Page history: mantisbt:password_security created 2007/06/30 17:35 by vboctor; current revision 2011/11/16 07:40 by atrol (the page rendering was broken, possibly since a new PHP version on mantisbt.org; a new line was added at the end of the file to fix it).
====== Password Security ======

**Author:** Adam Sutton

===== Introduction =====

Mantis currently lacks support for advanced password security features
commonly employed by security-conscious applications and organisations. These
features are important when the database contains sensitive information
and users may be inclined to use weak passwords.
The features that would be required are:

   * Password strength checking / enforcement
   * Periodic password changing
   * Password history

===== Database Changes =====

   * Add a password history table.
   * [Optional] Add a password_updated field to the user table. This duplicates information, but it could simplify integration and implementation where password history is not required.

===== Configuration Changes =====

   * Add a configuration option for the password strength threshold
   * Add a configuration option for the password usage period (e.g. how often it must be changed)
   * Add a configuration option for the size of the password history

===== General Changes =====

   * Support password strength checking on the password update page.
   * Support password history checking on the password update page.
   * Support password expiration checking as part of the authentication process.
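
As an added example (not Mantis code), the three checks above in Python: the strength threshold, history size and usage period are assumed default values for the proposed configuration options, and a plain dict stands in for the user table and password history table.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
# Assumed default values for the three configuration options proposed above.
CONFIG = {
    "password_strength_threshold": 3,   # character classes the password must span
    "password_usage_period_days": 90,   # how often the password must be changed
    "password_history_size": 5,         # how many previous hashes are remembered
}

def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 hash; each history entry keeps its own salt."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_strength(password):
    """Score = number of character classes used, plus one for 12+ characters."""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    score = sum(any(test(c) for c in password) for test in classes)
    return score + (len(password) >= 12)

def check_new_password(password, history, config=CONFIG):
    """Reject weak or reused (re-hashed with each remembered salt) passwords; None if acceptable."""
    if password_strength(password) < config["password_strength_threshold"]:
        return "too weak"
    for salt, digest in history[-config["password_history_size"]:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return "reused"
    return None

def update_password(user, password, now, config=CONFIG):
    """Password update page: run the checks, then record the hash and stamp password_updated."""
    reason = check_new_password(password, user["history"], config)
    if reason is None:
        user["history"].append(hash_password(password))
        user["history"] = user["history"][-config["password_history_size"]:]
        user["password_updated"] = now
    return reason

def password_expired(user, now, config=CONFIG):
    """Expiration check to run as part of authentication."""
    return now - user["password_updated"] > timedelta(days=config["password_usage_period_days"])

def demo():
    now = datetime.now(timezone.utc)
    user = {"history": [], "password_updated": now}   # constructed user record
    updates = [update_password(user, pw, now) for pw in ("weak", "Tr0ub4dor&3", "Tr0ub4dor&3")]
    return updates + [password_expired(user, now + timedelta(days=d)) for d in (10, 91)]
```

`demo()` walks one constructed user through the checks: a weak password is rejected, a strong one is accepted, reusing it is rejected by the history check, and the password counts as expired only once the usage period has passed.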
 +
===== Reminders =====


===== Feedback =====

Please add your comments and feedback in this section.

   * I'm not currently sure how password expiration should be handled. I can think of 2 possible options. 1) Provide a screen to allow the user to update their password. 2) Automatically send the user a new password by email (if supported by config).

License: CC Attribution-Noncommercial-Share Alike 4.0 International