Password policy and secure logon procedure

Added by Admin Redmine about 2 years ago. Updated about 2 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Start date: 2009/04/10
Due date:
% Done: 0%
Estimated time:
Original issue id: 3155

Description

Hi,

It would be nice if higher authentication security could be integrated in Redmine. I'd like to submit the following recommendations:

Password policy

1. use of both upper- and lower-case letters (case sensitivity);
2. inclusion of one or more numerical digits;
3. inclusion of special characters configuration choice;
4. free of consecutive identical (configurable), all-numeric or all-alphabetic characters;
5. change passwords at regular intervals (configurable) or based on the number of accesses (configurable); passwords for privileged accounts should be changed more frequently than normal passwords (configurable);
6. avoid re-using or cycling old passwords (configurable);
7. when users are required to maintain their own passwords, they should be provided initially with a secure temporary password;
8. change temporary passwords at the first log-on;
9. temporary passwords should be given to users in a secure manner; the use of third parties or unprotected (clear text) electronic mail messages should be avoided;
10. temporary passwords should be unique to an individual and should not be guessable;

Secure logon procedure

1. don't display system or application identifiers until the log-on process has been successfully completed (configurable);
2. display a general notice warning that the computer should only be accessed by authorized users (configurable as a choice and for the message to display);
3. don't provide help messages during the log-on procedure that would aid an unauthorized user;
4. validate the log-on information only on completion of all input data. If an error condition arises, the system should not indicate which part of the data is correct or incorrect;
5. limit the number of unsuccessful log-on attempts allowed, e.g. to three attempts (configurable with 0 = unlimited);
6. record unsuccessful and successful attempts;
7. force a time delay before further log-on attempts are allowed (configurable and exponential);
8. send an alarm message if the maximum number of log-on attempts is reached (configurable with email addresses);
9. display the following information on completion of a successful log-on:
  • date and time of the previous successful log-on;
  • details of any unsuccessful log-on attempts since the last successful log-on;
10. don't display the password being entered or consider hiding the password characters by symbols;
11. don't transmit passwords in clear text over a network.

If I'm not mistaken, the following items from the list above are already integrated in Redmine:

  • Password policy items 1,2,3,7,8,9 and 10
  • Secure logon procedure items 3,4,10 and 11

Thank you for considering these features!
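The password policy items listed above, written out as a checker in the style a Redmine plugin would use. This is an added example, not code from the issue, from Redmine or from any plugin; the threshold values stand in for the "configurable" knobs the request asks for and are assumptions.

```ruby
require 'digest'

# Assumed values for the "configurable" knobs the request asks for.
PASSWORD_POLICY = {
  min_length: 8,
  require_upper_and_lower: true,  # item 1
  require_digit: true,            # item 2
  require_special: true,          # item 3
  max_consecutive_identical: 2,   # item 4: "aaa" is rejected, "aa" is allowed
  history_size: 5                 # item 6: how many previous passwords to reject
}.freeze

# Deterministic digest used only to compare against the stored password history;
# a real deployment keeps per-user salted bcrypt hashes instead (salt is fixed here
# so the example is reproducible).
def password_digest(password, salt = 'example-salt')
  Digest::SHA256.hexdigest("#{salt}:#{password}")
end

# Returns the list of violated rules; an empty list means the password passes.
def password_policy_violations(password, old_digests = [], policy = PASSWORD_POLICY)
  violations = []
  violations << :too_short if password.length < policy[:min_length]
  if policy[:require_upper_and_lower] && !(password =~ /[a-z]/ && password =~ /[A-Z]/)
    violations << :missing_mixed_case
  end
  violations << :missing_digit if policy[:require_digit] && password !~ /\d/
  violations << :missing_special if policy[:require_special] && password !~ /[^A-Za-z0-9]/
  # item 4: a run of the same character longer than the configured maximum
  run = policy[:max_consecutive_identical]
  violations << :repeated_characters if password =~ /(.)\1{#{run},}/
  violations << :all_numeric if password =~ /\A\d+\z/
  violations << :all_alphabetic if password =~ /\A[A-Za-z]+\z/
  # item 6: only the most recent history_size digests count as "old passwords"
  recent = old_digests.last(policy[:history_size])
  violations << :reused if recent.include?(password_digest(password))
  violations
end
```

Returning every violated rule at once, rather than the first one, lets the UI tell the user everything that is wrong in a single round trip.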


Journals

The following items from the password policy should read:

2. inclusion (configurable to force or not) of one or more numerical digits (configurable);
3. inclusion of special characters configuration choice (configurable to force or not);
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Hi,

It doesn't look like this feature has been implemented yet; it would be very useful for us as well to have what Vidal was asking for. Can someone work on this?
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Hi,

I added cracklib support to Redmine. This doesn't address all your concerns with password policy, but at least some of them.

I figure you might find it helpful.

--------------------------------------------------------------------------------
Hi Robert,

I've added your changes to my test Redmine and I received an error when I restarted my Apache:

<pre>
no such file to load -- password (MissingSourceFile)
Exception class:
</pre>

My version of redmine is 1.2.3.

What exactly does your code do? Does it check the length of the password?
--------------------------------------------------------------------------------
I've created a plugin that implements Password Expiry and Lock Unused Account functionality.

_It is alpha quality, so use at your own risk. Further, this is my first plugin, so even alpha is more advanced than it may be :-)_

Would be great to receive pull requests on GitHub.

https://github.com/go2null/redmine_account_policy

The intent is to add more functionality to implement User Account rules.

Here's a summary of the current (v2.6.0) status of the asks in the Description.
*Password policy*
# use of both upper- and lower-case letters (case sensitivity);
## Plan to include in plugin
# inclusion of one or more numerical digits;
## Plan to include in plugin
# inclusion of special characters configuration choice;
## Plan to include in plugin
# free of consecutive identical (configurable), all-numeric or all-alphabetic characters;
## Plan to include in plugin
# change passwords at regular intervals (configurable) or based on the number of accesses (configurable); passwords for privileged accounts should be changed more frequently than normal passwords (configurable);
## _change passwords at regular intervals (configurable)_ is implemented in plugin as *Password Expiry*.
# avoid re-using or cycling old passwords (configurable);
## Redmine includes check against last password (i.e., prevent_reuse = 1)
## Plan to include in plugin
# when users are required to maintain their own passwords, they should be provided initially with a secure temporary password;
## Redmine implements this as *Generate password*
# change temporary passwords at the first log-on;
## Redmine implements this as *Must change password at next logon*
# temporary passwords should be given to users in a secure manner; the use of third parties or unprotected (clear text) electronic mail messages should be avoided;
# temporary passwords should be unique to an individual and should not be guessable;
## Redmine implements this as *Generate password*

*Secure logon procedure*
# don't display system or application identifiers until the log-on process has been successfully completed (configurable);
## Already implemented in Redmine
# display a general notice warning that the computer should only be accessed by authorized users (Configurable as a choice and for the message to display);
# don't provide help messages during the log-on procedure that would aid an unauthorized user;
## Already implemented in Redmine
# validate the log-on information only on completion of all input data. If an error condition arises, the system should not indicate which part of the data is correct or incorrect;
## Already implemented in Redmine
# limit the number of unsuccessful log-on attempts allowed, e.g. to three attempts (configurable with 0 = unlimited);
## Plan to include in plugin
# record unsuccessful and successful attempts;
# force a time delay before further log-on attempts are allowed (configurable and exponential);
## Plan to include in plugin
# send an alarm message if the maximum number of log-on attempts is reached (configurable with email addresses);
# display the following information on completion of a successful log-on:
## date and time of the previous successful log-on;
## details of any unsuccessful log-on attempts since the last successful log-on;
# don't display the password being entered or consider hiding the password characters by symbols;
## Already implemented in Redmine
# don't transmit passwords in clear text over a network.

--------------------------------------------------------------------------------
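The logon items the plugin author marks "Plan to include in plugin" above (attempt limit with 0 = unlimited, exponential delay between attempts, a record of every attempt, and the previous-logon details to show after a successful logon), modelled in memory. This is an added example, neither Redmine's nor redmine_account_policy's code; the class name, defaults and the alarm callback are assumptions, and time is passed in explicitly so the delay logic can be exercised without sleeping.

```ruby
class LogonAttemptTracker
  Attempt = Struct.new(:at, :success)

  # max_failures: 0 = unlimited, as the request asks; base_delay in seconds,
  # doubled for every consecutive failure; alarm is called once on lockout
  # (a deployment would send the configured email addresses here).
  def initialize(max_failures: 3, base_delay: 2, alarm: ->(_login) {})
    @max_failures = max_failures
    @base_delay = base_delay
    @alarm = alarm
    @attempts = Hash.new { |h, k| h[k] = [] }
  end

  def consecutive_failures(login)
    @attempts[login].reverse.take_while { |a| !a.success }.size
  end

  def locked?(login)
    @max_failures.positive? && consecutive_failures(login) >= @max_failures
  end

  # Seconds to wait before another attempt is accepted: base_delay * 2^(failures-1)
  def delay_remaining(login, now)
    failures = consecutive_failures(login)
    return 0 if failures.zero?
    last = @attempts[login].last.at
    [last + @base_delay * 2**(failures - 1) - now, 0].max
  end

  # Records every accepted attempt and returns :locked, :delayed, :ok or :failed.
  def record(login, success, now)
    return :locked if locked?(login)
    return :delayed if delay_remaining(login, now).positive?
    @attempts[login] << Attempt.new(now, success)
    return :ok if success
    @alarm.call(login) if locked?(login)
    :failed
  end

  # Data to show after a successful logon: when the previous success was and
  # how many attempts failed in between; nil when there is no previous success.
  def last_logon_summary(login)
    history = @attempts[login]
    successes = history.each_index.select { |i| history[i].success }
    return nil if successes.size < 2
    prev, cur = successes[-2], successes[-1]
    { previous_success_at: history[prev].at,
      failures_since: history[(prev + 1)...cur].count { |a| !a.success } }
  end
end
```

Attempts refused as :delayed or :locked are deliberately not appended to the history, so a burst of requests cannot inflate the delay or the failure count beyond what the configured rules define.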


Related issues

  • Relates to #3096 (New): Lock accounts after X failed attempts
  • Relates to #19458 (Closed): Add the ability to expire passwords after a configurable number of days
  • Relates to #4221 (Closed): Force passwords to contain specified character classes
  • Duplicates #12182 (Closed): improvement password security for internal authentication

Updated by Admin Redmine about 2 years ago

  • Category set to Accounts / authentication
