Vote #66014

Force passwords to contain specified character classes

Added by Admin Redmine over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version:
Start date: 2009/11/16
Due date:
% Done: 0%
Estimated time:

Description

I would like to enforce strong passwords for users in Redmine. As of now Redmine will accept any four-letter password. Is there a way that the application checks how strong a password is when a new user registers in it?

Can we implement any password generator with redmine?


Journals

As of r2678, you can specify the minimum password length in settings.
But a minimum password strength setting could also be added (e.g. Fair, Strong, Very strong) using a kind of password strength meter.

--------------------------------------------------------------------------------
Jean-Philippe Lang wrote:
> But a minimum password strength setting could also be added (e.g. Fair, Strong, Very strong) using a kind of password strength meter.

I would love to see this!
--------------------------------------------------------------------------------
*1
--------------------------------------------------------------------------------
> Can we implement any password generator with redmine?
* Implemented in "v2.4.0":http://www.redmine.org/versions/70 - Feature #3872 _New user password - better functionality_
--------------------------------------------------------------------------------
+1
The new feature implemented in 2.4.0++ referring to Feature #3872 includes a secured password generator.
However, if users may change their password at first login, they may pick "aaaaaaaa", which is far away from being secure. Thus, I also recommend adding a kind of password security check as suggested by jim joseph.
Please reopen the ticket.
Thanks a lot!
--------------------------------------------------------------------------------
+1

There are some recent efforts as I can see.

https://github.com/simonswine/redmine_password_tool
https://github.com/go2null/redmine_account_policy

But this should be a core system feature, it is a must for enterprise use.

--------------------------------------------------------------------------------
+
If we can enforce password strength, Redmine will be used in environments where a security policy is required.
I am posting a patch in which I implemented the following features:
* Enable setting password strength in admin settings
* Enable selecting the enforced character types (Uppercase, Lowercase, Digits, Special characters).
* Validation for each enforced character type
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
I think the validation in attachment:enforce-password-char-types.patch should cover all ASCII special characters, such as '(', ')', '+', '-', and '_'. The following code does that.

<pre><code class="diff">
diff --git a/app/models/setting.rb b/app/models/setting.rb
index b18f8ed89..4171fa04e 100644
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -19,6 +19,13 @@

class Setting < ActiveRecord::Base

+ PASSWORD_REQUIRED_CHARACTER_CLASSES = {
+ 'uppercase' => /[A-Z]/,
+ 'lowercase' => /[a-z]/,
+ 'digits' => /[0-9]/,
+ 'special_characters' => /[[:ascii:]&&[:graph:]&&[:^alnum:]]/
+ }
+
DATE_FORMATS = [
'%Y-%m-%d',
'%d/%m/%Y',
</code></pre>
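Review bot: The 'special_characters' entry in the new PASSWORD_REQUIRED_CHARACTER_CLASSES hash is correct but non-obvious; a one-line comment beside it saying that [[:ascii:]&&[:graph:]&&[:^alnum:]] matches any printable ASCII character that is neither a letter nor a digit (so '(' , '-' and '_' count, while space and non-ASCII symbols do not) would spare the next reader a trip to the Onigmo docs. Since the hash is a class-level constant that is only ever read, consider closing it with "}.freeze" so it cannot be mutated at runtime.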
--------------------------------------------------------------------------------
Thank you, Mr. Maeda.
I changed the patch and posted it again.
* Changed the definition of 'special_characters' to the code proposed by Mr. Maeda
* Changed the regular expression in the validation of special characters. => Almost all special characters within the ASCII range can now be used.
* Shortened constant and label names.
* On password generation, include special characters only when special characters are required.
* Added display of usable characters on forms such as the "Change Password" form.
--------------------------------------------------------------------------------
LGTM. Setting the target version to 4.1.0.
--------------------------------------------------------------------------------
This is a screenshot of attachment:enforce-password-char-types-v2.patch. Admins can force users to include specified character classes (uppercase, lowercase, digits, or special characters) in their password. This feature must be welcomed by many admins.

!{width: 753px; border: 1px solid #ccc;}.setting-required-character-classes-for-passwords@2x.png!
--------------------------------------------------------------------------------
Committed the patch. Thank you for improving Redmine.
--------------------------------------------------------------------------------
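The validation and generator behaviour discussed in the journals above (required character classes chosen by an admin, a check that reports which classes a password lacks, and a generator that only draws special characters when that class is required), as an added stand-alone Ruby example that is not Redmine's code or the attached patch; the REQUIRED list stands in for the admin setting and is an assumption.

```ruby
require 'securerandom'

# Character classes an admin can require, keyed by setting name. The regexes follow
# the ones proposed in this issue; the last one matches any printable ASCII character
# that is not a letter or digit (e.g. '(', '-', '_'), and excludes space and non-ASCII.
PASSWORD_CHAR_CLASSES = {
  'uppercase'          => /[A-Z]/,
  'lowercase'          => /[a-z]/,
  'digits'             => /[0-9]/,
  'special_characters' => /[[:ascii:]&&[:graph:]&&[:^alnum:]]/
}.freeze

# Hypothetical admin setting: which classes are currently enforced (assumption).
REQUIRED = %w[uppercase lowercase digits special_characters].freeze

# Names of the required classes the password does not contain (empty => all present).
def missing_character_classes(password, required = REQUIRED)
  required.reject { |name| password.match?(PASSWORD_CHAR_CLASSES[name]) }
end

# Minimum length plus every enforced character class, like the settings described above.
def password_acceptable?(password, required = REQUIRED, min_length: 8)
  password.length >= min_length && missing_character_classes(password, required).empty?
end

ALPHANUM = [*'A'..'Z', *'a'..'z', *'0'..'9'].freeze
# The 32 printable ASCII punctuation/symbol characters, derived from the same regex.
SPECIALS = (32..126).map(&:chr).grep(PASSWORD_CHAR_CLASSES['special_characters']).freeze

# Generates a password that satisfies the enforced classes; the special-character pool
# is only added when that class is required, so generated passwords stay typeable.
def generate_password(required = REQUIRED, length: 12)
  pool = ALPHANUM + (required.include?('special_characters') ? SPECIALS : [])
  loop do
    candidate = Array.new(length) { pool[SecureRandom.random_number(pool.size)] }.join
    return candidate if password_acceptable?(candidate, required, min_length: length)
  end
end
```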


Related issues

* relates to #3872 (Closed): New user password - better functionality
* relates to #3155 (New): Password policy and secure logon procedure
* duplicates #25054 (Closed): Enforcing Strong Password in Redmine

Updated by Admin Redmine over 3 years ago

  • Category set to Accounts / authentication
  • Target version set to 4.1.0
