On Monday 03 December 2007 17:25, xavier dutoit wrote:
> Oops, about your spec:
>
> "When the password expires, the system MUST NOT accept it for logging
> in. However, the
> system MUST accept the old password as validation when entering the
> new password."
>
> Not the right way. Should be:
> "When the password expires, the system MUST accept it for logging in
> BUT only to display a page 'Password expired, please choose new
> one+form to set it'."

Exactly what I meant. Could have been written in a better way :)

> 1) the system MUST NOT keep the passwords in clear text
> (standard, but as you wrote it keeps a history of the password and
> it's a history of hash, better clarify )
>
> 2) The expiry date should be accessible from the template (eg when you
> fetch user, so you can add a warning+link to the change password page

Agreed, thanks. Improved version attached.

Gunnstein

> On 03/12/2007, Gunnstein Lye <[EMAIL PROTECTED]> wrote:
> > Hello all!
> >
> > I have attached a little specification of some new password handling
> > features:
> > - password validation constraints
> > - password expiration
> >
> > I'd like to know if some or all of this has already been implemented,
> > and if the author is willing to share?
> >
> > best regards,
> > --
> > Gunnstein Lye
> > Systems engineer
> > [EMAIL PROTECTED] | eZ Systems | http://ez.no
> >
> > --
> > Sdk-public mailing list
> > [email protected]
> > http://lists.ez.no/mailman/listinfo/sdk-public

-- 
Gunnstein Lye
Systems engineer
[EMAIL PROTECTED] | eZ Systems | http://ez.no
SPECIFICATION FOR PASSWORD EXPIRY AND VALIDATION
------------------------------------------------
Gunnstein Lye <[EMAIL PROTECTED]>
3.12.2007
v.0.2

A specification for added and improved password features:
- password validation constraints
- password expiration

1. Password validation constraints

A password MUST contain:
- at least one* letter a-z or A-Z
- at least one* number 0-9

*) The count MAY be made configurable, but this is not required.

The password length MUST be greater than or equal to site.ini [UserSettings] MinPasswordLength
(Not a new feature, this is standard.)

The password MAY contain other characters, including but not limited to Japanese, IF site.ini [UserSettings] UseSpecialCharacters=true
(Not a new feature, this is standard.)

2. Password expiration

Passwords MUST have a limited lifetime. The length of the lifetime MUST be configurable. The system MUST accept 0 (zero) as a valid lifetime length, and MUST interpret this to mean no limit (infinite lifetime).

At a set time before the password expires, the system MUST send an email to the user, stating that the password is about to expire. The time MUST be configurable. The text of the email MUST be configurable (template).

When the password expires, the system MUST NOT accept it for gaining access to any content or feature other than the form where the user enters the new password.

The system MUST check that the new password is not the same as the old one. The new and the old passwords MUST be different.

The system MUST keep a history of old passwords. This history MUST be personal (per user). New passwords MUST NOT be equal to any password in the history. The password history MUST use the same password storage format as the rest of the system (which by default saves a hash, not the clear text password). The length of the password history MUST be configurable. The system MUST accept 0 (zero) as a valid history length, and MUST interpret this to mean no limit (infinite history).

The password expiration date MUST be accessible via the user object, so that a warning can be displayed in templates (f.ex. "Your password will expire in 10 days, please change it [LINK]").

3. Configuration

All settings MUST be editable in the admin interface. The standard INI settings editor is acceptable.
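The rules in sections 1 and 2 of the attached specification (validation constraints, expiry with 0 meaning infinite lifetime, a per-user history kept as hashes, and an expired password admitted only to the change-password form) are compact enough to model end to end. The following is an added example written for this thread; it is not eZ Systems code and does not reflect how eZ Publish implements any of this. The setting names MinPasswordLength and UseSpecialCharacters are taken from the spec; lifetime_days, warn_days and history_length are assumed names for the lifetime, warning time and history length the spec says must be configurable, and salted PBKDF2 is an assumed storage format standing in for "the same format as the rest of the system".

```python
"""Added example, not eZ Systems code: a minimal model of the password
validation, expiry and history rules in the spec above. Setting names
MinPasswordLength and UseSpecialCharacters come from the spec; the
others (lifetime_days, warn_days, history_length) are assumed names."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

ASCII_ALNUM = set(string.ascii_letters + string.digits)


def validate_password(password: str, min_length: int = 8,
                      use_special_characters: bool = False) -> Tuple[bool, str]:
    """Section 1: at least one letter a-z/A-Z, at least one digit 0-9,
    MinPasswordLength, and characters outside [A-Za-z0-9] (e.g. Japanese)
    only when UseSpecialCharacters is true."""
    if len(password) < min_length:
        return False, "too short"
    if not any(c in string.ascii_letters for c in password):
        return False, "needs a letter a-z or A-Z"
    if not any(c in string.digits for c in password):
        return False, "needs a number 0-9"
    if not use_special_characters and any(c not in ASCII_ALNUM for c in password):
        return False, "special characters not allowed"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 (assumed format) so neither the live password nor the
    history ever holds clear text, as the spec requires."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison of the recomputed digest against the stored one.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class UserAccount:
    current: Tuple[bytes, bytes]            # (salt, digest) of the live password
    changed_at: datetime                    # when it was last set
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)

    @classmethod
    def create(cls, password: str, now: datetime) -> "UserAccount":
        return cls(current=hash_password(password), changed_at=now)

    def in_history(self, password: str) -> bool:
        """Section 2: the new password must differ from the current one and
        from every entry in the per-user history (compared via hashes)."""
        return any(check_password(password, s, d) for s, d in [self.current] + self.history)

    def change_password(self, new_password: str, now: datetime,
                        history_length: int = 5, **policy) -> Tuple[bool, str]:
        ok, why = validate_password(new_password, **policy)
        if not ok:
            return False, why
        if self.in_history(new_password):
            return False, "password was used before"
        self.history.append(self.current)
        if history_length > 0:              # 0 means unlimited history
            self.history = self.history[-history_length:]
        self.current = hash_password(new_password)
        self.changed_at = now
        return True, "changed"

    def expires_at(self, lifetime_days: int) -> Optional[datetime]:
        """Exposed for templates; None means infinite lifetime (lifetime 0)."""
        if lifetime_days <= 0:
            return None
        return self.changed_at + timedelta(days=lifetime_days)

    def is_expired(self, now: datetime, lifetime_days: int) -> bool:
        exp = self.expires_at(lifetime_days)
        return exp is not None and now >= exp

    def warning_due(self, now: datetime, lifetime_days: int, warn_days: int) -> bool:
        """True inside the configurable window before expiry, i.e. when the
        reminder email or template warning should be shown."""
        exp = self.expires_at(lifetime_days)
        return (exp is not None and not self.is_expired(now, lifetime_days)
                and now >= exp - timedelta(days=warn_days))


def login(account: UserAccount, password: str, now: datetime, lifetime_days: int) -> str:
    """The only destination the session may reach: 'denied',
    'change_password_form' (an expired password is accepted solely for that
    page, per xavier's correction) or 'site'."""
    salt, digest = account.current
    if not check_password(password, salt, digest):
        return "denied"
    if account.is_expired(now, lifetime_days):
        return "change_password_form"
    return "site"
```

The point worth noting is in `login`: an expired password still authenticates, but the return value is a single routing decision, so the caller cannot accidentally grant site access on the expired path. Everything else (lifetime, warning window, history length) takes 0 as "no limit" exactly as the spec states.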
