Security enhancements (CORE-283)

[CORE-288] Enforce complex passwords Created: 24/Jan/18  Updated: 25/Apr/18  Resolved: 17/Apr/18

Status: Resolved
Project: i2b2 Core Software
Component/s: CRC Cell, PM Cell
Affects Version/s: 1.7.10
Fix Version/s: 1.7.10

Type: Sub-Task Priority: Major
Reporter: Janice Donahoe Assignee: Janice Donahoe
Resolution: Done Votes: 0
Labels: wikirelease
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
blocks CORE-289 Mandatory password change Resolved
Rank: 0|hzzzyz:
Sprint: v1710.1
Affects Database/s:
All databases

*** Part of the security enhancements update ***

Passwords must meet complexity requirements defined by the i2b2 Administrator. The requirements will be enforced when users change their passwords. A new error message will display if users do not meet the requirements when entering their new password.


A new Global Parameter was created to support the Enforce Complex Passwords feature. The parameter is set in the PM_GLOBAL_PARAMS table and defines the password complexity requirements. Once the parameter has been entered, the feature is turned on and all users must follow the new requirements the next time they change their password. The only exception is when the password is set by the i2b2 Administrator from within the i2b2 Admin Module.

                             Parameter Name: PM_COMPLEX_PASSWORD
                             Parameter Value: [string of requirement variables]
                             Parameter Data Type: Text


When setting the parameter value for PM_COMPLEX_PASSWORD, each requirement is defined as an independent variable, and the chosen variables are concatenated into a single string stored in the VALUE column of the PM_GLOBAL_PARAMS table. Below is a list of the variables and the requirement each one enforces.

          (?=.*[0-9]) Numbers (0-9)
          (?=.*[a-z]) Lower case letters (a-z)
          (?=.*[A-Z]) Upper case letters (A-Z)
          (?=.*[)(;:}{,.><!@#$%^&+=]) Special characters ()(;:}{,.><!@#$%^&+=)
          (?=\S+$).{8,} Password is a single string with no whitespace and must be at least 8 characters

The (?=\S+$).{8,} variable is always required when setting the PM_COMPLEX_PASSWORD parameter: it tells the system that the password is a single string containing no whitespace and sets the minimum length. You can change the 8 to require a longer or shorter minimum length.
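As an added example (not i2b2's own code), the following Python composes a PM_COMPLEX_PASSWORD value from the variables listed above and checks candidate passwords against it, reporting which listed requirement a rejected password misses. The requirement labels, the function names and the sample passwords are my own constructions; the regular expressions are the ones from the list.

```python
import re

# The requirement variables exactly as listed above, keyed by a descriptive label.
# The administrator concatenates the chosen variables to form the VALUE string.
REQUIREMENTS = {
    "number":  r"(?=.*[0-9])",
    "lower":   r"(?=.*[a-z])",
    "upper":   r"(?=.*[A-Z])",
    "special": r"(?=.*[)(;:}{,.><!@#$%^&+=])",
}
ALL_NAMES = ["number", "lower", "upper", "special"]


def length_variable(min_len: int = 8) -> str:
    """The mandatory variable: no whitespace anywhere, and at least min_len characters."""
    return r"(?=\S+$).{%d,}" % min_len


def build_policy(names, min_len: int = 8) -> str:
    """Compose the PM_COMPLEX_PASSWORD VALUE string from the chosen requirement labels.
    The length variable is always appended because the policy requires it."""
    return "".join(REQUIREMENTS[n] for n in names) + length_variable(min_len)


# Constructed default: every listed requirement plus the 8-character minimum.
DEFAULT_POLICY = build_policy(ALL_NAMES)


def meets_policy(password: str, policy: str = DEFAULT_POLICY) -> bool:
    """True if the password satisfies the whole policy string.
    fullmatch is used so the trailing .{n,} has to consume the entire password."""
    return re.fullmatch(policy, password) is not None


def unmet(password: str, names=ALL_NAMES, min_len: int = 8):
    """Return the labels of the requirements a candidate password fails.
    Each lookahead variable is tested on its own: re.match succeeds (with an
    empty match) exactly when the lookahead holds at the start of the string."""
    failed = [n for n in names if re.match(REQUIREMENTS[n], password) is None]
    if re.fullmatch(length_variable(min_len), password) is None:
        failed.append("length/whitespace")
    return failed


if __name__ == "__main__":
    for candidate in ["Abcdef1!", "abcdefg1!", "Abc def1!", "Ab1!"]:
        print(candidate, meets_policy(candidate), unmet(candidate))
```

The helper only checks what the listed variables check; a password containing whitespace fails the mandatory variable because \S+$ cannot reach the end of the string.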


The following error message will display if the user's new password doesn't meet the requirements.

             Password Requirements
                  Be at least 8 characters

                  Must contain
                        - upper case letters (A-Z)
                        - lower case letters (a-z)
                        - numbers (0-9)
                        - special character (,.!@()}{#$%^&+=)
                  Must NOT contain
                        - spaces
                        - start or end with a special character

Comment by Janice Donahoe [ 01/Feb/18 ]
Complex passwords are required when a user enters a new password. Administrators are not required to enter complex passwords. This issue is blocked from testing until the problems with expired passwords have been resolved.
Comment by Janice Donahoe [ 17/Apr/18 ]
Tested and verified it is working as designed. This feature will be included in the 1.7.10 release.
Generated at Sun Apr 05 16:27:27 UTC 2020 using JIRA 7.6.3#76005-sha1:8a4e38d34af948780dbf52044e7aafb13a7cae58.