YannMathieu asked:

APIM Developer Portal weak password

Hello,

The default username and password option for the Developer Portal lacks basic security features.
I was able to set 12345678 as my password. Administrators have no way of setting up a better password policy.
A developer portal might contain confidential documentation and give access to subscription keys.
This is a serious security risk for an Internet-facing web portal.

azure-api-management

1 Answer

PramodValavala-MSFT answered:

@YannMathieu You can improve security by using Azure AD (or Azure AD B2C) for authenticating users to the developer portal as an alternative. If required, you could also have your own authentication server by delegating authentication to it.

Please do feel free to share this feedback on the developer portal repo as well to improve the default username/password security.

YannMathieu commented:

I understand alternatives exist; however, you still offer and support this username and password feature. It should not be a big security risk. It could be improved with small changes. The current password-creation check is for a minimum of 8 characters. You could make that check either configurable or secure enough for the 21st century.
Alternatives have their own limitations.

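As an added illustration (not code from the APIM developer portal or from either participant), the length-only rule the thread describes is shown beside a stricter, administrator-configurable policy that rejects the 12345678 case on several independent grounds; the thresholds, the denylist contents and the function names are assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed stand-in for a real breached/common-password list (assumption).
COMMON_PASSWORDS = {"12345678", "password", "qwerty123", "iloveyou"}


def portal_default_policy(pw: str) -> list[str]:
    """Length-only rule as the thread describes it: 8 characters, nothing else."""
    return [] if len(pw) >= 8 else ["shorter than 8 characters"]


def is_sequential(pw: str) -> bool:
    """True for runs like 12345678 or hgfedcba (every step +1 or every step -1)."""
    codes = [ord(c) for c in pw]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return len(pw) > 1 and steps in ({1}, {-1})


@dataclass
class PasswordPolicy:
    """Hardened, administrator-configurable policy (thresholds are assumptions)."""
    min_length: int = 12
    min_classes: int = 3  # out of: lowercase, uppercase, digit, symbol
    denylist: set[str] = field(default_factory=lambda: set(COMMON_PASSWORDS))

    def violations(self, pw: str) -> list[str]:
        """Return every rule the password breaks; an empty list means accepted."""
        problems: list[str] = []
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = sum(any(f(c) for c in pw) for f in (
            str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
        if classes < self.min_classes:
            problems.append(f"uses only {classes} character class(es)")
        if pw.lower() in self.denylist:
            problems.append("listed in the common-password denylist")
        if is_sequential(pw):
            problems.append("is a consecutive character sequence")
        return problems


if __name__ == "__main__":
    for candidate in ("12345678", "Correct-Horse-Battery-9"):
        print(candidate, "default:", portal_default_policy(candidate),
              "hardened:", PasswordPolicy().violations(candidate))
```

Even with `min_length=8`, the denylist, character-class and sequence checks still reject 12345678, which is the point of layering rules rather than relying on length alone.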