Modify

Opened 16 years ago

Last modified 3 years ago

#3113 accepted enhancement

[patch] Add password policy

Reported by: rupert thurner Owned by: Ryan J Ollos
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: password check quality
Cc: Yasir Assam, sukender@… Trac Release: 0.12

Description

some companies have password policies in place, like:

  • reset every X days/months
  • have minimum 1 uppercase character
  • have minimum 1 non-ascii character
  • be minimum / exact X charachters long

setting/resetting a password should allow such policies.

Attachments (1)

accountmanagerplugin_trunk_acct_mgr-0.6.0dev_ppolicy.patch (5.9 KB) - added by Florian B. 4 years ago.
Patch for using cracklib

Download all attachments as: .zip

Change History (17)

comment:1 Changed 16 years ago by John Hampton

Owner: changed from Matt Good to John Hampton
Trac Release: 0.100.11

Patches welcome here. I'm not sure where to begin on implementing that. Seems to me that companies that have such requirements will be plugging trac into their existing password stores, such as AD.

comment:2 in reply to:  description Changed 14 years ago by Steffen Hoffmann

Keywords: password check quality added
Summary: password policyAdd password policy

Replying to ThurnerRupert:

some companies have password policies in place, like:

  • reset every X days/months
  • have minimum 1 uppercase character
  • have minimum 1 non-ascii character
  • be minimum / exact X charachters long

setting/resetting a password should allow such policies.

I second John (pacopablo) in assuming that this would commonly achieved by central password management anyway. But still this might not be always true. Still patches welcome.

However now, in 2010, I wouldn't care about a feature restricting password length to exactly x chars, while the minimum char policy is perfectly valid IMHO.

comment:3 Changed 14 years ago by dnedelchev

Just to continue the password rules list:

  • disallow username-identical passwords (example - admin:admin)

comment:4 Changed 14 years ago by dnedelchev

Trac Release: 0.110.12

comment:5 in reply to:  3 Changed 14 years ago by Steffen Hoffmann

Replying to dnedelchev:

Just to continue the password rules list:

  • disallow username-identical passwords (example - admin:admin)

Nice ideas.

By chance, is someone able to back up these ideas with some real code? I'm interested to implement, but would like to have something to start with. Otherwise it'll take a lot more time, since resolving remaining defect tickets will certainly absorb my energy for some more months.

comment:6 Changed 14 years ago by Steffen Hoffmann

Owner: changed from John Hampton to Steffen Hoffmann

comment:7 Changed 14 years ago by marcin.wielgoszewski@…

Hasienda, see the code below for a starting point on implementing password complexity requirements*. This somewhat follows the Windows Active Directory "strong password complexity" check where 3 of 4 requirements need to be met. Please accept my apologies for not submitting a patch as I have not familiarized myself enough with the AccountManagerPlugin codebase (I've just come across this plugin, and would find having password complexity enforcement useful).

As far as tracking password history goes, this would require storing the password hash + nonce for N changes. The defined constants could be configuration options, and default to 0 if not specified.

This validation would have to be performed any time the password is changed, whether by the system, user or administrator. Perhaps down the line you can add administrator override of password complexity (though this is usually not desirable from an audit perspective).

  • Note the following code does not support non-ASCII Unicode characters (while cute, non-ASCII passwords are impractical).
import string
MINIMUM_LOWER_ALPHA = 0
MINIMUM_UPPER_ALPHA = 1
MINIMUM_DIGITS = 3
MINIMUM_SPECIAL = 1
MINIMUM_LENGTH = 8
MINIMUM_CRITERIA_REQUIRED = 3
MINIMUM_SCORE = 13    # computed by summing length/upper/lower/digits/specials required


def validate_password(username, password, confirm_password):
    if password != confirm_password:
        return False

