Enforcing Password Policies
Posted: Tue May 29, 2018 1:57 am
by marc
No matter how secure you make a user’s password initially, the user will eventually choose his own password. (Choosing a one-character password is possible!)
How to set account policies that define a secure password?
What possibilities does nuBuilder offer? Esp. when used in a company with sensitive data it's essential (data protection)
Can you tell me about your experience?
e.g.
Maximum Password Age
Passwords must have at least 8 characters.
Passwords can’t contain the user name or parts of the user’s full name, such as his first name.
Passwords must use at least three of the four available character types: lowercase letters, uppercase.
Re: Enforcing Password Policies
Posted: Sat Jun 02, 2018 5:00 am
by admin
marc,
Sorry, but you can't do this in nuBuilder.
Steven
Re: Enforcing Password Policies
Posted: Sat Jun 02, 2018 6:21 am
by toms
Steven,
nuBuilder could easily implement such a feature in a very generic way (and it would be optional, up to the user to implement it or not). So every user could implement their own password policy check.
And I agree with marc, this would be a very important feature to improve nuBuilder's security.
All you would have to do is add 7 rows to BS of the nuPassword form to make such a feature possible.
[Attachment: bs_password.PNG]
This would check for the existence of a function (let's call it nuCheckPasswordPolicy() ).
-> If present, the saving just succeeds if the check returns true.
-> If there is no such function, the saving would work as it is now.
Then the user can create his own nuCheckPasswordPolicy() procedure.
Example:
Code:
function nuCheckPasswordPolicy() {

    // Hash cookies, filled in by nuBuilder with the values from the password form
    $oldpw = '#old_password#';
    $newpw = '#new_password#';
    $passwordErr = "";

    // Minimum length
    if (strlen($newpw) < 8) {
        $passwordErr .= "Your Password Must Contain At Least 8 Characters!<br>";
    }

    // At least one digit
    if (!preg_match("#[0-9]+#", $newpw)) {
        $passwordErr .= "Your Password Must Contain At Least 1 Number!<br>";
    }

    // At least one uppercase letter
    if (!preg_match("#[A-Z]+#", $newpw)) {
        $passwordErr .= "Your Password Must Contain At Least 1 Capital Letter!<br>";
    }

    // At least one lowercase letter
    if (!preg_match("#[a-z]+#", $newpw)) {
        $passwordErr .= "Your Password Must Contain At Least 1 Lowercase Letter!<br>";
    }

    // Report all collected violations at once and block the save
    if (strlen($passwordErr) > 0) {
        nuDisplayError($passwordErr);
        return false;
    } else {
        return true;
    }

}

$check = nuCheckPasswordPolicy();
Re: Enforcing Password Policies
Posted: Sun Jun 03, 2018 7:29 am
by admin
.
Re: Enforcing Password Policies
Posted: Thu Jun 28, 2018 2:55 pm
by marc
toms, good idea.
@admin: is it possible to make this change?
toms wrote:
All you would have to do is add 7 rows to BS of the nuPassword form to make such a feature possible.
Re: Enforcing Password Policies
Posted: Fri Jun 29, 2018 9:17 am
by admin
Guys,
I have added that now in the Before Save.
It's in Github now.
You'll need to get it and run Update.
Please let me know if it works and then I'll update the wiki and include toms sample procedure.
Steven
Re: Enforcing Password Policies
Posted: Mon Jul 02, 2018 9:53 am
by toms
It all works fine here and I've updated my sample procedure:
Code:
function nuCheckPasswordPolicy() {

    // Hash cookies, filled in by nuBuilder with the values from the password form
    $oldpw = '#old_password#';
    $newpw = '#new_password#';
    $passwordErr = "";

    // The new password must differ from the current one
    if ($newpw === $oldpw) {
        $passwordErr .= "The provided New Password cannot be the same as the Current Password!<br>";
    }

    // Minimum length
    if (strlen($newpw) < 8) {
        $passwordErr .= "Your Password must contain at least 8 Characters!<br>";
    }

    // At least one digit
    if (!preg_match("#[0-9]+#", $newpw)) {
        $passwordErr .= "Your Password must contain at least 1 Number!<br>";
    }

    // At least one uppercase letter
    if (!preg_match("#[A-Z]+#", $newpw)) {
        $passwordErr .= "Your Password must contain at least 1 Capital Letter!<br>";
    }

    // At least one lowercase letter
    if (!preg_match("#[a-z]+#", $newpw)) {
        $passwordErr .= "Your Password must contain at least 1 Lowercase Letter!<br>";
    }

    // At least one special character
    if (!preg_match('/[\'\/~`\!@#\$%\^&\*\(\)_\-\+=\{\}\[\]\|;:"\<\>,\.\?\\\]/', $newpw)) {
        $passwordErr .= "Your Password must contain at least 1 Special Character!<br>";
    }

    // Report all collected violations at once and block the save
    if (strlen($passwordErr) > 0) {
        nuDisplayError($passwordErr);
        return false;
    } else {
        return true;
    }

}

$check = nuCheckPasswordPolicy();
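The following is an added example, not part of toms's post and not nuBuilder code. It is a stand-alone PHP check for the rules marc listed that the procedure above does not cover: the user-name/full-name rule and "three of the four character types". The function name, its parameters and the sample values are hypothetical, the four types are assumed to be lowercase, uppercase, digits and everything else, and Maximum Password Age is left out because it needs a stored change date.

```php
<?php
// Added example: hypothetical stand-alone policy check (requires the mbstring extension).
// Returns a list of violations; an empty list means the password passes.
function checkPasswordPolicy(string $newpw, string $oldpw, string $userName, string $fullName): array
{
    $errors = [];

    if ($newpw === $oldpw) {
        $errors[] = 'New password must differ from the current password.';
    }

    // Count characters, not bytes, so multi-byte passwords are measured correctly.
    if (mb_strlen($newpw, 'UTF-8') < 8) {
        $errors[] = 'Password must contain at least 8 characters.';
    }

    // Assumed character types: lowercase, uppercase, digit, anything else.
    $classes = 0;
    foreach (['/\p{Ll}/u', '/\p{Lu}/u', '/\p{Nd}/u', '/[^\p{L}\p{Nd}]/u'] as $pattern) {
        $classes += preg_match($pattern, $newpw) === 1 ? 1 : 0;
    }
    if ($classes < 3) {
        $errors[] = 'Password must use at least three of the four character types.';
    }

    // Reject passwords containing the user name or any part of the full name.
    $parts = preg_split('/[\s.,_\-]+/u', $fullName, -1, PREG_SPLIT_NO_EMPTY) ?: [];
    $parts[] = $userName;
    $haystack = mb_strtolower($newpw, 'UTF-8');
    foreach ($parts as $part) {
        // Assumption: parts shorter than 3 characters are ignored to avoid false positives.
        if (mb_strlen($part, 'UTF-8') >= 3
            && mb_strpos($haystack, mb_strtolower($part, 'UTF-8')) !== false) {
            $errors[] = 'Password must not contain your user name or parts of your name.';
            break;
        }
    }

    return $errors;
}

// Constructed sample input: user "marc" with the made-up full name "Marc Example".
foreach (['a', 'Marc2018!', 'correct Horse 42'] as $candidate) {
    $errors = checkPasswordPolicy($candidate, 'OldSecret1!', 'marc', 'Marc Example');
    echo $candidate, ': ', $errors ? implode(' | ', $errors) : 'OK', PHP_EOL;
}
```

Inside a nuCheckPasswordPolicy() procedure like the one above, the returned messages could be joined with "<br>" and passed to nuDisplayError().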
Re: Enforcing Password Policies
Posted: Tue Jul 03, 2018 5:17 am
by admin
toms,
Thanks for that.
This has now been added to the wiki.
https://wiki.nubuilder.cloud/ ... d_Policies
Steven
Re: Enforcing Password Policies
Posted: Fri Jul 06, 2018 8:22 am
by marc
Thank you both, works for me too
Re: Enforcing Password Policies
Posted: Fri Jul 06, 2018 8:06 pm
by admin
.