Feature #4221
Force passwords to contain specified character classes
| Status: | Closed | Start date: | 2009-11-16 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | Accounts / authentication | | |
| Target version: | 4.1.0 | | |
| Resolution: | Fixed | | |
Description
I would like to enforce strong passwords for users in Redmine. As of now, Redmine will accept any four-letter password. Is there a way for the application to check how strong a password is when a new user registers?
Can we implement a password generator in Redmine?
Related issues
Associated revisions
Force passwords to contain specified character classes (#4221).
Patch by Takenori TAKAKI.
Update locales (#4221).
Update locales (#4221).
Send security notifications when password_required_char_classes setting is changed (#4221).
History
#1
Updated by Jean-Philippe Lang over 12 years ago
As of r2678, you can specify the minimum password length in settings.
But a minimum password strength setting could also be added (e.g. Fair, Strong, Very strong) using some kind of password strength meter.
#2
Updated by Jean-Philippe Lang over 12 years ago
- Category set to Accounts / authentication
#3
Updated by Henrik Ammer over 12 years ago
Jean-Philippe Lang wrote:
But a minimum password strength setting could also be added (e.g. Fair, Strong, Very strong) using some kind of password strength meter.
I would love to see this!
#4
Updated by Samuel Suther about 9 years ago
+1
#5
Updated by go2null about 9 years ago
#6
Updated by Toshi MARUYAMA about 9 years ago
- Related to Feature #3872: New user password - better functionality added
#7
Updated by Simon O over 8 years ago
+1
The new feature implemented in 2.4.0+ referring to Feature #3872 includes a secured password generator.
However, if users may change their password at first login, they may pick "aaaaaaaa", which is far from secure. Thus, I also recommend adding some kind of password security check, as suggested by jim joseph.
Please reopen ticket.
Thanks a lot!
#8
Updated by Aleksandar Pavic over 6 years ago
+1
There are some recent efforts as I can see.
https://github.com/simonswine/redmine_password_tool
https://github.com/go2null/redmine_account_policy
But this should be a core system feature, it is a must for enterprise use.
#9
Updated by Toshi MARUYAMA over 5 years ago
- Duplicated by Feature #25054: Enforcing Strong Password in Redmine added
#10
Updated by Go MAEDA over 3 years ago
- Related to Feature #3155: Password policy and secure logon procedure added
#11
Updated by Takenori TAKAKI about 3 years ago
- File enforce-password-char-types.patch
added
If we can enforce password strength, Redmine can be used in environments where a security policy is required.
I am posting a patch that implements the following features:
- Allow setting password strength in the admin settings
- Allow selecting the enforced character types (Uppercase, Lowercase, Digits, Special characters)
- Validation for each enforced character type
#12
Updated by Go MAEDA about 3 years ago
- Priority changed from High to Normal
- Target version set to Candidate for next major release
#13
Updated by Go MAEDA about 3 years ago
I think the validation in enforce-password-char-types.patch should cover all ASCII special characters, such as '(', ')', '+', '-', and '_'. The following code does that.
diff --git a/app/models/setting.rb b/app/models/setting.rb
index b18f8ed89..4171fa04e 100644
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -19,6 +19,13 @@
class Setting < ActiveRecord::Base
+ PASSWORD_REQUIRED_CHARACTER_CLASSES = {
+ 'uppercase' => /[A-Z]/,
+ 'lowercase' => /[a-z]/,
+ 'digits' => /[0-9]/,
+ 'special_characters' => /[[:ascii:]&&[:graph:]&&[:^alnum:]]/
+ }
+
DATE_FORMATS = [
'%Y-%m-%d',
'%d/%m/%Y',
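Review bot: `[:graph:]` excludes the space character, so in `PASSWORD_REQUIRED_CHARACTER_CLASSES` a password whose only non-alphanumeric character is a space fails the `special_characters` check while `_`, `-` and `(` pass; since the form is to display the usable characters to users, that text should say that space does not count, or the class should be widened to `[[:ascii:]&&[:print:]&&[:^alnum:]]` if spaces are meant to count. The `uppercase`/`lowercase` patterns are ASCII-only (`[A-Z]`, `[a-z]`), so a letter such as `É` satisfies neither class; acceptable as a policy, but worth stating in the setting's help text so non-ASCII users are not surprised. Minor: the hash literal is a mutable constant; appending `.freeze` after the closing `}` prevents accidental modification at runtime.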
#14
Updated by Takenori TAKAKI almost 3 years ago
- File enforce-password-char-types-v2.patch
added
I changed the patch and am posting it again.
- Changed the definition of 'special_characters' to the code proposed by Mr. Maeda
- Changed the regular expression in the validation of special characters => almost all special characters within the ASCII range can be used.
- Shortened constant and label names.
- On password generation, include special characters only when special characters are required.
- Added display of the usable characters on forms such as the "Change Password" form.
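The following is an added, stand-alone example (not Redmine's code, and not the patch attached here) showing the two pieces of behaviour discussed in #13 and #14 together: validation of a password against a set of required character classes, and a generator that is guaranteed to satisfy the same policy and that draws special characters only when they are required. The class table is the one proposed in #13; the helper names (`missing_char_classes`, `password_policy_ok?`, `generate_password`), the `min_length` default and the alphabet table are assumptions made for this example.

```ruby
require 'securerandom'

# Added example, not Redmine's own code. The regexes are the ones proposed in
# this thread; everything else here is an assumption made for illustration.
PASSWORD_CHAR_CLASSES = {
  'uppercase'          => /[A-Z]/,
  'lowercase'          => /[a-z]/,
  'digits'             => /[0-9]/,
  # ASCII, printable and non-space, not alphanumeric: i.e. ASCII punctuation.
  # Note that a plain space does not match ([:graph:] excludes it).
  'special_characters' => /[[:ascii:]&&[:graph:]&&[:^alnum:]]/
}.freeze

# Alphabets for the generator, one per class. The special-character alphabet is
# derived by filtering printable ASCII (33..126) through the validator's own
# regex, so generator and validator can never disagree on what is "special".
PASSWORD_ALPHABETS = {
  'uppercase'          => ('A'..'Z').to_a,
  'lowercase'          => ('a'..'z').to_a,
  'digits'             => ('0'..'9').to_a,
  'special_characters' => (33..126).map(&:chr).grep(PASSWORD_CHAR_CLASSES['special_characters'])
}.freeze

# Returns the required classes the password does NOT contain; an empty array
# means every required class is present.
def missing_char_classes(password, required)
  required.reject { |name| password.match?(PASSWORD_CHAR_CLASSES.fetch(name)) }
end

# Full policy check: minimum length plus all required character classes.
def password_policy_ok?(password, required, min_length: 8)
  password.length >= min_length && missing_char_classes(password, required).empty?
end

# Generates a password of +length+ characters that satisfies the policy:
# one character is drawn from each required class, the remainder from the union
# of the required classes plus the three alphanumeric classes. Special
# characters therefore only appear when 'special_characters' is required
# (the behaviour described in #14). All draws and the final shuffle use
# SecureRandom so the position of the guaranteed characters is not predictable.
def generate_password(length, required)
  raise ArgumentError, 'length too short for the required classes' if length < required.size

  pool  = (required | %w[uppercase lowercase digits]).flat_map { |n| PASSWORD_ALPHABETS.fetch(n) }
  chars = required.map { |n| PASSWORD_ALPHABETS.fetch(n).sample(random: SecureRandom) }
  chars += Array.new(length - chars.size) { pool.sample(random: SecureRandom) }
  chars.shuffle(random: SecureRandom).join
end

if __FILE__ == $PROGRAM_NAME
  policy = %w[uppercase lowercase digits special_characters]
  puts "aaaaaaaa ok? #{password_policy_ok?('aaaaaaaa', policy)}"
  puts "generated: #{generate_password(12, policy)}"
end
```

Because the generator's special-character alphabet is computed from the same regex the validator uses, widening or narrowing the class in one place (for example to make space count) automatically keeps the two consistent, which is the kind of drift a separate hand-written alphabet string would invite.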
#15
Updated by Go MAEDA almost 3 years ago
- Target version changed from Candidate for next major release to 4.1.0
LGTM. Setting the target version to 4.1.0.
#16
Updated by Go MAEDA almost 3 years ago
This is the screenshot of enforce-password-char-types-v2.patch. Admins can force users to include specified character classes (uppercase, lowercase, digits, or special characters) in their password. This feature must be welcomed by many admins.
#17
Updated by Go MAEDA almost 3 years ago
- Subject changed from Enforcing Strong Password for Users to Force passwords to contain specified character classes
- Status changed from New to Closed
- Assignee set to Go MAEDA
- Resolution set to Fixed
Committed the patch. Thank you for improving Redmine.
#19
Updated by Go MAEDA 25 days ago
- Related to Defect #37449: Passing a wrong parameter to `with_settings` in UserTest::test_random_password_include_required_characters added