Password Security

Author: Adam Sutton

Mantis currently lacks support for advanced password security features commonly employed by security concious applications / organisations. These features are important when the database contains sensitive information and users may be inclined to use weak passwords. The features that would be required are:

• Password strength checking / enforcement
• Password periodic changing
• Password history

• Add a password history table.
• [Optional] Add a password_updated field to the user table. This is duplication of information, though could simplify integration tasks and implementation where password history is not required.

• Add a configuration option for the password strength threshold
• Add a configuration option for the password usage period (eg how often it must be changed)
• Add a configuration option for the size of the password history

• Support password strength checking on password update page.
• Support password history checking on password update page.
• Support password expiration checking as part of authentication process.

Please add your comments and feedback in this section.

• I’m not currently sure how password expiration should be handled. I can think of 2 possible options. 1) Provide screen to allow user to update their password. 2) Automatically send user new password by email (if supported by config).