Task #1573
closed
User attributes not allowed in passwords - check for the delimiters
Added by Alena Peterová about 5 years ago.
Updated about 4 years ago.
Description
Please improve enhanced control for password policy - User attributes not allowed in password.
Now (9.5) we check if the whole username, first name, last name is a substring of the password. If the lastname is e.g. "Nováková-Dvořáková", then passwords containing only "novakova" are valid in IdM. But they are not valid in Active Directory, so when we provision passwords to AD, this creates problems.
On the other hand, if any part of the first name / last name is too short, it should be ignored when checking the password.
Suggested changes:
- The username/firstName/lastName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the username/firstName/lastName is split and all parsed sections (tokens) are confirmed not to be included in the password.
- Tokens that are less than three characters in length are ignored, and substrings of the tokens are not checked.
- For example, the name "Erin M. Hagens" is split into three tokens: "Erin," "M," and "Hagens." Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
(inspired by https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc786468(v=ws.10))
- Target version set to Quartz (9.6.0)
- Estimated time set to 12.00 h
- Target version changed from Quartz (9.6.0) to Rhyolite (9.7.0)
- Target version changed from Rhyolite (9.7.0) to Rhyolite (9.7.3)
- Target version changed from Rhyolite (9.7.3) to Rhyolite (9.7.5)
- Target version changed from Rhyolite (9.7.5) to Rhyolite (9.7.6)
- Target version changed from Rhyolite (9.7.6) to Rhyolite (9.7.7)
- Target version deleted (
Rhyolite (9.7.7))
- Priority changed from Normal to High
This problem occurred again in our environment. We connect AD almost everywhere. Would you please include this requirement in some of the next versions?
- Assignee changed from Ondřej Kopr to Ondrej Husník
- Target version set to 10.2.0
After slack discussion, "attributes that are not allowed in password" will be extended by Titles and Personal Number.
Current validation behavior will be changed to that, mentioned in the task description. No additional activating checkbox is necessary.
- Status changed from New to In Progress
- % Done changed from 0 to 30
- Status changed from In Progress to Needs feedback
- Assignee changed from Ondrej Husník to Radek Tomiška
- % Done changed from 30 to 90
Thank you very much for this task and very nice documentation!
Would you please update the admin part of the documentation in such cases? I.e. https://wiki.czechidm.com/devel/documentation/adm/pwd. This information about password validation is exactly what is interesting for our customers - administrators, business owners - or other consultants. We want to send them links to the admin documentation, not to documentation for IdM developers, which contains a lot of technical implementation details. Thanks!
- Status changed from Needs feedback to Resolved
- Assignee changed from Radek Tomiška to Ondrej Husník
- % Done changed from 90 to 100
- Status changed from Resolved to Closed
Also available in: Atom
PDF
