<p><strong>Redmine - Feature #3155: Password policy and secure logon procedure</strong></p>
<p><strong>Vidal Arpin</strong>, 2009-04-10T21:51:04Z (<a href="https://www.redmine.org/issues/3155?journal_id=8600">journal 8600</a>)</p>
<p>The following items from the password policy should read:</p>
<p>2. inclusion (configurable to force or not) of one or more numerical digits (configurable);<br />3. inclusion of special characters configuration choice (configurable to force or not);</p>

<p><strong>Toshi MARUYAMA</strong>, 2011-03-23T09:50:59Z (<a href="https://www.redmine.org/issues/3155?journal_id=26845">journal 26845</a>)</p>
<ul><li><strong>Category</strong> set to <i>Accounts / authentication</i></li></ul>

<p><strong>khasha roholahi</strong>, 2011-08-25T17:28:49Z (<a href="https://www.redmine.org/issues/3155?journal_id=31773">journal 31773</a>)</p>
<ul><li><strong>Assignee</strong> set to <i>Toshi MARUYAMA</i></li></ul><p>Hi,</p>
<p>It doesn't look like this feature has been implemented yet; it would be very useful for us as well to have what Vidal was asking for. Can someone work on this?</p>

<p><strong>Toshi MARUYAMA</strong>, 2011-08-26T02:58:38Z (<a href="https://www.redmine.org/issues/3155?journal_id=31792">journal 31792</a>)</p>
<ul><li><strong>Assignee</strong> deleted (<del><i>Toshi MARUYAMA</i></del>)</li></ul>

<p><strong>Robert Millan</strong>, 2011-11-30T19:07:16Z (<a href="https://www.redmine.org/issues/3155?journal_id=34347">journal 34347</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/6837">cracklib.diff</a> added</li></ul>
<p>Hi,</p>
<p>I added cracklib support to Redmine. This doesn't address all your concerns with password policy, but at least some of them.</p>
<p>I figure you might find it helpful.</p>

<p><strong>Paul Liao</strong>, 2011-12-28T23:31:26Z (<a href="https://www.redmine.org/issues/3155?journal_id=35056">journal 35056</a>)</p>
<p>Hi Robert,</p>
<p>I've added your changes to my test Redmine, and I received an error when I restarted my Apache:</p>
<pre>
no such file to load -- password (MissingSourceFile)
Exception class:
</pre>
<p>My version of redmine is 1.2.3.</p>
<p>What exactly does your code do? Does it check the length of the password?</p>

