Opened 9 years ago

Last modified 4 months ago

#3113 new enhancement

[patch] Add password policy

Reported by: rupert thurner Owned by:
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: password check quality
Cc: Yasir Assam, sukender@…, Ryan J Ollos Trac Release: 0.12


some companies have password policies in place, like:

  • reset every X days/months
  • have minimum 1 uppercase character
  • have minimum 1 non-ascii character
  • be minimum / exact X charachters long

setting/resetting a password should allow such policies.

Attachments (0)

Change History (13)

comment:1 Changed 8 years ago by John Hampton

Owner: changed from Matt Good to John Hampton
Trac Release: 0.100.11

Patches welcome here. I'm not sure where to begin on implementing that. Seems to me that companies that have such requirements will be plugging trac into their existing password stores, such as AD.

comment:2 in reply to:  description Changed 7 years ago by Steffen Hoffmann

Keywords: password check quality added
Summary: password policyAdd password policy

Replying to ThurnerRupert:

some companies have password policies in place, like:

  • reset every X days/months
  • have minimum 1 uppercase character
  • have minimum 1 non-ascii character
  • be minimum / exact X charachters long

setting/resetting a password should allow such policies.

I second John (pacopablo) in assuming that this would commonly achieved by central password management anyway. But still this might not be always true. Still patches welcome.

However now, in 2010, I wouldn't care about a feature restricting password length to exactly x chars, while the minimum char policy is perfectly valid IMHO.

comment:3 Changed 6 years ago by dnedelchev

Just to continue the password rules list:

  • disallow username-identical passwords (example - admin:admin)

comment:4 Changed 6 years ago by dnedelchev

Trac Release: 0.110.12

comment:5 in reply to:  3 Changed 6 years ago by Steffen Hoffmann

Replying to dnedelchev:

Just to continue the password rules list:

  • disallow username-identical passwords (example - admin:admin)

Nice ideas.

By chance, is someone able to back up these ideas with some real code? I'm interested to implement, but would like to have something to start with. Otherwise it'll take a lot more time, since resolving remaining defect tickets will certainly absorb my energy for some more months.

comment:6 Changed 6 years ago by Steffen Hoffmann

Owner: changed from John Hampton to Steffen Hoffmann

comment:7 Changed 6 years ago by marcin.wielgoszewski@…

Hasienda, see the code below for a starting point on implementing password complexity requirements*. This somewhat follows the Windows Active Directory "strong password complexity" check where 3 of 4 requirements need to be met. Please accept my apologies for not submitting a patch as I have not familiarized myself enough with the AccountManagerPlugin codebase (I've just come across this plugin, and would find having password complexity enforcement useful).

As far as tracking password history goes, this would require storing the password hash + nonce for N changes. The defined constants could be configuration options, and default to 0 if not specified.

This validation would have to be performed any time the password is changed, whether by the system, user or administrator. Perhaps down the line you can add administrator override of password complexity (though this is usually not desirable from an audit perspective).

  • Note the following code does not support non-ASCII Unicode characters (while cute, non-ASCII passwords are impractical).
import string
MINIMUM_SCORE = 13    # computed by summing length/upper/lower/digits/specials required

def validate_password(username, password, confirm_password):
    if password != confirm_password:
        return False

    # Some sanity checks to keep users from using a combination of their
    # username in their password
    if username in password or password in username or password == username:
        return False

    upper = 0
    lower = 0
    digits = 0
    special = 0
    total = 0
    score = 0

    if len(password) < MINIMUM_LENGTH:
        return False

    score += 8

    # Do not allow any non-printable ASCII characters (except 0x20)
    if not all(map(lambda x: 31 < ord(x) < 127, password)):
        return False
    # pseudocode ahead:
    # previous_passwords = get_previous_passwords_as_list_tuples()
    # for oldhash, nonce in previous_passwords:
    #  if hashpass(password, nonce) == oldhash:
    #   return False
    # return True # we passed historical requirement

    for ch in password:
        if MINIMUM_UPPER_ALPHA > 0 and ch in string.uppercase:
            if upper >= MINIMUM_UPPER_ALPHA:
            upper += 1

        if MINIMUM_LOWER_ALPHA > 0 and ch in string.lowercase:
            if lower >= MINIMUM_LOWER_ALPHA:
            lower += 1

        if MINIMUM_DIGITS > 0 and ch in string.digits:
            if digits >= MINIMUM_DIGITS:
            digits += 1

        if MINIMUM_SPECIAL > 0 and ch in string.punctuation + ' ':
            if special >= MINIMUM_SPECIAL:
            special += 1

    score += upper
    score += lower
    score += digits
    score += special

    if MINIMUM_SCORE > 0:
        if score < MINIMUM_SCORE:
            return False

    if upper >= MINIMUM_UPPER_ALPHA:
        total += 1

    if lower >= MINIMUM_LOWER_ALPHA:
        total += 1

    if digits >= MINIMUM_DIGITS:
        total += 1

    if special >= MINIMUM_SPECIAL:
        total += 1

        return True

    return False

comment:8 Changed 6 years ago by Steffen Hoffmann

Status: newassigned
Summary: Add password policy[patch] Add password policy

Thanks for taking your time to put down some code, pseudo-code and notes. Just some responses to randomly picked parts, I'll have to thinking through for some more time:

  • limitation to ASCII chars: might be too harsh in some well administered, fully localized environments, but eliminating non-printable chars is certainly a good thing
  • password quality scoring and x-out-of-y metrics: never thought about this in that detail before, but looks reasonable; other account admin experts to speak up here supporting this concept or proposing a different one?
  • password history: biggest concerns so far, i.e. AFAIK this would require storing n previous password even in non-native form, as there's no way to see inside salted passwords and decide, if they're different enough, right? - definitely an optional component of the policy framework

I'm currently wondering, if we should move even various existing checks into such a dedicated checks/policy/validation module, especially the growing number of username validation tests inside the registration code.

comment:9 Changed 6 years ago by Yasir Assam

Cc: Yasir Assam added; anonymous removed

comment:10 Changed 6 years ago by sukender@…

Cc: sukender@… added

Hi there,

Maybe some resources you already know about, but :

comment:11 Changed 5 years ago by Ryan J Ollos

Cc: Ryan J Ollos added

comment:12 Changed 4 months ago by Ryan J Ollos

Owner: Steffen Hoffmann deleted
Status: assignednew

comment:13 Changed 4 months ago by Ryan J Ollos

#13001 closed as a duplicate, requesting the ability to force a password change every X days.

Modify Ticket

Change Properties
Set your email in Preferences
as new The ticket will remain with no owner.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.