Password Security
Author: Adam Sutton
Introduction
Mantis currently lacks support for advanced password security features commonly employed by security-conscious applications and organisations. These features are important when the database contains sensitive information and users may be inclined to use weak passwords. The features that would be required are:
- Password strength checking / enforcement
- Password periodic changing
- Password history
Database Changes
- Add a password history table.
- [Optional] Add a password_updated field to the user table. This is duplication of information, though could simplify integration tasks and implementation where password history is not required.
Configuration Changes
- Add a configuration option for the password strength threshold
- Add a configuration option for the password usage period (e.g. how often it must be changed)
- Add a configuration option for the size of the password history
General Changes
- Support password strength checking on password update page.
- Support password history checking on password update page.
- Support password expiration checking as part of authentication process.
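The three checks listed above (strength threshold, history, expiry), shown together as an added example that is not MantisBT code; the configuration keys, the 0..5 strength score and the use of password_hash()/password_verify() for stored history entries are assumptions made for illustration.

```php
<?php
// Added example, not part of MantisBT. Configuration key names are assumed.
$config = [
    'password_min_strength' => 3,   // assumed: minimum score on the 0..5 scale below
    'password_history_size' => 5,   // assumed: number of previous hashes retained
    'password_max_age_days' => 90,  // assumed: usage period before a change is forced
];

// Crude strength score: one point for length >= 12, one per character class present.
function password_strength_score(string $p): int {
    $score = strlen($p) >= 12 ? 1 : 0;
    foreach (['/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/'] as $re) {
        if (preg_match($re, $p)) {
            $score++;
        }
    }
    return $score;
}

// History check: the history table holds hashes, so each entry must be checked
// with password_verify() rather than compared as a string.
function password_in_history(string $p, array $history_hashes): bool {
    foreach ($history_hashes as $h) {
        if (password_verify($p, $h)) {
            return true;
        }
    }
    return false;
}

// Expiry check for the authentication step: $updated is the password_updated timestamp.
function password_expired(int $updated, int $now, int $max_age_days): bool {
    return ($now - $updated) > $max_age_days * 86400;
}

// Store a newly accepted hash at the front and trim to the configured history size.
function push_history(array $history, string $new_hash, int $size): array {
    array_unshift($history, $new_hash);
    return array_slice($history, 0, $size);
}

// Constructed demonstration data.
$history   = [password_hash('OldPassw0rd!', PASSWORD_DEFAULT)];
$candidate = 'OldPassw0rd!';
if (password_strength_score($candidate) < $config['password_min_strength']) {
    echo "rejected: too weak\n";
} elseif (password_in_history($candidate, $history)) {
    echo "rejected: password was used recently\n";
} else {
    $history = push_history($history, password_hash($candidate, PASSWORD_DEFAULT), $config['password_history_size']);
}
var_dump(password_expired(strtotime('2011-08-01'), strtotime('2011-11-16'), $config['password_max_age_days']));
```

With the constructed data the candidate is rejected by the history check, and the expiry check returns true because more than 90 days have elapsed.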
Reminders
Feedback
Please add your comments and feedback in this section.
- I'm not currently sure how password expiration should be handled. I can think of 2 possible options. 1) Provide a screen to allow the user to update their password. 2) Automatically send the user a new password by email (if supported by config).
mantisbt/password_security.txt · Last modified: 2011/11/16 07:40 by atrol