View Issue Details

ID: 14636
Project: Feature requests
Category: [All Projects] Security
View Status: public
Last Update: 2019-04-15 20:05
Reporter: DenisChenu
Assigned To: c_schmitz
Priority: none
Severity: feature
Status: assigned
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 14636: Admin password restriction
Description

It would be great to have an admin password restriction (or a plugin event for this; if it's already here: OK, I'll do the core plugin).

Additional Information

Default taken from config.php
Restricted super admin have a screen to update

Taken from nextcloud :

  • Minimum size
  • Prohibit current passwords
  • Imposing uppercase and lowercase characters
  • Imposing numbers
  • Imposing special characters
  • Check the password against the list of violated passwords on haveibeenpwned.com (maybe not this one).

config-default.php can be min size to 8 for starting

Tags: No tags attached.

Relationships

has duplicate 14736 (closed, DenisChenu, Bug reports): Missing password policy

Activities

DenisChenu

2019-04-04 07:58

developer   ~51334

OK in 4.0? Or did you already have a plugin for this?

Mazi

2019-04-05 08:54

partner   ~51359

DenisChenu, are you thinking of e.g. a new global setting at which superadmins can define the minimum password requirements by using the list you added above? That would be pretty useful.
I guess there are proper regex for checking the password requirements outlined above?

DenisChenu

2019-04-05 08:57

developer   ~51362

Last edited: 2019-04-05 08:58

Yes, in admin GUI.
Maybe on a core plugin activated by default ;)

I can do it for 4.0, I just wait …

blocka

2019-04-12 22:06

reporter   ~51462

I have code to enforce minimum password strength for Version 3.17.0+190402; see: https://bugs.limesurvey.org/view.php?id=9599
I will share the code and update the above issue report by Monday next week.

blocka

2019-04-13 05:11

reporter   ~51463

I have made modifications to the LS 3.x core to enforce password strength when an admin is editing a user account, or when a user edits their own password settings.

My solution doesn't use the gettranslation feature as I only required my solution to be in English. If this ends up in core, of course, texts should be translated.

The changes were made against build Version 3.17.0+190402, and involved the files:

\application\controllers\admin\useraction.php
\application\models\User.php
\application\views\admin\user\modifyuser.php
\application\views\admin\user\personalsettings.php

Password criteria can be specified via the config.php, using this format (min and max refer to the required length of the password, upper refers to uppercase, numeric is obvious, as is symbol).

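        // Update default LimeSurvey config here
    ),

    'params' => array(
        'passwordValidator' => array(
            'min' => 10,     // required password length (lower bound)
            'max' => 22,     // required password length (upper bound)
            'upper' => 3,    // uppercase characters
            'numeric' => 1,  // numeric characters
            'symbol' => 2,   // symbol characters
        ),
    ),

);
/* End of file config.php */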



application.zip (20,280 bytes)
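
How a policy array in the format shown in the note above could be checked, as an added example that is not blocka's code from application.zip and not LimeSurvey's own. The function name checkPasswordPolicy is hypothetical, and reading 'upper', 'numeric' and 'symbol' as minimum character counts is an assumption; the mbstring extension is assumed to be loaded.

```php
<?php
// Added example: not LimeSurvey code and not the code from application.zip.
// Assumption: 'upper', 'numeric' and 'symbol' are minimum character counts,
// and 'min'/'max' bound the password length.

/**
 * Hypothetical helper: returns a list of policy violations (empty = accepted).
 */
function checkPasswordPolicy(string $password, array $policy): array
{
    $errors = [];
    // Count characters, not bytes, so multi-byte UTF-8 input is measured correctly.
    $length = mb_strlen($password, 'UTF-8');

    if (isset($policy['min']) && $length < $policy['min']) {
        $errors[] = "at least {$policy['min']} characters required";
    }
    if (isset($policy['max']) && $length > $policy['max']) {
        $errors[] = "at most {$policy['max']} characters allowed";
    }

    // Unicode-aware character classes; a "symbol" here is anything that is
    // not a letter, digit or whitespace.
    $classes = [
        'upper'   => ['/\p{Lu}/u', 'uppercase letter(s)'],
        'numeric' => ['/\p{Nd}/u', 'digit(s)'],
        'symbol'  => ['/[^\p{L}\p{N}\s]/u', 'symbol(s)'],
    ];
    foreach ($classes as $key => [$regex, $label]) {
        $required = $policy[$key] ?? 0;
        // preg_match_all() returns the match count, or false on invalid UTF-8,
        // which also compares as "too few" and is reported as a violation.
        if ($required > 0 && preg_match_all($regex, $password) < $required) {
            $errors[] = "at least $required $label required";
        }
    }
    return $errors;
}

// Policy values copied from the config.php excerpt above.
$policy = ['min' => 10, 'max' => 22, 'upper' => 3, 'numeric' => 1, 'symbol' => 2];

// Constructed sample passwords.
foreach (['Summer2019', 'ABC-def-ghi-7!', 'correct horse battery staple'] as $candidate) {
    $errors = checkPasswordPolicy($candidate, $policy);
    echo $candidate, ' => ', $errors ? implode('; ', $errors) : 'accepted', PHP_EOL;
}
```

The third constructed sample is a long passphrase that fails on both the 'max' bound and the composition counts, which is worth weighing when choosing the values for a deployment.
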
ollehar

2019-04-15 18:02

administrator   ~51472

Can you make a PR on github, please?

blocka

2019-04-15 20:05

reporter   ~51473

PR created:
https://github.com/LimeSurvey/LimeSurvey/pull/1264

Issue History

Date Modified Username Field Change
2019-03-12 15:22 DenisChenu New Issue
2019-04-04 07:57 DenisChenu Relationship added has duplicate 14736
2019-04-04 07:58 DenisChenu Assigned To => c_schmitz
2019-04-04 07:58 DenisChenu Status new => feedback
2019-04-04 07:58 DenisChenu Note Added: 51334
2019-04-05 08:54 Mazi Note Added: 51359
2019-04-05 08:57 DenisChenu Note Added: 51362
2019-04-05 08:57 DenisChenu Status feedback => assigned
2019-04-05 08:58 DenisChenu Note Edited: 51362
2019-04-12 22:06 blocka Note Added: 51462
2019-04-13 05:11 blocka File Added: application.zip
2019-04-13 05:11 blocka Note Added: 51463
2019-04-15 18:02 ollehar Note Added: 51472
2019-04-15 20:05 blocka Note Added: 51473