Enforcing a password security policy

[cedricbonhomme]

Abstract

Provide a way to enforce a password security policy in MONARC Front Offices (and the back office).

Motivation

The main motivation is to give the possibility to organizations to enforce their password
policy in the MONARC software.

Proposed Resolution

Criteria of password security policy:

• minimum size of a password: integer;
• complexity of a password (i.e. specific characters, etc.): can be expressed with a regular expression;
• validity period of the password: number of days.

Checking for password reuse (only with the last password) might be directly implemented in the code,
without configurations possibility.

As an example:

password_policy = {
 size: [20-100],
 regex: "^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\da-zA-Z])$",
 validity_period: 60,
}

(of course the size can be specified in the regular expression)

The policy could also be defined in a yaml file (see why later).

How to store this definition and deploy it ? Knowing that it should be possible to deploy a policy to several MONARC
clients connected to the same back office.

Ansible could load the security policy and update accordingly the local configuration file of each clients (/var/www/<client-name>/local.php).
An advantage is that regular checks can be processed by ansible.

It would be also possible to have a specific policy for a client. Not necessary all clients related to a
back office must implement the same policy.

An administrator of a MONARC instance won't be able to override an enforced policy, because
the policy is initially defined in the configuration server and deployed by ansible.

For a Front Office not associated to a back office, we can of course use the file config/autoload/local.php.

Monitoring the changes for a client Admin

[KonzeptAcht]

Hey @cedricbonhomme

It would be useful if the expiration date for passwords could be disabled as well (for example with the value 0). As studies show, complex passwords that are not subject to regular change can improve information security by increasing acceptance among employees. It would be useful if the expiration date for passwords could be disabled as well (for example with the value 0). As studies show, complex passwords that are not subject to regular change can improve information security by increasing acceptance among employees.

thanks for the great work

[cedricbonhomme]

Sure, I agree (even if on my side it is now years since I "forgot" most of my passwords ;-)

It will be a configurable password security policy. So no specific configurations would mean nothing enforced. Or as you proposed a value of 0 for the validity period, for example.

Have fun

[KonzeptAcht]

An option to force the password change after first login would also be helpful.

I didn't know if I should make an extra feature request for this or if you want to edit it here directly.