Opened 17 years ago
Last modified 3 years ago
#3113 accepted enhancement
[patch] Add password policy
Reported by: | rupert thurner | Owned by: | Ryan J Ollos |
---|---|---|---|
Priority: | normal | Component: | AccountManagerPlugin |
Severity: | normal | Keywords: | password check quality |
Cc: | Yasir Assam, sukender@… | Trac Release: | 0.12 |
Description
some companies have password policies in place, like:
- reset every X days/months
- have minimum 1 uppercase character
- have minimum 1 non-ascii character
- be minimum / exact X charachters long
setting/resetting a password should allow such policies.
Attachments (1)
Change History (17)
comment:1 Changed 16 years ago by
Owner: | changed from Matt Good to John Hampton |
---|---|
Trac Release: | 0.10 → 0.11 |
comment:2 Changed 14 years ago by
Keywords: | password check quality added |
---|---|
Summary: | password policy → Add password policy |
Replying to ThurnerRupert:
some companies have password policies in place, like:
- reset every X days/months
- have minimum 1 uppercase character
- have minimum 1 non-ascii character
- be minimum / exact X charachters long
setting/resetting a password should allow such policies.
I second John (pacopablo) in assuming that this would commonly achieved by central password management anyway. But still this might not be always true. Still patches welcome.
However now, in 2010, I wouldn't care about a feature restricting password length to exactly x chars, while the minimum char policy is perfectly valid IMHO.
comment:3 follow-up: 5 Changed 14 years ago by
Just to continue the password rules list:
- disallow username-identical passwords (example - admin:admin)
comment:4 Changed 14 years ago by
Trac Release: | 0.11 → 0.12 |
---|
comment:5 Changed 14 years ago by
Replying to dnedelchev:
Just to continue the password rules list:
- disallow username-identical passwords (example - admin:admin)
Nice ideas.
By chance, is someone able to back up these ideas with some real code? I'm interested to implement, but would like to have something to start with. Otherwise it'll take a lot more time, since resolving remaining defect tickets will certainly absorb my energy for some more months.
comment:6 Changed 14 years ago by
Owner: | changed from John Hampton to Steffen Hoffmann |
---|
comment:7 Changed 14 years ago by
Hasienda, see the code below for a starting point on implementing password complexity requirements*. This somewhat follows the Windows Active Directory "strong password complexity" check where 3 of 4 requirements need to be met. Please accept my apologies for not submitting a patch as I have not familiarized myself enough with the AccountManagerPlugin codebase (I've just come across this plugin, and would find having password complexity enforcement useful).
As far as tracking password history goes, this would require storing the password hash + nonce for N changes. The defined constants could be configuration options, and default to 0 if not specified.
This validation would have to be performed any time the password is changed, whether by the system, user or administrator. Perhaps down the line you can add administrator override of password complexity (though this is usually not desirable from an audit perspective).
- Note the following code does not support non-ASCII Unicode characters (while cute, non-ASCII passwords are impractical).
import string MINIMUM_LOWER_ALPHA = 0 MINIMUM_UPPER_ALPHA = 1 MINIMUM_DIGITS = 3 MINIMUM_SPECIAL = 1 MINIMUM_LENGTH = 8 MINIMUM_CRITERIA_REQUIRED = 3 MINIMUM_SCORE = 13 # computed by summing length/upper/lower/digits/specials required def validate_password(username, password, confirm_password): if password != confirm_password: return False # Some sanity checks to keep users from using a combination of their # username in their password if username in password or password in username or password == username: return False upper = 0 lower = 0 digits = 0 special = 0 total = 0 score = 0 if len(password) < MINIMUM_LENGTH: return False score += 8 # Do not allow any non-printable ASCII characters (except 0x20) if not all(map(lambda x: 31 < ord(x) < 127, password)): return False # pseudocode ahead: # # previous_passwords = get_previous_passwords_as_list_tuples() # for oldhash, nonce in previous_passwords: # if hashpass(password, nonce) == oldhash: # return False # # return True # we passed historical requirement for ch in password: if MINIMUM_UPPER_ALPHA > 0 and ch in string.uppercase: if upper >= MINIMUM_UPPER_ALPHA: continue upper += 1 if MINIMUM_LOWER_ALPHA > 0 and ch in string.lowercase: if lower >= MINIMUM_LOWER_ALPHA: continue lower += 1 if MINIMUM_DIGITS > 0 and ch in string.digits: if digits >= MINIMUM_DIGITS: continue digits += 1 if MINIMUM_SPECIAL > 0 and ch in string.punctuation + ' ': if special >= MINIMUM_SPECIAL: continue special += 1 score += upper score += lower score += digits score += special if MINIMUM_SCORE > 0: if score < MINIMUM_SCORE: return False if upper >= MINIMUM_UPPER_ALPHA: total += 1 if lower >= MINIMUM_LOWER_ALPHA: total += 1 if digits >= MINIMUM_DIGITS: total += 1 if special >= MINIMUM_SPECIAL: total += 1 if total >= MINIMUM_CRITERIA_REQUIRED: return True return False
comment:8 Changed 14 years ago by
Status: | new → assigned |
---|---|
Summary: | Add password policy → [patch] Add password policy |
Thanks for taking your time to put down some code, pseudo-code and notes. Just some responses to randomly picked parts, I'll have to thinking through for some more time:
- limitation to ASCII chars: might be too harsh in some well administered, fully localized environments, but eliminating non-printable chars is certainly a good thing
- password quality scoring and x-out-of-y metrics: never thought about this in that detail before, but looks reasonable; other account admin experts to speak up here supporting this concept or proposing a different one?
- password history: biggest concerns so far, i.e. AFAIK this would require storing n previous password even in non-native form, as there's no way to see inside salted passwords and decide, if they're different enough, right? - definitely an optional component of the policy framework
I'm currently wondering, if we should move even various existing checks into such a dedicated checks/policy/validation module, especially the growing number of username validation tests inside the registration code.
comment:9 Changed 14 years ago by
Cc: | Yasir Assam added; anonymous removed |
---|
comment:10 Changed 14 years ago by
Cc: | sukender@… added |
---|
Hi there,
Maybe some resources you already know about, but :
- Python bindings for Cracklib:
- pypi.python.org/pypi/python-crack/0.5
- www.nongnu.org/python-crack
- You could find interesting code (MIT-licensed) at http://download.savannah.gnu.org/releases/python-crack/python-crack-0.5.1.tar.gz
- Some similar-looking code at:
comment:11 Changed 13 years ago by
Cc: | Ryan J Ollos added |
---|
comment:12 Changed 8 years ago by
Owner: | Steffen Hoffmann deleted |
---|---|
Status: | assigned → new |
comment:13 Changed 8 years ago by
#13001 closed as a duplicate, requesting the ability to force a password change every X days.
comment:14 Changed 5 years ago by
Cc: | Ryan J Ollos removed |
---|
Changed 4 years ago by
Attachment: | accountmanagerplugin_trunk_acct_mgr-0.6.0dev_ppolicy.patch added |
---|
Patch for using cracklib
comment:15 Changed 4 years ago by
Hi,
I have added a patch for using cracklib to improve passwords. The dependencies are only cracklib, cracklib-dicts & cracklib-python
comment:16 Changed 4 years ago by
Owner: | set to Ryan J Ollos |
---|---|
Status: | new → accepted |
Thanks, looks interesting. I'll give it a review.
Patches welcome here. I'm not sure where to begin on implementing that. Seems to me that companies that have such requirements will be plugging trac into their existing password stores, such as AD.