[MAGNOLIA-6980] Security Password Policies: Standard "Password Policies" needed in Magnolia (password expiration etc.) Created: 15/Mar/17  Updated: 24/May/23

Status: Open
Project: Magnolia
Component/s: security
Affects Version/s: 5.5.2
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Christian Ringele Assignee: Unassigned
Resolution: Unresolved Votes: 5
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Cloners
is cloned by MGNLPUR-196 Credentials expiring functionality Closed
Relates
causality
dependency
is depended upon by MGNLUI-2709 New password on login Open
is depended upon by MGNLUI-3501 Add possibility to force users to cha... Selected
relation
is related to MGNLUI-4267 Minimum length setting for password f... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Date of First Response:
Visible to:
Joseph Kamwena
Team: AdminX

Description

Magnolia provides only one single "Password Policy":

  • Max number of failed attempts.

The possible "Password Policies" should be extended to the default possibilities/functionality almost every system offers (even non-Enterprise ones):

  • Force change password on first login
  • Force change of password for a specific user
  • Force password strength and mandatory character usages
  • Force expiration time of all passwords
  • Force expiration time of a specific user
  • Force expiring all passwords now (everybody has to reset it now/next login)

Maybe also:

  • A central place to define password strengths, ideally per user realm (so different for public users).
    A PUR based login form won't know about any regexp based validator on the password form field.

Especially in combination with the PUR module and different types of users (Public Users) such functionality is very important. Public users are in most cases not managed via AD, to which some of this behavior could otherwise be delegated.

Comments
Comment by Sarang Khapli [ 30/Mar/17 ]

Any roadmap for this bug fix release?

Comment by Richard Gange [ 04/Aug/17 ]

I think we should also have a min length setting as well. MGNLUI-4267

Comment by Christopher Zimmermann [ 15/Jan/19 ]

It would also be good to support forgotten password emails.

Comment by Marc Johnen [ 29/Jan/19 ]

Common password policy requirements are also:

  • don't allow the last X passwords to be used again
  • force pattern like at least one special char, one uppercase letter ...
  • Force change password on expiration

Comment by Steven Young [ 03/Oct/19 ]

When is the "Force expiration time of all passwords" feature planned for release in Magnolia? Let us know the version/release date for this.

Comment by Jürgen Ulrich [ 20/Jan/20 ]

Are there any news about this ticket, if and when this feature is available?

Thanks and best
Jürgen

Comment by Richard Gange [ 06/May/20 ]

We are looking into it. Let me mention the workaround ideas for this. Typically 3rd party user managers have these different kinds of features already integrated. LDAP, AD and even Google login are supported now.
See:

Comment by Marc Johnen [ 06/May/20 ]

It should be easy enough with something like passay https://www.baeldung.com/java-passay.
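The policies requested in the description (forced change on first login, admin-forced change, strength and character-class rules, expiration, expire-all-now) and the history rule from the comment above can be sketched in plain Java without Passay. The following is an added example, not Magnolia or Passay code; the `Policy`, `UserAccount` names, the thresholds and the salted SHA-256 stand-in for the credential hash are assumptions for the example (a real implementation would compare against the same hash it stores for login). It needs Java 16+ for the record type.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/** Illustrative password policy; names and thresholds are assumptions, not Magnolia configuration. */
public final class PasswordPolicyExample {

    /** Policy settings, assumed to be configured once per user realm (e.g. admin vs. public). */
    record Policy(int minLength, boolean requireUpper, boolean requireLower, boolean requireDigit,
                  boolean requireSpecial, int historySize, Duration maxAge) {}

    /** Per-user state the policy needs. forceChange covers first login and admin-triggered resets. */
    static final class UserAccount {
        final byte[] salt = new byte[16];
        final List<String> hashHistory = new ArrayList<>(); // oldest first, newest last
        Instant passwordChangedAt;                          // null until a password is set
        boolean forceChange = true;                         // new accounts must change on first login

        UserAccount() { new SecureRandom().nextBytes(salt); }
    }

    /** Returns the policy violations for a candidate password; an empty list means accepted. */
    static List<String> validateNewPassword(Policy p, UserAccount u, String candidate) {
        List<String> errors = new ArrayList<>();
        if (candidate.length() < p.minLength()) errors.add("shorter than " + p.minLength() + " characters");
        if (p.requireUpper() && candidate.chars().noneMatch(Character::isUpperCase)) errors.add("no uppercase letter");
        if (p.requireLower() && candidate.chars().noneMatch(Character::isLowerCase)) errors.add("no lowercase letter");
        if (p.requireDigit() && candidate.chars().noneMatch(Character::isDigit)) errors.add("no digit");
        if (p.requireSpecial() && candidate.chars().allMatch(Character::isLetterOrDigit)) errors.add("no special character");
        // History rule: compare against the last N stored hashes, never against stored plaintext.
        String h = hash(u.salt, candidate);
        int from = Math.max(0, u.hashHistory.size() - p.historySize());
        if (u.hashHistory.subList(from, u.hashHistory.size()).contains(h)) {
            errors.add("matches one of the last " + p.historySize() + " passwords");
        }
        return errors;
    }

    /** True when the user must set a new password before proceeding (forced reset or maximum age exceeded). */
    static boolean mustChangePassword(Policy p, UserAccount u, Instant now) {
        if (u.forceChange || u.passwordChangedAt == null) return true;
        return Duration.between(u.passwordChangedAt, now).compareTo(p.maxAge()) > 0;
    }

    /** Applies a validated password, records its hash in the history and clears any forced-change flag. */
    static void setPassword(Policy p, UserAccount u, String candidate, Instant now) {
        List<String> errors = validateNewPassword(p, u, candidate);
        if (!errors.isEmpty()) throw new IllegalArgumentException("password rejected: " + errors);
        u.hashHistory.add(hash(u.salt, candidate));
        u.passwordChangedAt = now;
        u.forceChange = false;
    }

    /** "Force expiring all passwords now": every listed user must change at the next login. */
    static void expireAll(List<UserAccount> users) {
        users.forEach(user -> user.forceChange = true);
    }

    /** Salted SHA-256 stands in for the real credential hash (e.g. bcrypt) so the example has no dependencies. */
    static String hash(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return Base64.getEncoder().encodeToString(md.digest(password.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        Policy adminPolicy = new Policy(12, true, true, true, true, 5, Duration.ofDays(90));
        UserAccount alice = new UserAccount();
        Instant t0 = Instant.parse("2020-05-06T00:00:00Z"); // constructed timestamp

        System.out.println("must change on first login: " + mustChangePassword(adminPolicy, alice, t0)); // true
        System.out.println("weak password errors: " + validateNewPassword(adminPolicy, alice, "magnolia"));
        setPassword(adminPolicy, alice, "Correct-Horse-42", t0);
        System.out.println("reuse errors: " + validateNewPassword(adminPolicy, alice, "Correct-Horse-42"));
        System.out.println("expired after 91 days: "
                + mustChangePassword(adminPolicy, alice, t0.plus(Duration.ofDays(91)))); // true
        expireAll(List.of(alice));
        System.out.println("forced after expireAll: " + mustChangePassword(adminPolicy, alice, t0)); // true
    }
}
```

Keeping the history as hashes rather than plaintext is the part most often done wrong: a reuse check must hash the candidate with the same salt and function the stored credential uses, otherwise the history itself becomes a second, weaker copy of every old password.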

Generated at Mon Feb 12 04:19:37 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.