[patch] Add password policy

[rupert thurner]

some companies have password policies in place, like:

• reset every X days/months
• have minimum 1 uppercase character
• have minimum 1 non-ascii character
• be minimum / exact X charachters long

setting/resetting a password should allow such policies.

[John Hampton]

Patches welcome here. I'm not sure where to begin on implementing that. Seems to me that companies that have such requirements will be plugging trac into their existing password stores, such as AD.

[Steffen Hoffmann]

Replying to ThurnerRupert:

some companies have password policies in place, like:

• reset every X days/months
• have minimum 1 uppercase character
• have minimum 1 non-ascii character
• be minimum / exact X charachters long

setting/resetting a password should allow such policies.

I second John (pacopablo) in assuming that this would commonly achieved by central password management anyway. But still this might not be always true. Still ​patches welcome.

However now, in 2010, I wouldn't care about a feature restricting password length to exactly x chars, while the minimum char policy is perfectly valid IMHO.

[dnedelchev]

Just to continue the password rules list:

• disallow username-identical passwords (example - admin:admin)

[Steffen Hoffmann]

Replying to dnedelchev:

Just to continue the password rules list:

• disallow username-identical passwords (example - admin:admin)

Nice ideas.

By chance, is someone able to back up these ideas with some real code? I'm interested to implement, but would like to have something to start with. Otherwise it'll take a lot more time, since resolving remaining defect tickets will certainly absorb my energy for some more months.

[marcin.wielgoszewski@…]

Hasienda, see the code below for a starting point on implementing password complexity requirements*. This somewhat follows the Windows Active Directory "strong password complexity" check where 3 of 4 requirements need to be met. Please accept my apologies for not submitting a patch as I have not familiarized myself enough with the AccountManagerPlugin codebase (I've just come across this plugin, and would find having password complexity enforcement useful).

As far as tracking password history goes, this would require storing the password hash + nonce for N changes. The defined constants could be configuration options, and default to 0 if not specified.

This validation would have to be performed any time the password is changed, whether by the system, user or administrator. Perhaps down the line you can add administrator override of password complexity (though this is usually not desirable from an audit perspective).

• Note the following code does not support non-ASCII Unicode characters (while cute, non-ASCII passwords are impractical).

import string
MINIMUM_LOWER_ALPHA = 0
MINIMUM_UPPER_ALPHA = 1
MINIMUM_DIGITS = 3
MINIMUM_SPECIAL = 1
MINIMUM_LENGTH = 8
MINIMUM_CRITERIA_REQUIRED = 3
MINIMUM_SCORE = 13    # computed by summing length/upper/lower/digits/specials required


def validate_password(username, password, confirm_password):
    if password != confirm_password:
        return False

    # Some sanity checks to keep users from using a combination of their
    # username in their password
    if username in password or password in username or password == username:
        return False

    upper = 0
    lower = 0
    digits = 0
    special = 0
    total = 0
    score = 0

    if len(password) < MINIMUM_LENGTH:
        return False

    score += 8

    # Do not allow any non-printable ASCII characters (except 0x20)
    if not all(map(lambda x: 31 < ord(x) < 127, password)):
        return False
    # pseudocode ahead:
    #
    # previous_passwords = get_previous_passwords_as_list_tuples()
    # for oldhash, nonce in previous_passwords:
    #  if hashpass(password, nonce) == oldhash:
    #   return False
    #
    # return True # we passed historical requirement

    for ch in password:
        if MINIMUM_UPPER_ALPHA > 0 and ch in string.uppercase:
            if upper >= MINIMUM_UPPER_ALPHA:
                continue
            upper += 1

        if MINIMUM_LOWER_ALPHA > 0 and ch in string.lowercase:
            if lower >= MINIMUM_LOWER_ALPHA:
                continue
            lower += 1

        if MINIMUM_DIGITS > 0 and ch in string.digits:
            if digits >= MINIMUM_DIGITS:
                continue
            digits += 1

        if MINIMUM_SPECIAL > 0 and ch in string.punctuation + ' ':
            if special >= MINIMUM_SPECIAL:
                continue
            special += 1

    score += upper
    score += lower
    score += digits
    score += special

    if MINIMUM_SCORE > 0:
        if score < MINIMUM_SCORE:
            return False

    if upper >= MINIMUM_UPPER_ALPHA:
        total += 1

    if lower >= MINIMUM_LOWER_ALPHA:
        total += 1

    if digits >= MINIMUM_DIGITS:
        total += 1

    if special >= MINIMUM_SPECIAL:
        total += 1

    if total >= MINIMUM_CRITERIA_REQUIRED:
        return True

    return False

[Steffen Hoffmann]

Thanks for taking your time to put down some code, pseudo-code and notes. Just some responses to randomly picked parts, I'll have to thinking through for some more time:

• limitation to ASCII chars: might be too harsh in some well administered, fully localized environments, but eliminating non-printable chars is certainly a good thing
• password quality scoring and x-out-of-y metrics: never thought about this in that detail before, but looks reasonable; other account admin experts to speak up here supporting this concept or proposing a different one?
• password history: biggest concerns so far, i.e. AFAIK this would require storing n previous password even in non-native form, as there's no way to see inside salted passwords and decide, if they're different enough, right? - definitely an optional component of the policy framework

I'm currently wondering, if we should move even various existing checks into such a dedicated checks/policy/validation module, especially the growing number of username validation tests inside the registration code.

[sukender@…]

Hi there,

Maybe some resources you already know about, but :

• Python bindings for Cracklib:
  • pypi.python.org/pypi/python-crack/0.5
  • www.nongnu.org/python-crack
    • You could find interesting code (MIT-licensed) at ​http://download.savannah.gnu.org/releases/python-crack/python-crack-0.5.1.tar.gz
• Some similar-looking code at:
  • ​http://passwordadvisor.com/CodePython.aspx
  • ​http://stackoverflow.com/questions/75057/what-is-the-best-way-to-check-the-strength-of-a-password

[Ryan J Ollos]

#13001 closed as a duplicate, requesting the ability to force a password change every X days.

[Florian B.]

Patch for using cracklib

[Florian B.]

Hi,

I have added a patch for using cracklib to improve passwords. The dependencies are only cracklib, cracklib-dicts & cracklib-python

[Ryan J Ollos]

Thanks, looks interesting. I'll give it a review.