Understanding Subversion authentication mode settings

Applies to: VisualSVN Server 5.0 and later

VisualSVN Server supports Subversion and Windows authentication modes. This article describes VisualSVN Server settings related to the Subversion authentication mode. These settings can be found on the Authentication tab in the VisualSVN Server Properties dialog.

To learn more about Subversion and Windows authentication modes and the differences between them, see the KB182: VisualSVN Server authentication modes article. It also provides instructions on how to change the authentication mode.

Password policy

When using Subversion authentication mode, it is recommended to use a strong password policy. The following settings allow you to enforce password policy requirements.

Minimum password length

The Minimum password length option specifies the minimum number of characters that must be in a password. It can be set to any number greater than zero. The default minimum password length is 8.

Require complex passwords

When the Require complex passwords checkbox is selected, passwords must contain characters from at least three of the following categories:

  • Uppercase letters (A through Z).
  • Lowercase letters (a through z).
  • Digits (0 through 9).
  • Special characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/).

Note
Passwords in VisualSVN Server can only contain ASCII characters. This prevents errors that can occur during basic HTTP authentication, where the encoding of non-ASCII characters varies between different clients.

For details on how this password policy is enforced, see the article KB179: Understanding the password policy for Subversion authentication.
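
As a pre-check for scripts that provision Subversion accounts, the length, complexity and ASCII-only rules described above can be expressed as follows. This is an added example, not VisualSVN Server's own code: the function name check_password and the sample passwords are constructed for illustration, and it assumes that ASCII characters outside the four listed categories (such as a space) count toward length but toward no category.

```python
import string

# Special characters exactly as listed in the article.
SPECIAL = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "special": SPECIAL,
}


def check_password(password, min_length=8, require_complex=True):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    # ASCII-only rule from the article's note; report code points, not the password.
    non_ascii = sorted({ch for ch in password if ord(ch) > 127})
    if non_ascii:
        codes = ", ".join(f"U+{ord(ch):04X}" for ch in non_ascii)
        problems.append(f"non-ASCII characters present: {codes}")
    if len(password) < min_length:
        problems.append(f"length {len(password)} is below the minimum of {min_length}")
    if require_complex:
        used = set(password)
        present = [name for name, chars in CATEGORIES.items() if used & chars]
        if len(present) < 3:
            found = ", ".join(present) or "none"
            problems.append(f"only {len(present)} of 4 categories used ({found}); need 3")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    samples = ["Tr1ckyPass", "alllowercase", "Ab1", "P\u00e4sswort1!", "abc def 123"]
    for number, sample in enumerate(samples, start=1):
        result = check_password(sample)
        print(f"sample {number}:", "OK" if not result else "; ".join(result))
```

The min_length and require_complex parameters mirror the Minimum password length and Require complex passwords settings, so the same function can be run against whatever values the server is configured with.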

Password guessing attack protection

Available since VisualSVN Server 5.2

Password guessing attack protection is a countermeasure against brute-force and dictionary attacks, which attempt to discover users' credentials for VisualSVN Server by systematically trying a large number of username and password combinations. In the Subversion authentication mode, such attacks may eventually discover correct credentials for the dedicated Subversion user accounts.

Note
It is strongly recommended that you enable password guessing attack protection if you are using the Subversion authentication mode.

Block IP addresses after multiple authentication failures

Selecting the Block IP addresses after multiple authentication failures checkbox enables password guessing attack protection. When this checkbox is selected, the server detects IP addresses that send too many authentication requests with invalid login credentials within a short period of time and temporarily blocks further requests from these offending IP addresses. For more information, see the Further details on the blocking of offending IP addresses section in the article titled KB217: Understanding password guessing attack protection in VisualSVN Server.

Advanced settings for Password guessing attack protection

The Advanced settings provide several adjustable values that fine-tune the protection, such as the maximum allowed number of failed authentication attempts. For details about these settings, see the Advanced settings section in the article titled KB217: Understanding password guessing attack protection in VisualSVN Server.

Allow users to change their passwords in web interface

The Allow users to change their passwords in web interface checkbox controls whether users can change their passwords in the web interface. When the checkbox is selected, the corresponding option becomes available in the Account menu in the web interface.

Changing password in Web UI

See also

KB179: Understanding the password policy for Subversion authentication