    # Some sanity checks to keep users from using a combination of their
    # username in their password
    if username in password or password in username or password == username:
        return False

    upper = 0
    lower = 0
    digits = 0
    special = 0
    total = 0
    score = 0

    if len(password) < MINIMUM_LENGTH:
        return False

    score += 8

    # Do not allow any non-printable ASCII characters (except 0x20)
    if not all(map(lambda x: 31 < ord(x) < 127, password)):
        return False
    # pseudocode ahead:
    #
    # previous_passwords = get_previous_passwords_as_list_tuples()
    # for oldhash, nonce in previous_passwords:
    #  if hashpass(password, nonce) == oldhash:
    #   return False
    #
    # return True # we passed historical requirement

    for ch in password:
        if MINIMUM_UPPER_ALPHA > 0 and ch in string.uppercase:
            if upper >= MINIMUM_UPPER_ALPHA:
                continue
            upper += 1

        if MINIMUM_LOWER_ALPHA > 0 and ch in string.lowercase:
            if lower >= MINIMUM_LOWER_ALPHA:
                continue
            lower += 1

        if MINIMUM_DIGITS > 0 and ch in string.digits:
            if digits >= MINIMUM_DIGITS:
                continue
            digits += 1

        if MINIMUM_SPECIAL > 0 and ch in string.punctuation + ' ':
            if special >= MINIMUM_SPECIAL:
                continue
            special += 1

    score += upper
    score += lower
    score += digits
    score += special

    if MINIMUM_SCORE > 0:
        if score < MINIMUM_SCORE:
            return False

    if upper >= MINIMUM_UPPER_ALPHA:
        total += 1

    if lower >= MINIMUM_LOWER_ALPHA:
        total += 1

    if digits >= MINIMUM_DIGITS:
        total += 1

    if special >= MINIMUM_SPECIAL:
        total += 1

    if total >= MINIMUM_CRITERIA_REQUIRED:
        return True

    return False

comment:8 Changed 14 years ago by Steffen Hoffmann

Status: newassigned
Summary: Add password policy[patch] Add password policy

Thanks for taking your time to put down some code, pseudo-code and notes. Just some responses to randomly picked parts, I'll have to thinking through for some more time:

  • limitation to ASCII chars: might be too harsh in some well administered, fully localized environments, but eliminating non-printable chars is certainly a good thing
  • password quality scoring and x-out-of-y metrics: never thought about this in that detail before, but looks reasonable; other account admin experts to speak up here supporting this concept or proposing a different one?
  • password history: biggest concerns so far, i.e. AFAIK this would require storing n previous password even in non-native form, as there's no way to see inside salted passwords and decide, if they're different enough, right? - definitely an optional component of the policy framework

I'm currently wondering, if we should move even various existing checks into such a dedicated checks/policy/validation module, especially the growing number of username validation tests inside the registration code.

comment:9 Changed 14 years ago by Yasir Assam

Cc: Yasir Assam added; anonymous removed

comment:10 Changed 14 years ago by sukender@…

Cc: sukender@… added

Hi there,

Maybe some resources you already know about, but :

comment:11 Changed 13 years ago by Ryan J Ollos

Cc: Ryan J Ollos added

comment:12 Changed 8 years ago by Ryan J Ollos

Owner: Steffen Hoffmann deleted
Status: assignednew

comment:13 Changed 8 years ago by Ryan J Ollos

#13001 closed as a duplicate, requesting the ability to force a password change every X days.

comment:14 Changed 4 years ago by Ryan J Ollos

Cc: Ryan J Ollos removed

Changed 4 years ago by Florian B.

Patch for using cracklib

comment:15 Changed 4 years ago by Florian B.

Hi,

I have added a patch for using cracklib to improve passwords. The dependencies are only cracklib, cracklib-dicts & cracklib-python

comment:16 Changed 4 years ago by Ryan J Ollos

Owner: set to Ryan J Ollos
Status: newaccepted

Thanks, looks interesting. I'll give it a review.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as accepted The owner will remain Ryan J Ollos.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.