AWS wickr documentation change
Summary
Added documentation for password rotation feature and password requirements for the data retention bot, including environment variable configuration and validation rules.
Security assessment
The change adds documentation for a password rotation feature that allows programmatic password updates with validation requirements (minimum 12 characters, must differ from current password). This enhances security by enabling regular password rotation and enforcing strong password policies, but there's no evidence of addressing a specific security vulnerability.
Diff
diff --git a/wickr/latest/adminguide/data-retention-password.md b/wickr/latest/adminguide/data-retention-password.md index 2296d2275..834599fa1 100644 --- a//wickr/latest/adminguide/data-retention-password.md +++ b//wickr/latest/adminguide/data-retention-password.md @@ -6,0 +7,2 @@ +Password rotationUsagePassword requirements + @@ -22 +24,24 @@ The first time you start the data retention bot, you specify the initial passwor -A new password will be generated when you configure the data retention bot for the first time. If you need to re-install the data retention bot, you use the generated password. The initial password is not valid after the initial installation of the data retention bot. +A new password will be generated when you configure the data retention bot for the first time. If you need to re-install the data retention bot, you use the generated password. The initial password is not valid after the initial installation of the data retention bot. You can rotate the generated password. To rotate the generated password, use the guidance provided in the following sections. + +## Password rotation + +The data retention bot (minimum version 6.66.01.00) can roate its Wickr account password programmatically at startup by setting the WICKRIO_ROTATE_PASSWORD environment variable. + +## Usage + +Set the environment variable WICKRIO_ROTATE_PASSWORD when starting the bot with docker run: + +`-e WICKRIO_ROTATE_PASSWORD="`new_password`" ` + +On startup, after the bot successfully logs in with its current password (from WICKRIO_BOT_PASSWORD or AWS Secrets Manager), it does the following: + + 1. Read WICKRIO_ROTATE_PASSWORD from the process environment. + + 2. Validate the new password (minimum 12 characters, must differ from current password). + + 3. Call the AWS Wickr service to rotate the password. + + + + +After a successful rotation, update WICKRIO_BOT_PASSWORD (or the secret in AWS Secrets Manager) to the new password before the next restart. @@ -37,0 +63,11 @@ Save the password in a safe place. If you lose the password you will not be able +## Password requirements + + * New password must be at least 12 characters. + + * New password must differ from the current password. + + * Bot must be able to log in with the current password first. + + + +