Modify

Opened 6 years ago

Last modified 3 years ago

#3113 assigned enhancement

[patch] Add password policy

Reported by: ThurnerRupert Owned by: hasienda
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: password check quality
Cc: yassam, sukender@…, rjollos Trac Release: 0.12

Description

some companies have password policies in place, like:

  • reset every X days/months
  • have minimum 1 uppercase character
  • have minimum 1 non-ascii character
  • be minimum / exact X charachters long

setting/resetting a password should allow such policies.

Attachments (0)

Change History (11)

comment:1 Changed 6 years ago by pacopablo

  • Owner changed from mgood to pacopablo
  • Trac Release changed from 0.10 to 0.11

Patches welcome here. I'm not sure where to begin on implementing that. Seems to me that companies that have such requirements will be plugging trac into their existing password stores, such as AD.

comment:2 in reply to: ↑ description Changed 4 years ago by hasienda

  • Keywords password check quality added
  • Summary changed from password policy to Add password policy

Replying to ThurnerRupert:

some companies have password policies in place, like:

  • reset every X days/months
  • have minimum 1 uppercase character
  • have minimum 1 non-ascii character
  • be minimum / exact X charachters long

setting/resetting a password should allow such policies.

I second John (pacopablo) in assuming that this would commonly achieved by central password management anyway. But still this might not be always true. Still patches welcome.

However now, in 2010, I wouldn't care about a feature restricting password length to exactly x chars, while the minimum char policy is perfectly valid IMHO.

comment:3 follow-up: Changed 4 years ago by dnedelchev

Just to continue the password rules list:

  • disallow username-identical passwords (example - admin:admin)

comment:4 Changed 4 years ago by dnedelchev

  • Trac Release changed from 0.11 to 0.12

comment:5 in reply to: ↑ 3 Changed 4 years ago by hasienda

Replying to dnedelchev:

Just to continue the password rules list:

  • disallow username-identical passwords (example - admin:admin)

Nice ideas.

By chance, is someone able to back up these ideas with some real code? I'm interested to implement, but would like to have something to start with. Otherwise it'll take a lot more time, since resolving remaining defect tickets will certainly absorb my energy for some more months.

comment:6 Changed 4 years ago by hasienda

  • Owner changed from pacopablo to hasienda

comment:7 Changed 4 years ago by marcin.wielgoszewski@…

Hasienda, see the code below for a starting point on implementing password complexity requirements*. This somewhat follows the Windows Active Directory "strong password complexity" check where 3 of 4 requirements need to be met. Please accept my apologies for not submitting a patch as I have not familiarized myself enough with the AccountManagerPlugin codebase (I've just come across this plugin, and would find having password complexity enforcement useful).

As far as tracking password history goes, this would require storing the password hash + nonce for N changes. The defined constants could be configuration options, and default to 0 if not specified.

This validation would have to be performed any time the password is changed, whether by the system, user or administrator. Perhaps down the line you can add administrator override of password complexity (though this is usually not desirable from an audit perspective).

  • Note the following code does not support non-ASCII Unicode characters (while cute, non-ASCII passwords are impractical).
import string
MINIMUM_LOWER_ALPHA = 0
MINIMUM_UPPER_ALPHA = 1
MINIMUM_DIGITS = 3
MINIMUM_SPECIAL = 1
MINIMUM_LENGTH = 8
MINIMUM_CRITERIA_REQUIRED = 3
MINIMUM_SCORE = 13    # computed by summing length/upper/lower/digits/specials required


def validate_password(username, password, confirm_password):
    if password != confirm_password:
        return False

    # Some sanity checks to keep users from using a combination of their
    # username in their password
    if username in password or password in username or password == username:
        return False

    upper = 0
    lower = 0
    digits = 0
    special = 0
    total = 0
    score = 0

    if len(password) < MINIMUM_LENGTH:
        return False

    score += 8

    # Do not allow any non-printable ASCII characters (except 0x20)
    if not all(map(lambda x: 31 < ord(x) < 127, password)):
        return False
    # pseudocode ahead:
    #
    # previous_passwords = get_previous_passwords_as_list_tuples()
    # for oldhash, nonce in previous_passwords:
    #  if hashpass(password, nonce) == oldhash:
    #   return False
    #
    # return True # we passed historical requirement

    for ch in password:
        if MINIMUM_UPPER_ALPHA > 0 and ch in string.uppercase:
            if upper >= MINIMUM_UPPER_ALPHA:
                continue
            upper += 1

        if MINIMUM_LOWER_ALPHA > 0 and ch in string.lowercase:
            if lower >= MINIMUM_LOWER_ALPHA:
                continue
            lower += 1

        if MINIMUM_DIGITS > 0 and ch in string.digits:
            if digits >= MINIMUM_DIGITS:
                continue
            digits += 1

        if MINIMUM_SPECIAL > 0 and ch in string.punctuation + ' ':
            if special >= MINIMUM_SPECIAL:
                continue
            special += 1

    score += upper
    score += lower
    score += digits
    score += special

    if MINIMUM_SCORE > 0:
        if score < MINIMUM_SCORE:
            return False

    if upper >= MINIMUM_UPPER_ALPHA:
        total += 1

    if lower >= MINIMUM_LOWER_ALPHA:
        total += 1

    if digits >= MINIMUM_DIGITS:
        total += 1

    if special >= MINIMUM_SPECIAL:
        total += 1

    if total >= MINIMUM_CRITERIA_REQUIRED:
        return True

    return False

comment:8 Changed 4 years ago by hasienda

  • Status changed from new to assigned
  • Summary changed from Add password policy to [patch] Add password policy

Thanks for taking your time to put down some code, pseudo-code and notes. Just some responses to randomly picked parts, I'll have to thinking through for some more time:

  • limitation to ASCII chars: might be too harsh in some well administered, fully localized environments, but eliminating non-printable chars is certainly a good thing
  • password quality scoring and x-out-of-y metrics: never thought about this in that detail before, but looks reasonable; other account admin experts to speak up here supporting this concept or proposing a different one?
  • password history: biggest concerns so far, i.e. AFAIK this would require storing n previous password even in non-native form, as there's no way to see inside salted passwords and decide, if they're different enough, right? - definitely an optional component of the policy framework

I'm currently wondering, if we should move even various existing checks into such a dedicated checks/policy/validation module, especially the growing number of username validation tests inside the registration code.

comment:9 Changed 4 years ago by yassam

  • Cc yassam added

comment:10 Changed 3 years ago by sukender at free dot fr

  • Cc sukender@… added

Hi there,

Maybe some resources you already know about, but :

comment:11 Changed 3 years ago by rjollos

  • Cc rjollos added

Add Comment

Modify Ticket

Action
as assigned .
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.