Feature #4221

Force passwords to contain specified character classes

Added by jim joseph about 15 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Accounts / authentication
Target version:
Start date:
2009-11-16
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed

Description

I would like to enforce strong passwords for users in Redmine. As of now, Redmine will accept any four-letter password. Is there a way that the application checks how strong a password is when a new user registers in it?

Can we implement any password generator with redmine?

Related issues

  • Related to Redmine - Feature #3872: New user password - better functionality (Closed, Jean-Philippe Lang, 2009-09-15)
  • Related to Redmine - Feature #3155: Password policy and secure logon procedure (New, 2009-04-10)
  • Related to Redmine - Defect #37449: Passing a wrong parameter to `with_settings` in UserTest::test_random_password_include_required_characters (Closed, Go MAEDA)
  • Has duplicate Redmine - Feature #25054: Enforcing Strong Password in Redmine (Closed)

Actions #1

Updated by Jean-Philippe Lang about 15 years ago

As of r2678, you can specify the minimum password length in settings.
But a minimum password strength setting could also be added (e.g. Fair, Strong, Very strong) using some kind of password strength meter.

Actions #2

Updated by Jean-Philippe Lang about 15 years ago

  • Category set to Accounts / authentication
Actions #3

Updated by Henrik Ammer about 15 years ago

Jean-Philippe Lang wrote:

But a minimum password strength setting could also be added (e.g. Fair, Strong, Very strong) using some kind of password strength meter.

I would love to see this!

Actions #4

Updated by Samuel Suther over 11 years ago

*1

Actions #5

Updated by go2null over 11 years ago

Can we implement any password generator with redmine?

  • Implemented in v2.4.0 - Feature #3872 New user password - better functionality
Actions #6

Updated by Toshi MARUYAMA over 11 years ago

  • Related to Feature #3872: New user password - better functionality added
Actions #7

Updated by Simon O almost 11 years ago

+1
The new feature implemented in 2.4.0, referring to Feature #3872, includes a secured password generator.
However, if users may change their password at first login, they may pick "aaaaaaaa", which is far from secure. Thus, I also recommend adding a kind of password security check as suggested by jim joseph.
Please reopen the ticket.
Thanks a lot!

Actions #8

Updated by Aleksandar Pavic almost 9 years ago

+1

There are some recent efforts as I can see.

https://github.com/simonswine/redmine_password_tool
https://github.com/go2null/redmine_account_policy

But this should be a core system feature, it is a must for enterprise use.

Actions #9

Updated by Toshi MARUYAMA almost 8 years ago

  • Has duplicate Feature #25054: Enforcing Strong Password in Redmine added
Actions #10

Updated by Go MAEDA over 5 years ago

  • Related to Feature #3155: Password policy and secure logon procedure added
Actions #11

Updated by Takenori TAKAKI over 5 years ago

+1
If we can enforce password strength, Redmine can be used in environments where a security policy is required.
I am posting a patch in which I implemented the following features:
  • Enable setting the password strength in the admin settings
  • Enable selecting the enforced character types (Uppercase, Lowercase, Digits, Special characters)
  • Validation for each enforced character type
Actions #12

Updated by Go MAEDA over 5 years ago

  • Priority changed from High to Normal
  • Target version set to Candidate for next major release
Actions #13

Updated by Go MAEDA over 5 years ago

I think the validation in enforce-password-char-types.patch should cover all ASCII special characters, such as '(', ')', '+', '-', and '_'. The following code does that.

diff --git a/app/models/setting.rb b/app/models/setting.rb
index b18f8ed89..4171fa04e 100644
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -19,6 +19,13 @@

 class Setting < ActiveRecord::Base

+  PASSWORD_REQUIRED_CHARACTER_CLASSES = {
+        'uppercase'          => /[A-Z]/,
+        'lowercase'          => /[a-z]/,
+        'digits'             => /[0-9]/,
+        'special_characters' => /[[:ascii:]&&[:graph:]&&[:^alnum:]]/
+    }
+
   DATE_FORMATS = [
         '%Y-%m-%d',
         '%d/%m/%Y',
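Review bot: the `special_characters` pattern (`/[[:ascii:]&&[:graph:]&&[:^alnum:]]/`) intentionally excludes whitespace (via `[:graph:]`) and every non-ASCII character, so a space, a tab, or a non-ASCII punctuation mark will not satisfy the requirement while `_`, `(`, `)`, `+` and `-` will; that boundary is not visible from the hunk alone and should be stated in the setting's help text and pinned with a unit test (e.g. assert that `'_'` and `'('` match and `' '` does not), and the hash itself could be frozen since it is a class-level constant.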
Actions #14

Updated by Takenori TAKAKI over 5 years ago

Thank you, Mr. Maeda.
I changed the patch and posted it again.
  • Changed the definition of 'special_characters' to the code proposed by Mr. Maeda
  • Changed the regular expression in the validation of special characters, so that almost all special characters within the ASCII range can be used
  • Shortened constant and label names
  • On password generation, include special characters only when special characters are required
  • Added a display of the usable characters to forms such as the "Change Password" form
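The two pieces of behaviour discussed in notes #11 to #14 (validating a password against the admin-selected character classes, and generating a password that only includes special characters when they are required) as a stand-alone added example; this is not Redmine's code or the patch itself, the `required` argument stands in for the (hypothetical) admin setting, and the character-class patterns are the ones from note #13.

```ruby
require 'securerandom'

# Character classes from the patch in note #13: 'special_characters' is any
# printable, ASCII, non-alphanumeric character (so '_', '(' and '-' count,
# but a space or a non-ASCII symbol does not).
PASSWORD_CHAR_CLASSES = {
  'uppercase'          => /[A-Z]/,
  'lowercase'          => /[a-z]/,
  'digits'             => /[0-9]/,
  'special_characters' => /[[:ascii:]&&[:graph:]&&[:^alnum:]]/
}.freeze

# Names of the required classes that the password does not contain.
# `required` plays the role of the admin setting (hypothetical name).
def missing_character_classes(password, required)
  required.reject { |name| password =~ PASSWORD_CHAR_CLASSES.fetch(name) }
end

# Policy check combining the existing minimum-length setting with the classes.
def password_policy_ok?(password, required, min_length: 8)
  password.length >= min_length && missing_character_classes(password, required).empty?
end

# Alphabets used by the generator (constructed here; every special character
# listed matches the 'special_characters' pattern above).
ALPHABETS = {
  'uppercase'          => ('A'..'Z').to_a,
  'lowercase'          => ('a'..'z').to_a,
  'digits'             => ('0'..'9').to_a,
  'special_characters' => '!#$%&()*+-./:;<=>?@[]^_{|}~'.chars
}.freeze

# Random password satisfying the required classes: one character from each
# required alphabet, the remainder from the allowed alphabets, then a CSPRNG
# shuffle so the guaranteed characters do not sit at fixed positions. Special
# characters enter the pool only when they are required (as in patch v2).
def generate_password(length, required)
  raise ArgumentError, 'length shorter than number of required classes' if length < required.size
  allowed = ALPHABETS.keys & (%w[uppercase lowercase digits] | required)
  pool = allowed.flat_map { |name| ALPHABETS[name] }
  chars = required.map { |name| ALPHABETS[name].sample(random: SecureRandom) }
  chars += Array.new(length - chars.size) { pool.sample(random: SecureRandom) }
  chars.shuffle(random: SecureRandom).join
end
```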
Actions #15

Updated by Go MAEDA over 5 years ago

  • Target version changed from Candidate for next major release to 4.1.0

LGTM. Setting the target version to 4.1.0.

Actions #16

Updated by Go MAEDA over 5 years ago

This is the screenshot of enforce-password-char-types-v2.patch. Admins can force users to include specified character classes (uppercase, lowercase, digits, or special characters) in their password. This feature must be welcomed by many admins.

Actions #17

Updated by Go MAEDA over 5 years ago

  • Subject changed from Enforcing Strong Password for Users to Force passwords to contain specified character classes
  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the patch. Thank you for improving Redmine.

Actions #19

Updated by Go MAEDA over 2 years ago

  • Related to Defect #37449: Passing a wrong parameter to `with_settings` in UserTest::test_random_password_include_required_characters added