<p><strong>@ go2null</strong>, 2015-01-20T23:59:32Z (<a href="https://www.redmine.org/issues/3155?journal_id=61003">journal 61003</a>)</p>
<p>I've created a plugin that implements Password Expiry and Lock Unused Account functionality.</p>
<p><em>It is alpha quality, so use at your own risk. Further, this is my first plugin, so even alpha is more advanced than it may be :-)</em></p>
<p>Would be great to receive pull requests on GitHub.</p>
<p><a class="external" href="https://github.com/go2null/redmine_account_policy">https://github.com/go2null/redmine_account_policy</a></p>
<p>The intent is to add more functionality to implement User Account rules.</p>
<p>Here's a summary of the current (v2.6.0) status of the asks in the Description.</p>
<p><strong>Password policy</strong></p>
<ol>
<li> use of both upper- and lower-case letters (case sensitivity);
<ol>
<li>Plan to include in plugin</li>
</ol>
</li>
<li> inclusion of one or more numerical digits;
<ol>
<li>Plan to include in plugin</li>
</ol>
</li>
<li> inclusion of special characters configuration choice;
<ol>
<li>Plan to include in plugin</li>
</ol>
</li>
<li> free of consecutive identical (configurable), all-numeric or all-alphabetic characters;
<ol>
<li>Plan to include in plugin</li>
</ol>
</li>
<li> change passwords at regular intervals (configurable) or based on the number of accesses (configurable); passwords for privileged accounts should be changed more frequently than normal passwords (configurable);
<ol>
<li><em>change passwords at regular intervals (configurable)</em> is implemented in plugin as <strong>Password Expiry</strong>.</li>
</ol>
</li>
<li> avoid re-using or cycling old passwords (configurable);
<ol>
<li>Redmine includes check against last password (i.e., prevent_reuse = 1)</li>
<li>Plan to include in plugin</li>
</ol>
</li>
<li> when users are required to maintain their own passwords, they should be provided initially with a secure temporary password;
<ol>
<li>Redmine implements this as <strong>Generate password</strong></li>
</ol>
</li>
<li> change temporary passwords at the first log-on;
<ol>
<li>Redmine implements this as <strong>Must change password at next logon</strong></li>
</ol>
</li>
<li> temporary passwords should be given to users in a secure manner; the use of third parties or unprotected (clear text) electronic mail messages should be avoided;</li>
<li> temporary passwords should be unique to an individual and should not be guessable;
<ol>
<li>Redmine implements this as <strong>Generate password</strong></li>
</ol></li>
</ol>
<p><strong>Secure logon procedure</strong></p>
<ol>
<li> don't display system or application identifiers until the log-on process has been successfully completed (configurable);
<ol>
<li>Already implemented in Redmine</li>
</ol>
</li>
<li> display a general notice warning that the computer should only be accessed by authorized users (Configurable as a choice and for the message to display);</li>
<li> don't provide help messages during the log-on procedure that would aid an unauthorized user;
<ol>
<li>Already implemented in Redmine</li>
</ol>
</li>
<li> validate the log-on information only on completion of all input data. If an error condition arises, the system should not indicate which part of the data is correct or incorrect;
<ol>
<li>Already implemented in Redmine</li>
</ol>
</li>
<li> limit the number of unsuccessful log-on attempts allowed, e.g. to three attempts (configurable with 0 = unlimited);
<ol>
<li>Plan to include in plugin</li>
</ol>
</li>
<li> record unsuccessful and successful attempts;</li>
<li> force a time delay before further log-on attempts are allowed (configurable and exponential);
<ol>
<li>Plan to include in plugin</li>
</ol>
</li>
<li> send an alarm message if the maximum number of log-on attempts is reached (configurable with email addresses);</li>
<li> display the following information on completion of a successful log-on:
<ol>
<li> date and time of the previous successful log-on;</li>
<li> details of any unsuccessful log-on attempts since the last successful log-on;</li>
</ol>
</li>
<li> don't display the password being entered or consider hiding the password characters by symbols;
<ol>
<li>Already implemented in Redmine</li>
</ol>
</li>
<li> don't transmit passwords in clear text over a network.</li>
</ol>

<p><strong>Mischa The Evil</strong>, 2015-01-21T05:46:58Z (<a href="https://www.redmine.org/issues/3155?journal_id=61010">journal 61010</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-1 priority-5 priority-high2" href="/issues/3096">Feature #3096</a>: Lock accounts after X failed attempts</i> added</li></ul> Redmine - Feature #3155: Password policy and secure logon procedurehttps://www.redmine.org/issues/3155?journal_id=610122015-01-21T05:47:41ZMischa The Evil
<ul><li><strong>Has duplicate</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/12182">Feature #12182</a>: improvement password security for internal authentication</i> added</li></ul>

<p><strong>Go MAEDA</strong>, 2015-03-24T00:00:44Z (<a href="https://www.redmine.org/issues/3155?journal_id=62487">journal 62487</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/19458">Feature #19458</a>: Add the ability to expire passwords after a configurable number of days</i> added</li></ul> Redmine - Feature #3155: Password policy and secure logon procedurehttps://www.redmine.org/issues/3155?journal_id=913302019-04-24T02:19:54ZGo MAEDA
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/4221">Feature #4221</a>: Force passwords to contain specified character classes</i> added</li></ul>