Provide a Resource Manager Template Function that generates a cryptographically strong password
When one designs systems with the assumption that they would be breached at some time in the future, sharing passwords between services (IaaS or PaaS) isn’t recommended. If a password for one service is discovered by a malicious agent, it could be used to compromise other parts of the system. As such, it’s best to ensure each service (PaaS or IaaS) has its own unique cryptographically strong password.
Having a unique password per service also allows for easier password rotation (through Scripts, DSC and other configuration management systems).
As the number of systems (PaaS or IaaS) increases, we don’t want to be in the business of humans picking passwords as this doesn’t scale.
It would be advantageous if there was a Resource Manager Template Function that would generate a cryptographically strong password according to some recipe. The recipe allows the password to be tailored according to organization requirements. For example, it can contain the following ingredients:
- Number of Digits
- Number of Symbols
- Avoid Ambiguous Characters (e.g. I, L and 1, S and 5, U and V)
- Allow Characters to Repeat
- Safe Password
If no recipe is specified, generate a password of at least 32 characters, at least 8 symbols and letters.
The expectation is that I can use this function in an ARM template to generate a password and save that password in KeyVault for later retrieval by a human if it is required (most of the time it’s not).
When the ARM template is executed again, the function will generate a new cryptographically strong password which cannot be derived from any property within Azure, including the subscription, tenant, resource group or resource.
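A sketch of the recipe-driven generation requested above, as an added example that is not part of the original post and is not an Azure API. The function name, the symbol set, treating the counts as exact, matching ambiguous characters in both cases, and filling the remainder of the default with letters are all assumptions; the "Safe Password" ingredient is not modelled.

```python
import secrets
import string

# Ambiguous characters named in the request (I, L and 1; S and 5; U and V).
# Matching both upper and lower case is an assumption.
AMBIGUOUS = set("IiLl1Ss5UuVv")
# Assumed symbol set; the request does not define one.
SYMBOLS = "!@#$%^&*()-_=+[]{}"


def generate_password(length=32, digits=0, symbols=8,
                      avoid_ambiguous=False, allow_repeat=True):
    """Build a password from a recipe, drawing only from the OS CSPRNG."""
    def pool(chars):
        # Drop ambiguous characters from a class when the recipe asks for it.
        return [c for c in chars if not (avoid_ambiguous and c in AMBIGUOUS)]

    n_letters = length - digits - symbols
    if n_letters < 0:
        raise ValueError("digits + symbols exceed the requested length")

    rng = secrets.SystemRandom()  # backed by os.urandom, not a seeded PRNG

    def draw(chars, n):
        if allow_repeat:
            return [secrets.choice(chars) for _ in range(n)]
        if n > len(chars):
            raise ValueError("recipe needs more unique characters than exist")
        # The classes are disjoint, so sampling without replacement per
        # class guarantees no character repeats in the whole password.
        return rng.sample(chars, n)

    chars = (draw(pool(string.ascii_letters), n_letters)
             + draw(pool(string.digits), digits)
             + draw(pool(SYMBOLS), symbols))
    rng.shuffle(chars)  # avoid a predictable letters/digits/symbols layout
    return "".join(chars)


if __name__ == "__main__":
    print(generate_password())  # default recipe: 32 characters, 8 symbols
    print(generate_password(40, digits=6, symbols=10,
                            avoid_ambiguous=True, allow_repeat=False))
```

Because every draw comes from the operating system's random source rather than from deployment inputs, two runs produce unrelated passwords, which is the property the last paragraph of the request asks for.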
Christian Wuerdig commented
This has been "Under Review" for a year - any resolution in sight?