Enforce password length and complexity

Discussion forum about Anuko Time Tracker
imcg
Posts: 4
Joined: Tue Apr 10, 2018 8:31 am

Enforce password length and complexity

Post by imcg » Tue Apr 10, 2018 9:23 am

Hi!

I've recently found Anuko and I like it very much. Congratulations on this nice tool! :)

I'd like to use Anuko with my employer, but I need to comply with new European Regulations. One of the requirements is enforcing password length and complexity.

I've looked at the code and prepared a set of changes which give an option to enforce password length and complexity. I'd be happy to share these changes and introduce them into Anuko project. Please let me know if this functionality would be useful for Anuko project, and if yes, how can we proceed.

admin
Posts: 546
Joined: Fri Oct 08, 2004 9:46 pm
Location: Vancouver, Canada

Re: Enforce password length and complexity

Post by admin » Tue Apr 10, 2018 9:49 am

imcg wrote: Hi!

I've recently found Anuko and I like it very much. Congratulations on this nice tool! :)

I'd like to use Anuko with my employer, but I need to comply with new European Regulations. One of the requirements is enforcing password length and complexity.

I've looked at the code and prepared a set of changes which give an option to enforce password length and complexity. I'd be happy to share these changes and introduce them into Anuko project. Please let me know if this functionality would be useful for Anuko project, and if yes, how can we proceed.

The feature makes sense. Make it configurable on group level (do not enforce it upon all groups, since some do not need to comply). Perhaps it is best to discuss the design of this feature first, before submitting a pull request. How exactly does one configure a password complexity requirement?

imcg
Posts: 4
Joined: Tue Apr 10, 2018 8:31 am

Re: Enforce password length and complexity

Post by imcg » Tue Apr 10, 2018 10:43 am

My bad - I took the easy path and assumed this would be applied to all groups. This way I didn't have to introduce any changes into the database, just add several global parameters in config.php and make minimal code changes.

I agree that it's more flexible to make it configurable on group level, so my ideas would be:
  • add password policy columns to tt_teams, or add new table, for example tt_teams_password_policy - these would hold password policies for each team
  • introduce password policy fields into form group_edit.php and group_edit.tpl. Or make it a new module/plugin, same way as Monthly quotas, etc.
  • whenever a user password is changed, check if the team has enabled password_policy, and if yes, check if the new password complies with password_policy. I found four places in the code where the password is being changed/set - please correct me if I missed anything:
    • password_change.php
    • profile_edit.php
    • user_add.php
    • user_edit.php
Password complexity requirements could be defined by these parameters:
  • minimum password length
  • minimum number of digits
  • minimum number of lower case letters
  • minimum number of upper case letters
  • minimum number of special characters (anything other than digits and upper/lower case letters)

wrc
Posts: 251
Joined: Tue May 25, 2010 8:30 pm

Re: Enforce password length and complexity

Post by wrc » Tue Apr 10, 2018 1:24 pm

How about keeping things simple?

Add ONE field to the Group settings called: "Password complexity". If the field is null, the policy is not enforced. If the field contains an EXAMPLE password, then the code will calculate all it needs from the example, specifically:

- Minimum password length.
- Minimum number of caps.
- Minimum number of digits.
- Minimum number of special characters.

Password example: examplePassword12* - means 18 characters min length, at least one cap, at least 2 numbers, and at least 1 special character.

This way you only need one additional field in tt_groups (password_complexity) and don't over-complicate the UI for users who don't need this.

Will this work?

imcg
Posts: 4
Joined: Tue Apr 10, 2018 8:31 am

Re: Enforce password length and complexity

Post by imcg » Tue Apr 10, 2018 1:50 pm

Thanks wrc, I like your idea very much. This will help avoid over-complicating the UI, as you've noted, and we'd also need just one additional field in the database.

I assume that we'd need to add the "What is it?" description to this field in the UI, to explain its usage.

Nik
Posts: 440
Joined: Wed May 26, 2010 5:55 pm

Re: Enforce password length and complexity

Post by Nik » Tue Apr 10, 2018 3:53 pm

I introduced a password_complexity field in the tt_groups table in Time Tracker 1.17.87.4246.

Code:

`password_complexity` varchar(64) default NULL,        # password example that defines required complexity

The link to "What is it?" from the Group Settings page should be https://www.anuko.com/lp/tt_22.htm

I hope it helps.
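The design wrc proposed and the tt_groups.password_complexity column Nik added come together in the check below. This is an added example written for this thread, not Time Tracker's own code: the function names and the candidate passwords are constructed for illustration, and the special-character rule follows imcg's definition (anything other than digits and letters).

```php
<?php
// Added example (not Time Tracker's code): derive a password policy from the example
// password stored in tt_groups.password_complexity and check a candidate against it.

// Turn an example such as "examplePassword12*" into minimum requirements.
// NULL or an empty field means the group does not enforce a policy.
function policyFromExample(?string $example): ?array {
    if ($example === null || $example === '') {
        return null;
    }
    return [
        'min_length'  => mb_strlen($example),                       // needs ext/mbstring
        'min_upper'   => preg_match_all('/[A-Z]/', $example),
        'min_digits'  => preg_match_all('/[0-9]/', $example),
        // "special" = anything other than digits and upper/lower case letters
        'min_special' => preg_match_all('/[^A-Za-z0-9]/', $example),
    ];
}

// Return the list of unmet requirements; an empty array means the password complies.
function passwordViolations(string $password, ?array $policy): array {
    if ($policy === null) {
        return []; // no policy for this group, nothing to enforce
    }
    $violations = [];
    if (mb_strlen($password) < $policy['min_length']) {
        $violations[] = "at least {$policy['min_length']} characters";
    }
    if (preg_match_all('/[A-Z]/', $password) < $policy['min_upper']) {
        $violations[] = "at least {$policy['min_upper']} upper case letter(s)";
    }
    if (preg_match_all('/[0-9]/', $password) < $policy['min_digits']) {
        $violations[] = "at least {$policy['min_digits']} digit(s)";
    }
    if (preg_match_all('/[^A-Za-z0-9]/', $password) < $policy['min_special']) {
        $violations[] = "at least {$policy['min_special']} special character(s)";
    }
    return $violations;
}

// Constructed sample run using the example from wrc's post:
// 18 characters, 1 cap, 2 digits, 1 special character.
$policy = policyFromExample('examplePassword12*');
foreach (['Tr0ub4dor&3', 'CorrectHorseBattery99!'] as $candidate) {
    $problems = passwordViolations($candidate, $policy);
    echo $candidate, ': ',
        $problems ? 'rejected (needs ' . implode(', ', $problems) . ')' : 'accepted', "\n";
}
```

With this policy the first candidate is rejected for length only and the second is accepted. The string stored in password_complexity is a template that group managers will read on the settings page, so it should be a made-up example, never a password anyone actually uses.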

imcg
Posts: 4
Joined: Tue Apr 10, 2018 8:31 am

Re: Enforce password length and complexity

Post by imcg » Wed Apr 11, 2018 12:44 pm

Thank you, this will help me get started.
