Security enhancements
(CORE-283)
|
|
| Status: | Resolved |
| Project: | i2b2 Core Software |
| Component/s: | CRC Cell, PM Cell |
| Affects Version/s: | 1.7.10 |
| Fix Version/s: | 1.7.10 |
| Type: | Sub-Task | Priority: | Major |
| Reporter: | Janice Donahoe | Assignee: | Janice Donahoe |
| Resolution: | Done | Votes: | 0 |
| Labels: | wikirelease | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||
| Rank: | 0|hzzzyz: | ||||||||
| Sprint: | v1710.1 | ||||||||
| Affects Database/s: |
All databases
|
||||||||
| Participant/s: | |||||||||
| Description |
|
*** Part of the security enhancements update ***
Passwords must meet complexity requirements defined by the i2b2 Administrator. The requirements will be enforced when users change their passwords. A new error message will display if users do not meet the requirements when entering their new password. NEW PARAMETER A new Global Parameter was created to support the Enforce Complex Passwords feature. The new parameter is set within PM_GLOBAL_PARAMS table and will define the password complexity requirements. Once the parameter has been entered the feature will be turned on and all users will be required to follow the new requirements the next time they change their password. The only exception is when the password is set by the i2b2 Administrator from within the i2b2 Admin Module. Parameter Name: PM_COMPLEX_PASSWORD Parameter Value: [string of requirement variables] Parameter Data Type: Text COMPLEX REQUIREMENT VARIABLES When setting the parameter value for PM_COMPLEX_PASSWORD, each requirement is defined as an independent variable that is stored as a string in the VALUE column of the PM_GLOBAL_PARAMS table. Below are a list of the variables and the associated requirement that will be enforced. VARIABLES REQUIREMENT (?=.*[0-9]) Numbers (0-9) (?=.*[a-z]) Lower case letters (a-z) (?=.*[A-Z]) Upper case letters (A-Z) (?=.*[)(;:}{,.><!@#$%^&+=]) Special characters ()(;:}{,.><!@#$%^&+=) (?=\S+$).{8,} Password is a string and must be 8 characters The (?=\S+$).{8,} variable is always required when setting the PM_COMPLEX_PASSWORD parameter. The system needs to know that password is a string and the length of password. You do have the option to change the length to be greater or lesser than 8 characters. NEW ERROR MESSAGE The following error message will display if the user's new password doesn't meet the requirements. Password Requirements Be at least 8 characters Must contain - upper case letters (A-Z) - lower case letters (a-z) - numbers (0-9) - special character (,.!@()}{#$%^&+=) Must NOT contain - spaces - start or end with a special character |
| Comments |
| Comment by Janice Donahoe [ 01/Feb/18 ] |
| Complex passwords are required when a user enters a new password. Administrators are not required to enter complex passwords. This issue is blocked from testing until the problems with expired passwords have been resolved. |
| Comment by Janice Donahoe [ 17/Apr/18 ] |
| Tested and verified it is is working as designed. This feature will be included in the 1.7.10 release. |
[CORE-288]