OFBiz JIRA: OFBIZ-4958 (sub-task of OFBIZ-1525 Issue to group security concerns)

Additional Validation for Password : Make password pattern driven

    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Trunk
    • Fix Version/s: Trunk
    • Component/s: ALL COMPONENTS
    • Labels:
      None
    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      Providing an additional validation for password -

      Idea is to achieve following -

      • Insist that the user provide a stronger login password for additional protection.
      • The user's password needs to match a pre-defined pattern.
      • The password pattern can change at any time.
      • Validation should be applied to the new user creation and update password processes.


      Thanks And Regards
      Sumit Pandit

      1. OFBIZ-4958.patch
        6 kB
        Sumit Pandit
      2. OFBIZ-4958.patch
        6 kB
        Sumit Pandit

        Activity

        Transition                    Time In Source Status   Execution Times   Last Executer     Last Execution Date
        Open -> Patch Available       8d 56m                  1                 Sumit Pandit      18/Jul/12 10:55
        Patch Available -> Closed     144d 5h 4m              1                 Jacques Le Roux   09/Dec/12 15:00
        Jacques Le Roux added a comment -

        BTW I stumbled upon this page from owasp https://www.owasp.org/index.php/Authentication_Cheat_Sheet

        Sumit Pandit added a comment -

        Thanks Jacques.
        Modifying the url in comment.

        Jacques Le Roux added a comment - edited

        Just stumbled upon that by chance, the url is now https://cwiki.apache.org/confluence/display/OFBIZ/Securing+user+password+-+Make+it+pattern+driven.

        Or also https://cwiki.apache.org/confluence/x/TiPVAQ (the dot at end of the link above is an issue)

        Sumit Pandit added a comment - edited

        Hello Users,
        For detail description, please find the document at following location -
        https://cwiki.apache.org/OFBIZ/securing-user-password-make-it-pattern-driven.html
        https://cwiki.apache.org/confluence/x/TiPVAQ

        Sumit Pandit added a comment -

        Thanks Jacques, Scott and Leon for your contributions.

        Jacques Le Roux made changes -
        Status Patch Available [ 10002 ] Closed [ 6 ]
        Resolution Fixed [ 1 ]
        Jacques Le Roux added a comment -

        Thanks Sumit,

        Your slightly modified patch is in trunk at r1418996

        Jacques Le Roux added a comment -

        Thanks for reminder Leon,

        I agree it's almost ready to commit. I'm working on an improvement on this solution. Because as is, it does not handle the localisation of the error message, which is hardcoded in English in the security.login.password.pattern.description property.

        It's easy to do for the OOTB solution (password must be longer than 5 chars) but less so when it comes to mixing several constraints...

        I think I will commit my "easy" solution and will let people handle the case when they want to use a more constraining pattern. Then they will have to find themselves a solution for the localisation, if needed...

        Leon added a comment -

        very nice feature. Is there any conclusion?

        Sumit Pandit made changes -
        Attachment OFBIZ-4958.patch [ 12539563 ]
        Sumit Pandit added a comment -

        Hi Scott, thanks for your comment and suggestion. Submitting a new patch by keeping password pattern enabled and making it less restrictive, i.e. minimum length 5 chars. Along with this, for reference purpose more restrictive pattern exist in comments. Please consider the patch in attachment.

        Thanks And Regards
        Sumit Pandit

        Scott Gray added a comment -

        Hi Sumit,

        I don't mind either way, either disable it by default or make the pattern less restrictive (probably only enforcing a minimum length). My only input into this issue is that I'd rather not see special characters and/or numbers be required by default.

        Thanks

        Sumit Pandit added a comment -

        Hi Scott, taking your comments. Rephrasing the pattern string to make it less restrictive.

        The given patch will provide the following capability to the system -

        • Admin can enable/disable the pattern based password capability of the system. Configuration will reside in the security.properties file.
          • To enable : security.login.password.pattern.enable=true
          • To disable: security.login.password.pattern.enable=false
        • Admin is free to provide his own pattern string, making the pattern more/less restrictive as per system requirement. Configuration will reside in the security.properties file.
          • To set password pattern string : security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
            Where ^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$ is the pattern string.
        • Admin can provide a custom error message string which will be displayed to the end user if a wrong password is entered. Configuration will reside in the security.properties file.
          • To set pattern message : security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(numeric optional) and at-least one of following special characters: !@#$%^&*.
        • Recommendation :
          Also I think the pattern based password policy should be disabled by default so that admin can enable it as a plug-in.
        • Providing patch shortly.
        • Please comment if you do not agree with disabling the pattern by default.
        Scott Gray added a comment -

        Please keep the default to something less restrictive. I use pass phrases in place of passwords which are easier to remember and arguably more secure (http://en.wikipedia.org/wiki/Passphrase#Compared_to_passwords). Pass phrases become much harder to remember if you force them to contain numbers or special characters.

        Jacques Le Roux made changes -
        Assignee Jacques Le Roux [ jacques.le.roux ]
        Sumit Pandit added a comment -

        In case the password pattern is not required, it can be disabled in the security.properties file via the following change :

        security.login.password.pattern.enable=false

        By doing so the password will not be validated against the pattern and the system behaves in the default way, i.e. password minimum length 5 chars.

        Sumit Pandit made changes -
        Status Open [ 1 ] Patch Available [ 10002 ]
        Sumit Pandit made changes -
        Field Original Value New Value
        Attachment OFBIZ-4958.patch [ 12536969 ]
        Sumit Pandit added a comment -

        Thanks Jacques for comments. Please find patch for functionality.

        Following is the way it is implemented :

        Bullet points -

        • User's password must follow a specific pattern. (pattern specified in security.properties file.)
        • Password pattern should be configurable.
        • Display a proper error message if the password does not follow the pattern. (error message specified in security.properties file.)
        • Error message displayed to the user should also be configurable.
        • Password pattern rules must be applied on create/update of a password for new/existing users.

        Currently the following rules are applied for passwords -

        • Minimum password length = 5 chars
        • Should contain alphanumeric values (alphabetic characters required, numeric accepted but optional)
        • Should contain one of the following special characters : !@#$%^&*

        How to test -

        • Go to ecommerce and create a new customer. Observe your password; it should follow the above pattern.
        • Or go to partymgr and try to create an employee. Observe the password; it should follow the above pattern.
        • Try to update a password; observe that it should follow the above pattern.
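        The following is an added illustration, not OFBiz code and not the attached patch, of the behaviour described in the comments above: a password check driven by the three security.properties keys named in this issue (security.login.password.pattern.enable, security.login.password.pattern and security.login.password.pattern.description), falling back to the 5-character minimum when the pattern is disabled. The class name, the check method, the Result type and the candidate passwords are assumptions made for the example; the properties text is constructed inline so the program runs stand-alone. Two points the thread does not spell out are made explicit: the check belongs in the server-side create/update service rather than only in the browser form, and a pattern that fails to compile must fail closed rather than accept every password.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Added example of a pattern-driven password check configured from the
 * security.properties keys discussed in OFBIZ-4958. Not OFBiz code; the
 * class, method and Result names are hypothetical.
 */
public class PasswordPatternCheck {

    // Constructed stand-in for the relevant lines of security.properties.
    static final String SECURITY_PROPERTIES = String.join("\n",
        "security.login.password.pattern.enable=true",
        "security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$",
        "security.login.password.pattern.description=Your password must be 5 characters long, "
            + "contain a letter and at least one of the special characters: !@#$%^&*",
        "");

    // Fallback when the pattern is disabled: the minimum-length rule the thread describes.
    static final int DEFAULT_MIN_LENGTH = 5;

    /** Outcome of one validation: accepted, or rejected with the message to show the user. */
    static final class Result {
        final boolean accepted;
        final String message;
        Result(boolean accepted, String message) { this.accepted = accepted; this.message = message; }
        @Override public String toString() { return accepted ? "OK" : "REJECTED: " + message; }
    }

    /**
     * Validate a candidate password against the configured policy. Call this from the
     * server-side service that creates or updates the password, never only from the form.
     */
    static Result check(String password, Properties props) {
        if (password == null) {
            return new Result(false, "Password is required.");
        }
        boolean enabled = Boolean.parseBoolean(
            props.getProperty("security.login.password.pattern.enable", "false").trim());
        if (!enabled) {
            // Pattern disabled: only the default minimum length applies.
            return password.length() >= DEFAULT_MIN_LENGTH
                ? new Result(true, null)
                : new Result(false, "Password must be at least " + DEFAULT_MIN_LENGTH + " characters long.");
        }
        String regex = props.getProperty("security.login.password.pattern", "").trim();
        Pattern pattern;
        try {
            if (regex.isEmpty()) throw new PatternSyntaxException("empty pattern", regex, 0);
            pattern = Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            // Fail closed: a broken or missing policy must not silently accept every password.
            return new Result(false, "Password policy is misconfigured; contact the administrator.");
        }
        if (!pattern.matcher(password).matches()) {
            return new Result(false, props.getProperty(
                "security.login.password.pattern.description", "Password does not meet the policy."));
        }
        return new Result(true, null);
    }

    public static void main(String[] args) throws IOException {
        Properties enabled = new Properties();
        enabled.load(new StringReader(SECURITY_PROPERTIES));

        // Same configuration with the pattern switched off, as the comments describe.
        Properties disabled = new Properties();
        disabled.putAll(enabled);
        disabled.setProperty("security.login.password.pattern.enable", "false");

        // Constructed candidates; the comment on each says which rule it exercises.
        String[] candidates = {
            "abc",                           // too short for either mode
            "abcde",                         // long enough, but no special character
            "a!bc",                          // has a special character, only 4 characters
            "a!bcd",                         // smallest password the pattern accepts
            "12345!",                        // no letter
            "correct horse battery staple",  // passphrase: pattern rejects it, length-only accepts it
        };
        for (String pw : candidates) {
            System.out.printf("%-32s pattern on: %-75s pattern off: %s%n",
                "\"" + pw + "\"", check(pw, enabled), check(pw, disabled));
        }
    }
}
```

        Running the class prints one line per candidate for both modes. The passphrase row is Scott Gray's point from this thread in concrete form: the lookahead for a special character rejects a long, high-entropy passphrase that the length-only fallback accepts, so an administrator who tightens security.login.password.pattern should decide whether that trade-off is intended. Because the whole policy is a Java regular expression loaded from a properties file, anyone who can edit security.properties can also weaken it to ^.*$, so that file deserves the same change control as the rest of the security configuration.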
        Jacques Le Roux added a comment -

        5 chars is really a minimum, for production backends I use password lengths > 18 chars with at least a special char. Anyway having a pattern in security.properties sounds like a good idea indeed.
        Interesting: http://en.wikipedia.org/wiki/Password_strength#Password_policy

        HTH

        Sumit Pandit added a comment -

        Before submitting the patch, looking for comment on proposal if any.

        Sumit Pandit added a comment - edited

        Demo Password pattern requirement -

        • Will contain alphanumeric characters and the following special characters: !@#$%^&*
        • Contains at least 1 of the special characters listed above
        • The required special character can appear anywhere in the string (for example: !abc, a!bc, abc!)
        • Minimum length 5 characters.

        Based on above points; password pattern is as follows -

        Password Pattern
        ^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
        

        Above pattern configuration will exist in security.properties file, so that user can change the pattern as per customize requirement.

        Sumit Pandit created issue -

          People

          • Assignee: Jacques Le Roux
          • Reporter: Sumit Pandit
          • Votes: 1
          • Watchers: 5