Increase password complexity

Bug #1613265 reported by Paul Everitt
Affects: KARL4
Status: Fix Released
Importance: Medium
Assigned to: Carlos de la Guardia

Bug Description

"accept special characters and long passwords (up to 20 char)"

While we need to get the exact policy from OSF, we can at least describe the improved facility.

I propose to change the password enforcement to be driven by a regex in the conf file. I'm hoping that regular expressions can encode the information needed:

- Min/max length
- Min/max upper/lowercase
- Min/max numbers or symbols

For the implementation, I believe this only affects the change password view. (Does password reset use this same view?)

This task has no other corollary actions, e.g. a one-time forcing of everyone to change their password or to log back in.

Tags: auth
Tag changes: added auth; removed gsasync
Paul Everitt (paul-agendaless) wrote :

Let's make sure that none of this data about changing passwords winds up triggering re-indexing of the profile nor a Feed Event.

Changed in karl4:
milestone: 022 → 023
Carlos de la Guardia (cguardia) wrote :

Do we have a policy yet?

Paul Everitt (paul-agendaless) wrote :

The password policy is:

- At least 8 characters
- No upper limit
- At least 1 special character
- At least 1 number
- At least 1 capital letter

Nat, can you confirm?

Nat Katin-Borland (nborland) wrote : RE: [Bug 1613265] Re: Increase password complexity

From Oleg:

Must be at least 8 characters

Then 3 out of 4 of the following:
- At least 1 special character
- At least 1 number
- At least 1 capital letter

Fine to make this change in the software and not as a configurable policy

--
Nathaniel Katin-Borland
Business Analyst | Information Systems
Open Society Foundations | New York | 224 W 57th Street, NY, NY 10019
Office: +1 212-547-6984
http://www.opensocietyfoundations.org


Carlos de la Guardia (cguardia) wrote :

This is now on our expire_passwords branch.

Changed in karl4:
status: New → Fix Committed
Nat Katin-Borland (nborland) wrote :

Hi Carlos,

I just wanted to clarify the password policy we were hoping to have. We want 3 out of the 4 strength parameters. It looks like you implemented 4 out of 4 (upper, lower, number and special character). Can this be easily changed to 3 out of 4? Please let me know if you have any questions.

Must be at least 8 characters

Then 3 out of 4 of the following:
- At least 1 special character
- At least 1 number
- At least 1 capital letter
- At least 1 lowercase letter

Thanks!
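A checker for the 3-out-of-4 policy stated above, added here as an illustration; it is not KARL's own code. The `required_categories` argument makes the difference between the agreed 3-of-4 rule and the 4-of-4 behaviour reported in this comment visible, and which characters count as "special" (any printable character that is not a letter, digit or whitespace) is an assumption.

```python
# Added example of the password policy discussed in this thread (not KARL's code).
# Policy: at least 8 characters, no upper limit, and at least 3 of the 4
# character classes upper / lower / digit / special.

MIN_LENGTH = 8            # "Must be at least 8 characters"; no maximum
REQUIRED_CATEGORIES = 3   # 3 out of the 4 classes below
ALL_CLASSES = {"upper", "lower", "digit", "special"}


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for c in password:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        elif not c.isspace():
            # Assumption: any other printable character is "special".
            classes.add("special")
    return classes


def check_password(password, min_length=MIN_LENGTH,
                   required_categories=REQUIRED_CATEGORIES):
    """Return (ok, reasons).

    reasons lists every rule the candidate breaks, so a change-password
    view can show the user all of them at once instead of one per attempt.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("at least %d characters required" % min_length)
    present = character_classes(password)
    if len(present) < required_categories:
        missing = ", ".join(sorted(ALL_CLASSES - present))
        reasons.append("needs %d of 4 character classes, has %d (missing: %s)"
                       % (required_categories, len(present), missing))
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["Abcdefg1", "abcdefgh", "Ab1!", "abcdefg1!"]:
        print(repr(candidate), check_password(candidate))
```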

Paul Everitt (paul-agendaless) wrote :

Carlos thinks he has a fix in place on staging that gives the 3-out-of-4 policy.

Paul Everitt (paul-agendaless) wrote :

I just tried it and it worked for me.

Changed in karl4:
status: Fix Committed → Fix Released