Security Enhancements

adamsutton
Posts: 3
Joined: 29 Jun 2007, 15:42

Security Enhancements

Post by adamsutton »

Hi,

I managed to get the project team I am working with to start using Mantis recently, having had good experiences with it in the past. I have now managed to get them to switch from VSS to Subversion for source control (bear with me, the point is coming).

To ease user management I have setup Subversion to use MySQL authentication, with the mantis database providing the info.

So far password security has been of little concern; most stuff in Mantis would be of no use to people. However, our source code needs more protection.

There will be various protections in place to stop unauthorized access however password security is currently the weak point (most users haven't changed default passwords!).

I would like to add password complexity checking and periodic forced updates. I don't see anything in the mantis code for this, but thought someone may already have created a patch. If not, I will write one myself. Just wondered if this would be of any use to others?

Adam
vboctor
Site Admin
Posts: 1293
Joined: 13 Feb 2005, 22:11
Location: Redmond, Washington

Post by vboctor »

No one has contributed patches in this area. However, I thought about this in the past and I would welcome patches. The ideas I thought about:

1. Use the password strength checking PHP module when installed.
2. Allow user to set this ON/OFF, and in case of ON we may provide some further rule configuration.
3. Provide a way to protect against the "default" password scenario. For example, force change password on first login, or disable after a certain time window.

If you are going to get started with this, then the best approach would be to create a Wiki page for this and write the requirements. Once we agree on it, you can go ahead with the implementation. This increases the likelihood of the patch making it into Mantis.

Thanks in advance for your contribution.
adamsutton
Posts: 3
Joined: 29 Jun 2007, 15:42

Post by adamsutton »

I've had a quick look at some of the requirements pages, and I think I can probably manage that. I will try and have a go this weekend, though if not it will probably have to wait until the back end of next week.

A quick question about the password checking module you talked about: where can I find info? I saw some stuff in the crack library functions, but they seem limited. I've also seen a couple of simple password checking functions. But if there is something more universally recognised, then I will take a look at that.

Adam
vboctor
Site Admin
Posts: 1293
Joined: 13 Feb 2005, 22:11
Location: Redmond, Washington

Post by vboctor »

The crack library is what I was referring to. You can easily implement some of the following checks yourself:

1. Minimum Length
2. Upper/Lower/Number/Symbols combinations
3. No re-use of password within history (requires password history storage).
4. Not the same as user name.

However, there are more involved checks like:

1. Dictionary word
2. Based on a dictionary word.

What we can do is implement the simple ones, and if the crack module is available then we can make use of it to do stuff like dictionary checks, etc. Another option is to do the dictionary check ourselves but that will require shipping a dictionary from Open Office or a similar project.

You might also want to research if there are libraries that provide such functionality or ones implemented as part of other PHP GPL projects.
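The simple checks listed above (length, character mix, history, user name) plus the optional CrackLib dictionary check, as an added example written in the MantisBT coding style; it is not MantisBT's own code. The history format (stored `password_hash()` values), the dictionary path and the helper name are assumptions for illustration.

```php
<?php
// Added example, not MantisBT code. The history format, the dictionary
// path and the helper name are assumptions made for this illustration.
/**
 * Returns the names of the rules the candidate password violates;
 * an empty array means it is acceptable.
 * $p_history: list of previous password_hash() values (assumed storage).
 */
function password_policy_violations( $p_password, $p_username, array $p_history = array(), $p_min_length = 8 ) {
	$t_violations = array();
	// 1. Minimum length (count characters, not bytes, for UTF-8 input).
	if( mb_strlen( $p_password, 'UTF-8' ) < $p_min_length ) {
		$t_violations[] = 'min_length';
	}
	// 2. Character mix: require at least three of the four classes.
	$t_classes = preg_match( '/[a-z]/', $p_password ) + preg_match( '/[A-Z]/', $p_password )
	           + preg_match( '/[0-9]/', $p_password ) + preg_match( '/[^a-zA-Z0-9]/', $p_password );
	if( $t_classes < 3 ) {
		$t_violations[] = 'character_mix';
	}
	// 3. No reuse: compare against stored hashes, never against plaintext.
	foreach( $p_history as $t_old_hash ) {
		if( password_verify( $p_password, $t_old_hash ) ) {
			$t_violations[] = 'reused';
			break;
		}
	}
	// 4. Must not equal or contain the user name (case-insensitive).
	if( $p_username !== '' && stripos( $p_password, $p_username ) !== false ) {
		$t_violations[] = 'contains_username';
	}
	// Dictionary checks via the PECL crack extension only when it is loaded;
	// the dictionary path is a placeholder to replace with the local one.
	if( function_exists( 'crack_opendict' ) ) {
		$t_dict = crack_opendict( '/path/to/cracklib/pw_dict' );
		if( $t_dict && !crack_check( $t_dict, $p_password ) ) {
			$t_violations[] = 'dictionary: ' . crack_getlastmessage();
		}
	}
	return $t_violations;
}
// Usage: the default administrator password is rejected, a stronger one passes.
$t_history = array( password_hash( 'root', PASSWORD_DEFAULT ) );
var_dump( password_policy_violations( 'root', 'administrator', $t_history ) );
var_dump( password_policy_violations( 'Tr4ck-issues!2007', 'administrator', $t_history ) );
```

Wiring this into the change-password path gives the "force change on first login" idea a concrete gate: run the check there and refuse to save while the array is non-empty.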
adamsutton
Posts: 3
Joined: 29 Jun 2007, 15:42

Post by adamsutton »

I see you have uploaded my requirements spec, thanks for that. I will probably try to refine it later this week.

I intend to work on a fairly basic implementation this week. Ideally I need to get something up and running towards the end of the week so that it is in place to stop users having weak passwords when I start to use the Mantis user table as the source for authentication information on our Subversion repository.

I think I will begin by implementing the password strength checking and history. I've looked at http://www.alixaxel.com/wordpress/wp-co ... ength.phps which seems to do a fairly good job at estimating password strength.

I will let you know how I get on.
bartik
Posts: 1
Joined: 04 Apr 2009, 21:34

Re: Security Enhancements

Post by bartik »

Hi,

I have implemented a process where some basic constraints for a password are defined. There is now also the possibility to use an override function to check the complexity of the password if desired. I haven't found any suitable bug to attach it to, so I'm attaching it here. It is a diff against the current 1.2.x.

Thanks for your hard work,
bartik
cas
Posts: 1622
Joined: 11 Mar 2006, 16:08

Re: Security Enhancements

Post by cas »

I have made some progress on integrating the crack library but get lost in compiling it into a format that is readable by php_crack.dll.
Where can I find precompiled ones, or even better, is there a tool that I can use under Windows to compile it myself?