Feature #4221

Force passwords to contain specified character classes

Added by jim joseph almost 11 years ago. Updated about 1 year ago.

Status:ClosedStart date:2009-11-16
Priority:NormalDue date:
Assignee:Go MAEDA% Done:

0%

Category:Accounts / authentication
Target version:4.1.0
Resolution:Fixed

Description

I would like to enforce strong password for users in redmine. As if now redmine will accept any four letter password. Is there a way that applicaton checks how strong a password is when a new user register in it.

Can we implement any password generator with redmine?

enforce-password-char-types.patch Magnifier (7.98 KB) Takenori TAKAKI, 2019-08-02 09:19

enforce-password-char-types-v2.patch Magnifier (11 KB) Takenori TAKAKI, 2019-08-27 09:37

setting-required-character-classes-for-passwords@2x.png (48.4 KB) Go MAEDA, 2019-08-28 05:51

Related issues

Related to Redmine - Feature #3872: New user password - better functionality Closed 2009-09-15
Related to Redmine - Feature #3155: Password policy and secure logon procedure New 2009-04-10
Duplicated by Redmine - Feature #25054: Enforcing Strong Password in Redmine Closed

Associated revisions

Revision 18411
Added by Go MAEDA about 1 year ago

Force passwords to contain specified character classes (#4221).

Patch by Takenori TAKAKI.

Revision 18412
Added by Go MAEDA about 1 year ago

Update locales (#4221).

Revision 18413
Added by Go MAEDA about 1 year ago

Update locales (#4221).

Revision 18414
Added by Go MAEDA about 1 year ago

Send security notifications when password_required_char_classes setting is changed (#4221).

History

#1 Updated by Jean-Philippe Lang almost 11 years ago

As of r2678, you can specify the minimum password length in settings.
But a minimum password strength setting could be also added (eg. Fair, Strong, Very strong) using kind of password strengh meter.

#2 Updated by Jean-Philippe Lang almost 11 years ago

  • Category set to Accounts / authentication

#3 Updated by Henrik Ammer almost 11 years ago

Jean-Philippe Lang wrote:

But a minimum password strength setting could be also added (eg. Fair, Strong, Very strong) using kind of password strengh meter.

I would love to see this!

#4 Updated by Samuel Suther about 7 years ago

*1

#5 Updated by @ go2null about 7 years ago

Can we implement any password generator with redmine?

  • Implemented in v2.4.0 - Feature #3872 New user password - better functionality

#6 Updated by Toshi MARUYAMA about 7 years ago

  • Related to Feature #3872: New user password - better functionality added

#7 Updated by Simon O over 6 years ago

1
The new feature implemented in 2.4.0+ referring to Feature #3872 includes a secured password generator.
However, if users may change their password at first login, they may pick "aaaaaaaa" which is far away from being secure. Thus, I also recommend to add a kind of password security check as suggested by jim joseph.
Please reopen ticket.
Thanks a lot!

#8 Updated by Aleksandar Pavic over 4 years ago

+1

There are some recent efforts as I can see.

https://github.com/simonswine/redmine_password_tool
https://github.com/go2null/redmine_account_policy

But this should be a core system feature, it is a must for enterprise use.

#9 Updated by Toshi MARUYAMA over 3 years ago

  • Duplicated by Feature #25054: Enforcing Strong Password in Redmine added

#10 Updated by Go MAEDA over 1 year ago

  • Related to Feature #3155: Password policy and secure logon procedure added

#11 Updated by Takenori TAKAKI about 1 year ago

+
If we can enforce password strength, Redmine will be used in environments where some security policy is required.
I post a patch, as I implemented the following features:
  • Enable to setting password strength in admin settings
  • Enable to selecting the enforce character types (Uppercase, Lowercase, Digits, Special characters).
  • Validation for each enforce character types

#12 Updated by Go MAEDA about 1 year ago

  • Priority changed from High to Normal
  • Target version set to Candidate for next major release

#13 Updated by Go MAEDA about 1 year ago

I think the validation in enforce-password-char-types.patch should cover all ASCII special characters, such as '(', ')', '+', '-', and '_'. The following code does that.

diff --git a/app/models/setting.rb b/app/models/setting.rb
index b18f8ed89..4171fa04e 100644
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -19,6 +19,13 @@

 class Setting < ActiveRecord::Base

+  PASSWORD_REQUIRED_CHARACTER_CLASSES = {
+        'uppercase'          => /[A-Z]/,
+        'lowercase'          => /[a-z]/,
+        'digits'             => /[0-9]/,
+        'special_characters' => /[[:ascii:]&&[:graph:]&&[:^alnum:]]/
+    }
+
   DATE_FORMATS = [
         '%Y-%m-%d',
         '%d/%m/%Y',

#14 Updated by Takenori TAKAKI about 1 year ago

Thank you Mr. Maeda.
I change a patch and post it again.
  • Changed definition of 'special_characters' to the code proposed by Mr. Maeda
  • Changed regular expression in validation of special characters. => Almost all special characters within the ASCII range can be used.
  • Shortened constant and label names.
  • On password generation, contain special characters only when special characters are required.
  • Added display of usable characters such as "Change Password" Form.

#15 Updated by Go MAEDA about 1 year ago

  • Target version changed from Candidate for next major release to 4.1.0

LGTM. Setting the target version to 4.1.0.

#16 Updated by Go MAEDA about 1 year ago

This is the screenshot of enforce-password-char-types-v2.patch. Admins can force users to include specified character classes (uppercase, lowercase, digits, or special Characters) in their password. This feature must be welcomed by many admins.

#17 Updated by Go MAEDA about 1 year ago

  • Subject changed from Enforcing Strong Password for Users to Force passwords to contain specified character classes
  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the patch. Thank you for improving Redmine.

Also available in: Atom PDF