plaintext to hash; Google only ever receives the resulting crypt string
hashed_password = sha512_crypt.hash(password)  # .encrypt() is the older, now deprecated, name for this call

Jay Lee
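The workflow the answer describes, as an added example that is not code from the answer or from Google's SDK: validate the plaintext against the domain policy locally, because once the password leaves as a crypt hash Google can only store it, then build the users.patch() body with hashFunction "crypt". The function names (policy_violations, build_patch_body, sha512_crypt_hash), the default minimum length of 8 and the three-character-class rule are assumptions standing in for whatever your domain configures; the hasher uses the stdlib crypt module where it exists (removed in Python 3.13) and falls back to passlib, and the body is built but never sent.

```python
import re
import secrets
import string

# A SHA-512 crypt string is "$6$<salt>$<86 chars>" with a salt of up to 16
# characters from the crypt alphabet.  Checking the shape before sending it
# catches a platform whose crypt(3) silently fell back to another scheme.
_SHA512_CRYPT_RE = re.compile(r"^\$6\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")
_CRYPT_ALPHABET = "./" + string.digits + string.ascii_letters


def policy_violations(password, min_length=8, require_mixed=True):
    """Return the policy rules the plaintext breaks (empty list means OK).

    These checks have to run here: Google cannot run them once the password
    arrives hashed, so a short temporary password would be accepted as-is.
    The thresholds are assumed values, not Google's; use your domain's.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if require_mixed:
        classes = [
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        ]
        if sum(classes) < 3:
            problems.append("fewer than three character classes")
    return problems


def is_sha512_crypt(value):
    """True if value is syntactically a SHA-512 crypt hash."""
    return bool(_SHA512_CRYPT_RE.match(value))


def sha512_crypt_hash(password):
    """Hash with the platform crypt(3) if available, otherwise with passlib.

    Neither is guaranteed to exist (the stdlib crypt module is gone in
    Python 3.13), which is why build_patch_body() accepts an injected hasher.
    """
    salt = "".join(secrets.choice(_CRYPT_ALPHABET) for _ in range(16))
    try:
        import crypt  # stdlib; deprecated in 3.11, removed in 3.13
        return crypt.crypt(password, "$6$" + salt + "$")
    except ImportError:
        from passlib.hash import sha512_crypt  # third-party fallback
        return sha512_crypt.using(salt=salt).hash(password)


def build_patch_body(password, min_length=8, hasher=sha512_crypt_hash):
    """Build the users.patch() request body, refusing passwords that break policy.

    Raises ValueError instead of letting a non-compliant password through
    behind a hash that the server side cannot inspect.
    """
    problems = policy_violations(password, min_length)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    hashed = hasher(password)
    if not is_sha512_crypt(hashed):
        raise ValueError("hasher did not return a SHA-512 crypt string")
    return {"hashFunction": "crypt", "password": hashed}


if __name__ == "__main__":
    # "1234" (the answer's example) is refused before it is ever hashed.
    for candidate in ("1234", "Correct-Horse9"):
        try:
            print(candidate, "->", build_patch_body(candidate))
        except ValueError as err:
            print(candidate, "->", err)
```

The hasher is a parameter so the same check sits in front of whichever route produces the hash, including the mkpasswd pipeline shown in the answer; the format check on the result is what stops a crypt(3) that does not support $6$ (as on macOS) from shipping a DES hash under the "crypt" label.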