Feature #4221

Enforcing Strong Password for Users

Added by jim joseph almost 10 years ago. Updated 10 days ago.

Status: New
Start date: 2009-11-16
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Accounts / authentication
Target version: Candidate for next major release
Resolution:

Description

I would like to enforce strong passwords for users in Redmine. As of now, Redmine will accept any four-letter password. Is there a way for the application to check how strong a password is when a new user registers in it?

Can we implement any password generator with Redmine?

enforce-password-char-types.patch (7.98 KB) Takenori TAKAKI, 2019-08-02 09:19


Related issues

Related to Redmine - Feature #3872: New user password - better functionality Closed 2009-09-15
Related to Redmine - Feature #3155: Password policy and secure logon procedure New 2009-04-10
Duplicated by Redmine - Feature #25054: Enforcing Strong Password in Redmine Closed

History

#1 Updated by Jean-Philippe Lang almost 10 years ago

As of r2678, you can specify the minimum password length in settings.
But a minimum password strength setting could also be added (e.g. Fair, Strong, Very strong) using a kind of password strength meter.

#2 Updated by Jean-Philippe Lang over 9 years ago

  • Category set to Accounts / authentication

#3 Updated by Henrik Ammer over 9 years ago

Jean-Philippe Lang wrote:

But a minimum password strength setting could also be added (e.g. Fair, Strong, Very strong) using a kind of password strength meter.

I would love to see this!

#4 Updated by Samuel Suther about 6 years ago

*1

#5 Updated by @ go2null about 6 years ago

Can we implement any password generator with redmine?

  • Implemented in v2.4.0 - Feature #3872 New user password - better functionality

#6 Updated by Toshi MARUYAMA about 6 years ago

  • Related to Feature #3872: New user password - better functionality added

#7 Updated by Simon O over 5 years ago

+1
The new feature implemented in 2.4.0 referring to Feature #3872 includes a secured password generator.
However, if users may change their password at first login, they may pick "aaaaaaaa" which is far away from being secure. Thus, I also recommend to add a kind of password security check as suggested by jim joseph.
Please reopen ticket.
Thanks a lot!

#8 Updated by Aleksandar Pavic over 3 years ago

+1

There are some recent efforts as I can see.

https://github.com/simonswine/redmine_password_tool
https://github.com/go2null/redmine_account_policy

But this should be a core system feature, it is a must for enterprise use.

#9 Updated by Toshi MARUYAMA over 2 years ago

  • Duplicated by Feature #25054: Enforcing Strong Password in Redmine added

#10 Updated by Go MAEDA 4 months ago

  • Related to Feature #3155: Password policy and secure logon procedure added

#11 Updated by Takenori TAKAKI 15 days ago

+
If we can enforce password strength, Redmine will be used in environments where some security policy is required.
I post a patch, as I implemented the following features:
  • Enable setting password strength in admin settings
  • Enable selecting the enforced character types (Uppercase, Lowercase, Digits, Special characters)
  • Validation for each enforced character type

#12 Updated by Go MAEDA 10 days ago

  • Priority changed from High to Normal
  • Target version set to Candidate for next major release

#13 Updated by Go MAEDA 10 days ago

I think the validation in enforce-password-char-types.patch should cover all ASCII special characters, such as '(', ')', '+', '-', and '_'. The following code does that.

diff --git a/app/models/setting.rb b/app/models/setting.rb
index b18f8ed89..4171fa04e 100644
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -19,6 +19,13 @@

 class Setting < ActiveRecord::Base

+  PASSWORD_REQUIRED_CHARACTER_CLASSES = {
+        'uppercase'          => /[A-Z]/,
+        'lowercase'          => /[a-z]/,
+        'digits'             => /[0-9]/,
+        'special_characters' => /[[:ascii:]&&[:graph:]&&[:^alnum:]]/
+    }
+
   DATE_FORMATS = [
         '%Y-%m-%d',
         '%d/%m/%Y',
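
Review bot: In the `special_characters` entry, `[:graph:]` excludes the space character and the `[:ascii:]` intersection excludes every non-ASCII character, while `uppercase` and `lowercase` are limited to `A-Z` and `a-z`. A password built from spaces or from non-ASCII letters such as `é` therefore satisfies none of the four classes. If that is intended, state it in a comment above `PASSWORD_REQUIRED_CHARACTER_CLASSES` or in the setting's help text so administrators know exactly what each option accepts. The hash is also a mutable constant, so consider adding `.freeze` after the closing brace.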
