This is a very "large" ticket. We need to split this into different tickets for someone to pick up at Introductory level. Do we have any idea how we would like to implement this? For instance: Will the configuration go into a database table? Where will the configuration screen be? Can we start by not allowing this to be configurable, but hardcoding some rules, and later making them configurable? For instance:
Password length: min 8 characters, with one special character and one number mandatory. Password to be reset every 4 months (although this feature is usually debatable, as it can make people use weak, easy-to-remember/guess passwords; read the pros/cons here: http://en.wikipedia.org/wiki/Password_policy). This feature should be "switch-off/on" system wide. Not allow the user to reuse any of the last 3 passwords.
PASSWORD STRENGTH: We should also consider adding a "Strength" indicator, and maybe reject passwords that are too weak. This could be a separate JIRA item itself. We could refer to: http://www.passwordmeter.com/ (has a JavaScript that can maybe be used under GPL; need to try). Or use the simpler: http://www.paulund.co.uk/password-strength-indicator-jquery
Alternatively, the backend can have a Java-based strength checker, which the UI can call via AJAX. See: http://stackoverflow.com/questions/3200292/password-strength-checking-library https://code.google.com/p/vt-middleware/wiki/vtpassword
Expiring the user session if it's not used is different from password policy, and should be a different JIRA ticket, I think. Can be set to 15 minutes, but needs to be configurable.
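The hardcoded rules proposed in the comment (min length, special character, number, last 3 passwords, 4-month expiry behind a system-wide switch), as an added Python illustration; this is not code from the ticket or the project, and the salted PBKDF2 storage of the password history and the 120-day reading of "4 months" are assumptions.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timedelta

# Rules from the ticket, hardcoded for now; later these become configuration.
MIN_LENGTH = 8
HISTORY_DEPTH = 3
MAX_AGE = timedelta(days=120)  # "every 4 months", approximated (assumption)
EXPIRY_ENABLED = True  # the system-wide on/off switch for expiry

SPECIAL = re.compile(r"[^A-Za-z0-9]")
DIGIT = re.compile(r"[0-9]")


def hash_password(password, salt=None):
    """Salted PBKDF2 digest kept instead of the password; returns (salt_hex, digest_hex)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex(), digest.hex()


def check_new_password(password, history):
    """Return the list of rule violations for a candidate password (empty list = accepted).

    history: list of (salt_hex, digest_hex) for previous passwords, most recent first.
    Only digests are stored, so reuse is detected by re-deriving with the old salt.
    """
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"at least {MIN_LENGTH} characters")
    if not SPECIAL.search(password):
        errors.append("at least one special character")
    if not DIGIT.search(password):
        errors.append("at least one number")
    for salt_hex, digest_hex in history[:HISTORY_DEPTH]:
        _, candidate = hash_password(password, bytes.fromhex(salt_hex))
        if hmac.compare_digest(candidate, digest_hex):  # constant-time comparison
            errors.append(f"must differ from the last {HISTORY_DEPTH} passwords")
            break
    return errors


def password_expired(last_changed, now=None):
    """True when expiry is switched on and the password is older than MAX_AGE."""
    if not EXPIRY_ENABLED:
        return False
    now = now or datetime.utcnow()
    return now - last_changed > MAX_AGE
```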