====== Password Security ======

**Author:** Adam Sutton

===== Introduction =====

Mantis currently lacks support for advanced password security features commonly employed by security-conscious applications and organisations. These features are important when the database contains sensitive information and users may be inclined to use weak passwords. The features that would be required are:

  * Password strength checking / enforcement
  * Periodic password changing
  * Password history

===== Database Changes =====

  * Add a password history table.
  * [Optional] Add a password_updated field to the user table. This duplicates information held in the history table, but could simplify integration tasks and the implementation where password history is not required.

===== Configuration Changes =====

  * Add a configuration option for the password strength threshold.
  * Add a configuration option for the password usage period (i.e. how often it must be changed).
  * Add a configuration option for the size of the password history.

===== General Changes =====

  * Support password strength checking on the password update page.
  * Support password history checking on the password update page.
  * Support password expiration checking as part of the authentication process.

===== Reminders =====

===== Feedback =====

Please add your comments and feedback in this section.

  * I'm not currently sure how password expiration should be handled. I can think of 2 possible options. 1) Provide a screen to allow the user to update their password. 2) Automatically send the user a new password by email (if supported by config).
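The three checks proposed under General Changes (strength threshold, history lookup, expiry against the usage period), as an added illustration in Python rather than Mantis's own PHP code; the configuration keys, the strength scoring scheme and the salted PBKDF2 history entries are assumptions for this example, not part of the proposal.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-ins for the proposed configuration options (hypothetical names).
CONFIG = {
    "password_min_strength": 3,   # strength threshold on a 0-5 scale
    "password_max_age_days": 90,  # usage period before a change is forced
    "password_history_size": 5,   # number of previous password hashes retained
}
ITERATIONS = 100_000  # PBKDF2 work factor; history entries are never stored in clear


def password_strength(pw):
    """Score 0-5: one point per character class present, plus one for length >= 12."""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    score = sum(any(f(c) for c in pw) for f in classes)
    return score + (1 if len(pw) >= 12 else 0)


def hash_password(pw, salt=None):
    """Return (salt, digest) suitable for a row in the password history table."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


def in_history(pw, history):
    """Re-derive the candidate with each stored salt; constant-time compare per entry."""
    return any(hmac.compare_digest(hash_password(pw, salt)[1], digest)
               for salt, digest in history)


def validate_new_password(pw, history, cfg=CONFIG):
    """Checks run on the password update page; None means the password is acceptable."""
    if password_strength(pw) < cfg["password_min_strength"]:
        return "too weak"
    if in_history(pw, history):
        return "reused"
    return None


def record_password(pw, history, cfg=CONFIG):
    """Append the new hash and trim the history to the configured size."""
    history.append(hash_password(pw))
    del history[:-cfg["password_history_size"]]
    return history


def password_expired(password_updated, now=None, cfg=CONFIG):
    """Expiry check for the authentication step, based on the password_updated timestamp."""
    now = time.time() if now is None else now
    return now - password_updated > cfg["password_max_age_days"] * 86400
```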