Sumit Pandit created OFBIZ-4958:
-----------------------------------

Summary: Additional Validation for Password : Make password pattern driven
Key: OFBIZ-4958
URL: https://issues.apache.org/jira/browse/OFBIZ-4958
Project: OFBiz
Issue Type: Sub-task
Components: ALL COMPONENTS
Affects Versions: SVN trunk
Reporter: Sumit Pandit
Fix For: SVN trunk

Providing an additional validation for password. The idea is to achieve the following:
* Insist that the user provide a stronger login password for additional protection.
* The user's password needs to match a pre-defined pattern.
* The password pattern can change at any time.
* Validation should be applied to the new user creation and update password processes.

--
Thanks And Regards
Sumit Pandit

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[ https://issues.apache.org/jira/browse/OFBIZ-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13410194#comment-13410194 ]

Sumit Pandit commented on OFBIZ-4958:
-------------------------------------

*Demo Password pattern requirement:*
* Only contains alphanumeric characters and the following special characters: !@#$%^&*
* Contains at least 1 of the special characters listed above
* The required special character can appear anywhere in the string (for example: !abc, a!bc, abc!)
* Minimum length 5 digit.

Based on the above points, the password pattern is as follows:

{code:title=Password Pattern|borderStyle=solid}
^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
{code}

The above pattern configuration exists in the security.properties file so that the user can change the pattern as per their customized requirements.
[ https://issues.apache.org/jira/browse/OFBIZ-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13412595#comment-13412595 ]

Sumit Pandit commented on OFBIZ-4958:
-------------------------------------

Before submitting the patch, I am looking for comments on the proposal, if any.
[ https://issues.apache.org/jira/browse/OFBIZ-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13414025#comment-13414025 ]

Jacques Le Roux commented on OFBIZ-4958:
----------------------------------------

5 chars is really a minimum; for production backends I use password lengths > 18 chars with at least a special char. Anyway, having a pattern in security.properties sounds like a good idea indeed.

Interesting: http://en.wikipedia.org/wiki/Password_strength#Password_policy

HTH
[ https://issues.apache.org/jira/browse/OFBIZ-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13410194#comment-13410194 ]

Sumit Pandit edited comment on OFBIZ-4958 at 7/17/12 5:26 AM:
--------------------------------------------------------------

*Demo Password pattern requirement:*
* Will contain alphanumeric characters and the following special characters: !@#$%^&*
* Contains at least 1 of the special characters listed above
* The required special character can appear anywhere in the string (for example: !abc, a!bc, abc!)
* Minimum length 5 characters.

Based on the above points, the password pattern is as follows:

{code:title=Password Pattern|borderStyle=solid}
^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
{code}

The above pattern configuration will exist in the security.properties file, so that the user can change the pattern as per their customized requirements.
[ https://issues.apache.org/jira/browse/OFBIZ-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sumit Pandit updated OFBIZ-4958:
--------------------------------

Attachment: OFBIZ-4958.patch

Thanks Jacques for the comments. Please find the patch for the functionality.

The following is how it is implemented.

Bullet points:
* The user's password must follow a specific pattern (pattern specified in the security.properties file).
* The password pattern should be configurable.
* Display a proper error message if the password does not follow the pattern (error message specified in the security.properties file).
* The error message displayed to the user should also be configurable.
* Password pattern rules must be applied on create/update of a password for new/existing users.

Currently the following rules are applied for the password:
* Minimum password length = 5 chars
* Should contain alphanumeric values (alphabets required, numerics accepted but optional)
* Should contain one of the following special characters: !@#$%^&*

How to test:
* Go to ecommerce and create a new customer. Observe your password; it should follow the above pattern.
* Or go to partymgr and try to create an employee. Observe the password; it should follow the above pattern.
* Try to update a password; observe that it should follow the above pattern.
[ https://issues.apache.org/jira/browse/OFBIZ-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13416973#comment-13416973 ]

Sumit Pandit commented on OFBIZ-4958:
-------------------------------------

In case the password pattern is not required, it can be disabled in the security.properties file via the following change:

{code}
security.login.password.pattern.enable=false
{code}

By doing so the password will not be validated against the pattern and the system behaves in the default way, i.e. password minimum length 5 chars.
[ https://issues.apache.org/jira/browse/OFBIZ-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux reassigned OFBIZ-4958:
--------------------------------------

Assignee: Jacques Le Roux
[ https://issues.apache.org/jira/browse/OFBIZ-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13429106#comment-13429106 ]

Scott Gray commented on OFBIZ-4958:
-----------------------------------

Please keep the default to something less restrictive. I use pass phrases in place of passwords, which are easier to remember and arguably more secure (http://en.wikipedia.org/wiki/Passphrase#Compared_to_passwords). Pass phrases become much harder to remember if you force them to contain numbers or special characters.
[ https://issues.apache.org/jira/browse/OFBIZ-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13429974#comment-13429974 ]

Sumit Pandit commented on OFBIZ-4958:
-------------------------------------

Hi Scott, taking your comments. Rephrasing the pattern string to make it less restrictive.

The given patch will provide the following capability to the system:
* Admin can enable/disable the pattern-based password capability of the system. Configuration will reside in the security.properties file.
** To enable: security.login.password.pattern.enable=true
** To disable: security.login.password.pattern.enable=false
* Admin is free to provide his own pattern string, making the pattern more/less restrictive as per system requirements. Configuration will reside in the security.properties file.
** To set the password pattern string: security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
*** Where ^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$ is the pattern string.
* Admin can provide a custom error message string which will be displayed to the end user if a wrong password is entered. Configuration will reside in the security.properties file.
** To set the pattern message: security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(numeric optional) and at-least one of following special characters: !@#$%^&*.
* Recommendation: I also think the pattern-based password policy should be disabled by default so that admin can enable it as a plug-in.
* Providing the patch shortly.
* Please comment if you do not agree with disabling the pattern by default.
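To see how the three security.properties keys proposed above behave together, here is an added example (not code from the OFBiz patch): a small Python validator that reads a constructed fragment with those keys, enforces the proposed pattern when the enable flag is true, and falls back to the length-only default described earlier when it is false. The .properties reader is deliberately simplified (first `=` splits key from value), and the sample passwords are constructed; note that because `.` in the pattern matches any character, a password containing a space is accepted even though the stated requirement only lists alphanumerics and !@#$%^&*.

```python
import re

# Constructed security.properties fragment. The key names and values are the
# ones proposed in OFBIZ-4958; the file content itself is assembled here.
SECURITY_PROPERTIES = """\
# Pattern based password validation (keys proposed in OFBIZ-4958)
security.login.password.pattern.enable=true
security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(numeric optional) and at-least one of following special characters: !@#$%^&*.
"""

def load_properties(text):
    """Simplified .properties reader (assumption, not java.util.Properties):
    '#' or '!' starts a comment, the value is everything after the first '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

class PasswordPolicy:
    def __init__(self, props, fallback_min_length=5):
        self.enabled = props.get("security.login.password.pattern.enable", "false").lower() == "true"
        self.description = props.get("security.login.password.pattern.description", "")
        self.fallback_min_length = fallback_min_length
        pattern = props.get("security.login.password.pattern", "")
        # Compile once at start-up; an unparseable pattern raises here rather than
        # silently letting every password through at validation time.
        self.regex = re.compile(pattern) if self.enabled and pattern else None

    def check(self, password):
        """Return (accepted, message). With the pattern disabled, only the
        thread's default minimum length (5 chars) is enforced."""
        if self.regex is None:
            ok = len(password) >= self.fallback_min_length
            return ok, "" if ok else f"Password must be at least {self.fallback_min_length} characters long"
        # fullmatch mirrors Java's String.matches(): the whole password must match.
        ok = self.regex.fullmatch(password) is not None
        return ok, "" if ok else self.description

def demo_results():
    """Constructed sample passwords run through the enabled policy."""
    policy = PasswordPolicy(load_properties(SECURITY_PROPERTIES))
    samples = [
        "abc!d",   # 5 chars, a letter and a special character: accepted
        "!abc",    # only 4 chars: rejected by (?=.{5,})
        "12345",   # no letter, no special character: rejected
        "ab cd!",  # accepted: '.' admits the space, so the "only alphanumeric
                   # and !@#$%^&*" wording is not actually enforced by the regex
    ]
    return {pw: policy.check(pw)[0] for pw in samples}

if __name__ == "__main__":
    for pw, accepted in demo_results().items():
        print(f"{pw!r:10} -> {'accepted' if accepted else 'rejected'}")
```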
[ https://issues.apache.org/jira/browse/OFBIZ-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13429979#comment-13429979 ]

Scott Gray commented on OFBIZ-4958:
-----------------------------------

Hi Sumit, I don't mind either way: either disable it by default or make the pattern less restrictive (probably only enforcing a minimum length). My only input into this issue is that I'd rather not see special characters and/or numbers be required by default.

Thanks
[ https://issues.apache.org/jira/browse/OFBIZ-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sumit Pandit updated OFBIZ-4958:
--------------------------------

Attachment: OFBIZ-4958.patch

Hi Scott, thanks for your comment and suggestion. Submitting a new patch keeping the password pattern enabled and making it less restrictive, i.e. minimum length 5 chars. Along with this, for reference purposes a more restrictive pattern exists in the comments. Please consider the patch in the attachment.

Thanks And Regards
Sumit Pandit
[ https://issues.apache.org/jira/browse/OFBIZ-4958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13509474#comment-13509474 ]

Leon commented on OFBIZ-4958:
-----------------------------

Very nice feature. Is there any conclusion?
