Feature #3155


Password policy and secure logon procedure

Added by Vidal Arpin about 15 years ago. Updated over 9 years ago.

Accounts / authentication

It would be nice if higher authentication security could be integrated in Redmine. I'd like to submit the following recommendations:

Password policy
  1. use of both upper- and lower-case letters (case sensitivity);
  2. inclusion of one or more numerical digits;
  3. inclusion of special characters (configurable);
  4. free of consecutive identical (configurable), all-numeric or all-alphabetic characters;
  5. change passwords at regular intervals (configurable) or based on the number of accesses (configurable); passwords for privileged accounts should be changed more frequently than normal passwords (configurable);
  6. avoid re-using or cycling old passwords (configurable);
  7. when users are required to maintain their own passwords, they should be provided initially with a secure temporary password;
  8. change temporary passwords at the first log-on;
  9. temporary passwords should be given to users in a secure manner; the use of third parties or unprotected (clear text) electronic mail messages should be avoided;
  10. temporary passwords should be unique to an individual and should not be guessable;
Secure logon procedure
  1. don't display system or application identifiers until the log-on process has been successfully completed (configurable);
  2. display a general notice warning that the computer should only be accessed by authorized users (configurable as a choice and for the message to display);
  3. don't provide help messages during the log-on procedure that would aid an unauthorized user;
  4. validate the log-on information only on completion of all input data. If an error condition arises, the system should not indicate which part of the data is correct or incorrect;
  5. limit the number of unsuccessful log-on attempts allowed, e.g. to three attempts (configurable with 0 = unlimited);
  6. record unsuccessful and successful attempts;
  7. force a time delay before further log-on attempts are allowed (configurable and exponential);
  8. send an alarm message if the maximum number of log-on attempts is reached (configurable with email addresses);
  9. display the following information on completion of a successful log-on:
    1. date and time of the previous successful log-on;
    2. details of any unsuccessful log-on attempts since the last successful log-on;
  10. don't display the password being entered, or consider hiding the password characters with symbols;
  11. don't transmit passwords in clear text over a network.
If I'm not mistaken, the following are already integrated in Redmine from the items I listed above:
  • Password policy items 1,2,3,7,8,9 and 10
  • Secure logon procedure items 3,4,10 and 11

Thank you for considering these features!
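
As an added example (not part of the original post and not Redmine's own code), the following Ruby sketch shows how the configurable checks requested above fit together: a password policy covering items 1 to 4 and 6 of the first list, and a log-on guard covering items 4 to 9 of the second (generic failure verdict, attempt limit with 0 = unlimited, exponential delay, attempt log, alarm at the limit, and the previous-log-on notice). The class names, option names, default thresholds, the `alarm` callback and the injected credential `check` are all assumptions chosen for illustration, and the salted SHA-256 in the re-use history stands in for a proper slow password hash.

```ruby
require 'digest'
require 'securerandom'

# Hypothetical password-policy checker (example code, not Redmine's).
# Every threshold is a constructor option, as the post asks for.
class PasswordPolicy
  DEFAULTS = { min_length: 12, require_upper: true, require_lower: true,
               require_digit: true, require_special: true,
               max_repeat: 2, history_size: 5 }.freeze

  def initialize(**opts)
    @cfg = DEFAULTS.merge(opts)
  end

  # Salted digest kept in the re-use history. SHA-256 keeps the example
  # dependency-free; a real deployment would use bcrypt or Argon2 instead.
  def digest(password, salt = SecureRandom.hex(8))
    [salt, Digest::SHA256.hexdigest(salt + password)]
  end

  # Names of the violated rules; an empty array means the password passes.
  def violations(password, history = [])
    v = []
    v << :too_short      if password.length < @cfg[:min_length]
    v << :no_upper       if @cfg[:require_upper]   && password !~ /[A-Z]/
    v << :no_lower       if @cfg[:require_lower]   && password !~ /[a-z]/
    v << :no_digit       if @cfg[:require_digit]   && password !~ /[0-9]/
    v << :no_special     if @cfg[:require_special] && password !~ /[^A-Za-z0-9]/
    v << :repeated_chars if password =~ /(.)\1{#{@cfg[:max_repeat]},}/
    v << :all_numeric    if password =~ /\A[0-9]+\z/
    v << :all_alphabetic if password =~ /\A[A-Za-z]+\z/
    recent = history.last(@cfg[:history_size])          # only the last N count
    v << :reused if recent.any? { |salt, d| digest(password, salt)[1] == d }
    v
  end
end

# Hypothetical log-on guard (example code, not Redmine's) for the secure
# log-on items: generic failure verdict, attempt limit (0 = unlimited),
# exponential delay, attempt log, alarm callback and previous-log-on notice.
class LogonGuard
  Attempt = Struct.new(:login, :success, :at)

  def initialize(max_attempts: 3, base_delay: 2, alarm: ->(_login) {})
    @max, @base, @alarm = max_attempts, base_delay, alarm
    @log = []                   # item 6: every attempt, successful or not
    @failures = Hash.new(0)     # consecutive failures per login
    @not_before = Hash.new(0)   # item 7: earliest time of the next attempt
    @last_success = {}          # item 9a: previous successful log-on
  end

  def locked?(login)
    @max > 0 && @failures[login] >= @max
  end

  # `check` receives (login, password) and returns true only for valid
  # credentials. Returns [:locked], [:wait, seconds], [:failed] or
  # [:ok, notice]; :failed never reveals which part was wrong (item 4).
  def attempt(login, password, now:, &check)
    return [:locked] if locked?(login)
    return [:wait, @not_before[login] - now] if now < @not_before[login]
    ok = check.call(login, password) ? true : false
    @log << Attempt.new(login, ok, now)
    if ok
      notice = { previous_login: @last_success[login],
                 failed_since: failures_since(login, @last_success[login]) }
      @failures[login] = 0
      @last_success[login] = now
      [:ok, notice]
    else
      @failures[login] += 1
      @not_before[login] = now + @base**@failures[login]  # 2, 4, 8 ... seconds
      @alarm.call(login) if locked?(login)                 # item 8
      [:failed]
    end
  end

  # Item 9b: failed attempts after `since` (all of them if never logged in).
  def failures_since(login, since)
    @log.select { |a| a.login == login && !a.success && (since.nil? || a.at > since) }
  end
end
```

The guard takes the clock as an argument so the back-off can be exercised deterministically; in a web application `now` would be `Time.now` and the `alarm` lambda would send the configured e-mail. Note that the delay and lock are keyed by login, so an attacker spreading attempts over many accounts is only slowed per account; a per-source-address limit would be a separate control.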


Attachment: cracklib.diff (1.46 KB), Robert Millan, 2011-11-30 20:07

Related issues

Related to Redmine - Feature #3096: Lock accounts after X failed attempts (New, 2009-04-01)

Related to Redmine - Feature #19458: Add the ability to expire passwords after a configurable number of days (Closed, Jean-Philippe Lang)

Related to Redmine - Feature #4221: Force passwords to contain specified character classes (Closed, Go MAEDA, 2009-11-16)

Has duplicate Redmine - Feature #12182: improvement password security for internal authentication (Closed)

