Redmine

The following items from the password policy should read:

2. inclusion (configurable to force or not) of one or more numerical digits (configurable);
3. inclusion of special characters configuration choice (configurable to force or not);

Hi Robert,

I've added your changes to my test redmine and I received an error when I restarted my apache

no such file to load -- password (MissingSourceFile)
Exception class:

My version of redmine is 1.2.3.

What exactly does your code do? Does it check the length of the password?

I've created a plugin that implements Password Expiry and Lock Unused Account functionality.

It is alpha quality, so use at your own risk. Further, this is my first plugin, so even alpha is more advanced that it may be :-)

Would be great to receive pull request on GitHub.

https://github.com/go2null/redmine_account_policy

The intent is to add more functionality to implement User Account rules.

1. use of both upper- and lower-case letters (case sensitivity);
   1. Plan to include in plugin
2. inclusion of one or more numerical digits;
   1. Plan to include in plugin
3. inclusion of special characters configuration choice;
   1. Plan to include in plugin
4. free of consecutive identical (configurable), all-numeric or all-alphabetic characters;
   1. Plan to include in plugin
5. change passwords at regular intervals (configurable) or based on the number of accesses (configurable); passwords for privileged accounts should be changed more frequently than normal passwords (configurable);
   1. change passwords at regular intervals (configurable) is implemented in plugin as Password Expiry.
6. avoid re-using or cycling old passwords (configurable);
   1. Redmine includes check against last password (i.e., prevent_reuse = 1)
   2. Plan to include in plugin
7. when users are required to maintain their own passwords, they should be provided initially with a secure temporary password;
   1. Redmine implements this as Generate password
8. change temporary passwords at the first log-on;
   1. Redmine implements this as Must change password at next logon
9. temporary passwords should be given to users in a secure manner; the use of third parties or unprotected (clear text) electronic mail messages should be avoided;
10. temporary passwords should be unique to an individual and should not be guessable;
    1. Redmine implements this as Generate password

1. don't display system or application identifiers until the log-on process has been successfully completed (configurable);
   1. Already implemented in Redmine
2. display a general notice warning that the computer should only be accessed by authorized users (Configurable as a choice and for the message to display);
3. don't provide help messages during the log-on procedure that would aid an unauthorized user;
   1. Already implemented in Redmine
4. validate the log-on information only on completion of all input data. If an error condition arises, the system should not indicate which part of the data is correct or incorrect;
   1. Already implemented in Redmine
5. limit the number of unsuccessful log-on attempts allowed, e.g. to three attempts (configurable with 0 = unlimited);
   1. Plan to include in plugin
6. record unsuccessful and successful attempts;
7. force a time delay before further log-on attempts are allowed (configurable and exponential);
   1. Plan to include in plugin
8. send an alarm message if the maximum number of log-on attempts is reached (configurable with email addresses);
9. display the following information on completion of a successful log-on:
   1. date and time of the previous successful log-on;
   2. details of any unsuccessful log-on attempts since the last successful log-on;
10. don't display the password being entered or consider hiding the password characters by symbols;
    1. Already implemented in Redmine
11. don't transmit passwords in clear text over a network.