Task #1573

closed

User attributes not allowed in passwords - check for the delimiters

Added by Alena Peterová about 5 years ago. Updated almost 4 years ago.

Status: Closed
Priority: High
Assignee: Ondrej Husník
Category: Password policy
Target version:
Start date: 03/25/2019
Due date:
% Done: 100%
Estimated time: 12.00 h
Owner:

Description

Please improve enhanced control for password policy - User attributes not allowed in password.

Now (9.5) we check whether the whole username, first name or last name is a substring of the password. If the last name is e.g. "Nováková-Dvořáková", then passwords containing only "novakova" are valid in IdM. But they are not valid in Active Directory, so when we provision passwords to AD, this creates problems.
On the other hand, if any part of the first name / last name is too short, it should be ignored when checking the password.

Suggested changes:
  • The username/firstName/lastName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the username/firstName/lastName is split and all parsed sections (tokens) are confirmed not to be included in the password.
  • Tokens that are less than three characters in length are ignored, and substrings of the tokens are not checked.
  • For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M" and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.

(inspired by https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc786468(v=ws.10))
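The tokenization and substring check from the suggested changes, written out as an added example in Python (this is not CzechIdM's code, nor the Microsoft implementation; it only follows the rule as the task describes it). The attribute names in the sample dictionaries (`username`, `firstName`, `lastName`) are illustrative, not the product's field names. The referenced Microsoft rule is case-insensitive only; stripping diacritics (so that "Nováková" yields the token "novakova") is an assumption made here to cover the last-name example above, and can be switched off.

```python
from __future__ import annotations

import re
import unicodedata

# Delimiters named in the task: comma, period, dash/hyphen, underscore,
# space, pound sign and tab. Runs of delimiters count as one split point.
_DELIMITER_RE = re.compile(r"[,.\-_ #\t]+")
# Tokens shorter than this are ignored (the "M" in "Erin M. Hagens").
MIN_TOKEN_LEN = 3


def normalize(text: str, fold_diacritics: bool = True) -> str:
    """Lower-case text for a case-insensitive comparison.

    The referenced Microsoft rule is only case-insensitive. Stripping accents
    (Nováková -> novakova) is an ASSUMPTION added in this example so that the
    task's own case (password containing "novakova" vs. last name
    "Nováková-Dvořáková") is caught; pass fold_diacritics=False for the plain rule.
    """
    if fold_diacritics:
        decomposed = unicodedata.normalize("NFKD", text)
        text = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return text.casefold()


def tokenize(value: str | None, fold_diacritics: bool = True) -> list[str]:
    """Split one attribute value on the delimiters and drop short tokens.

    Length is measured on the raw token, before normalization, so that
    casefolding (e.g. "ß" -> "ss") cannot change which tokens survive.
    """
    if not value:
        return []
    return [
        normalize(part, fold_diacritics)
        for part in _DELIMITER_RE.split(value)
        if len(part) >= MIN_TOKEN_LEN
    ]


def forbidden_tokens(attributes: dict[str, str | None],
                     fold_diacritics: bool = True) -> set[str]:
    """Union of tokens from every attribute selected for the check."""
    tokens: set[str] = set()
    for value in attributes.values():
        tokens.update(tokenize(value, fold_diacritics))
    return tokens


def attribute_tokens_in_password(password: str,
                                 attributes: dict[str, str | None],
                                 fold_diacritics: bool = True) -> list[str]:
    """Return the tokens found inside the password; an empty list means it passes.

    Only whole tokens are searched for: a password that merely shares a
    substring with a token (e.g. "Hag" from "Hagens") is not rejected.
    """
    haystack = normalize(password, fold_diacritics)
    return sorted(t for t in forbidden_tokens(attributes, fold_diacritics) if t in haystack)


if __name__ == "__main__":
    # Constructed sample identities; attribute names are illustrative only.
    hagens = {"username": "erin.hagens", "firstName": "Erin", "lastName": "M. Hagens"}
    novakova = {"username": "jnovakova", "firstName": "Jana", "lastName": "Nováková-Dvořáková"}
    for identity, pw in [(hagens, "erin#Hag3ns"), (hagens, "Ha-gens-2019!"),
                         (novakova, "Novakova#2019"), (novakova, "Dv0rak0va!2019")]:
        hits = attribute_tokens_in_password(pw, identity)
        print(f"{pw!r}: {'REJECTED, contains ' + str(hits) if hits else 'ok'}")
```

Two details worth keeping in mind when porting this to a real policy engine: the minimum token length is applied to the raw value before any normalization, so a one-letter initial is dropped regardless of case or accents, and the check is substring-of-password for whole tokens only, so "Ha-gens" is not caught even though "hagens" would be.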

Actions #2

Updated by Vít Švanda almost 5 years ago

  • Target version set to Quartz (9.6.0)
Actions #3

Updated by Vít Švanda almost 5 years ago

  • Estimated time set to 12.00 h
Actions #4

Updated by Vít Švanda almost 5 years ago

  • Target version changed from Quartz (9.6.0) to Rhyolite (9.7.0)
Actions #5

Updated by Vít Švanda over 4 years ago

  • Target version changed from Rhyolite (9.7.0) to Rhyolite (9.7.3)
Actions #6

Updated by Vít Švanda over 4 years ago

  • Target version changed from Rhyolite (9.7.3) to Rhyolite (9.7.5)
Actions #7

Updated by Vít Švanda over 4 years ago

  • Target version changed from Rhyolite (9.7.5) to Rhyolite (9.7.6)
Actions #8

Updated by Ondřej Kopr over 4 years ago

  • Target version changed from Rhyolite (9.7.6) to Rhyolite (9.7.7)
Actions #9

Updated by Radek Tomiška over 4 years ago

  • Target version deleted (Rhyolite (9.7.7))
Actions #10

Updated by Alena Peterová about 4 years ago

  • Priority changed from Normal to High

This problem occurred again in our environment. We connect AD almost everywhere. Would you please include this requirement in one of the next versions?

Actions #11

Updated by Radek Tomiška about 4 years ago

  • Assignee changed from Ondřej Kopr to Ondrej Husník
  • Target version set to 10.2.0
Actions #12

Updated by Ondrej Husník about 4 years ago

After a Slack discussion, "attributes that are not allowed in password" will be extended with Titles and Personal Number.
The current validation behavior will be changed to that mentioned in the task description. No additional activating checkbox is necessary.

Actions #13

Updated by Ondrej Husník about 4 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 30
Actions #14

Updated by Ondrej Husník about 4 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondrej Husník to Radek Tomiška
  • % Done changed from 30 to 90

This task slightly changes the approach to password validation when advanced control is enabled and *User attributes not allowed in password* are selected. Personal number and titles before/after the name were newly added as checked attributes, and the validation algorithm takes into account composed values, e.g. novak-novotny in a last name. Details are in the created documentation.

https://wiki.czechidm.com/devel/documentation/security/dev/password-policies

Please provide me feedback on this task. Thank you.

https://github.com/bcvsolutions/CzechIdMng/pull/95/commits/43d08d24e1771921d9dd8a1bbf2197f42e2af2d4

Actions #15

Updated by Alena Peterová about 4 years ago

Thank you very much for this task and very nice documentation!

Would you please update the admin part of the documentation in such cases? I.e. https://wiki.czechidm.com/devel/documentation/adm/pwd. This information about password validation is exactly what is interesting for our customers - administrators, business owners - or other consultants. We want to send them links to the admin documentation, not to documentation for IdM developers, which contains a lot of technical implementation details. Thanks!

Actions #16

Updated by Radek Tomiška almost 4 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Radek Tomiška to Ondrej Husník
  • % Done changed from 90 to 100

I did a test and code review, it works and the code is nice, thx!

I merged it into develop with two little changes: we avoid using abbreviations in code (PERSONALNUM => EXTERNALCODE) and fixed the cs locale (duplicate sentence in the attributes list).
https://github.com/bcvsolutions/CzechIdMng/commit/1ceec439ee9cb2477533ddd83f73e1b4fc8fe33c

Actions #17

Updated by Radek Tomiška almost 4 years ago

  • Status changed from Resolved to Closed