
Password Security

Author: Adam Sutton

Introduction

Mantis currently lacks support for the advanced password security features commonly employed by security-conscious applications and organisations. These features matter when the database contains sensitive information and users may be inclined to choose weak passwords. The features that would be required are:

  • Password strength checking / enforcement
  • Password periodic changing
  • Password history

Database Changes

  • Add a password history table.
  • [Optional] Add a password_updated field to the user table. This duplicates information already derivable from the history table, but could simplify integration tasks and the implementation where password history is not required.

Configuration Changes

  • Add a configuration option for the password strength threshold
  • Add a configuration option for the password usage period (i.e. how often it must be changed)
  • Add a configuration option for the size of the password history

General Changes

  • Support password strength checking on password update page.
  • Support password history checking on password update page.
  • Support password expiration checking as part of authentication process.
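As an added illustration of how the three checks above fit together (this is not code from this page or from MantisBT, which is written in PHP; the configuration values, the strength scoring rule and the sqlite table are constructed stand-ins), the following Python keeps a salted-hash history table, rejects weak or recently used passwords on update, and derives expiry from the newest history row so that the optional password_updated column is not needed:

```python
import hashlib, hmac, os, sqlite3
from datetime import datetime, timedelta

# Constructed settings standing in for the three configuration options proposed above.
CONFIG = {"strength_threshold": 3, "usage_days": 90, "history_size": 5}

def open_history_db():
    """In-memory stand-in for the proposed password history table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE password_history "
               "(user_id INTEGER, salt BLOB, hash BLOB, created_at TEXT)")
    return db

def hash_password(password, salt=None):
    """Salted PBKDF2, so history rows never hold reusable plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_strength(password):
    """Constructed score: one point per character class, one more for length >= 12."""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(f(c) for c in password) for f in classes) + (len(password) >= 12)

def password_in_history(db, user_id, password, size):
    """True if the candidate matches any of the user's last `size` stored hashes."""
    rows = db.execute("SELECT salt, hash FROM password_history WHERE user_id = ? "
                      "ORDER BY created_at DESC LIMIT ?", (user_id, size)).fetchall()
    return any(hmac.compare_digest(hash_password(password, salt)[1], stored)
               for salt, stored in rows)

def record_password(db, user_id, password, now_iso):
    """Run on every successful update; the newest row doubles as the update timestamp."""
    salt, digest = hash_password(password)
    db.execute("INSERT INTO password_history VALUES (?, ?, ?, ?)",
               (user_id, salt, digest, now_iso))

def validate_new_password(db, user_id, password, cfg=CONFIG):
    """Checks for the password update page; None means the password is acceptable."""
    if password_strength(password) < cfg["strength_threshold"]:
        return "weak"
    if password_in_history(db, user_id, password, cfg["history_size"]):
        return "reused"
    return None

def password_expired(db, user_id, now_iso, cfg=CONFIG):
    """Login-time check: age of the newest history row against the usage period."""
    row = db.execute("SELECT MAX(created_at) FROM password_history WHERE user_id = ?",
                     (user_id,)).fetchone()
    if row[0] is None:
        return True  # no recorded change at all: force one
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(row[0])
    return age > timedelta(days=cfg["usage_days"])
```

Once more than `history_size` newer passwords have been recorded, an old password drops out of the window and is accepted again, which is the behaviour the history-size option is meant to control.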

Reminders

Feedback

Please add your comments and feedback in this section.

  • I'm not currently sure how password expiration should be handled. I can think of 2 possible options. 1) Provide screen to allow user to update their password. 2) Automatically send user new password by email (if supported by config).
mantisbt/password_security.txt · Last modified: 2011/11/16 07:40 by atrol