Changes at "Strong password policy for Admin users"
Title
- +{"en"=>"Strong password policy for Admin users"}
Body
-
+["
Ref. GDPR07
Is your feature request related to a problem? Please describe.
As an administrator, I want to have better rules for the security of my user account.Describe the solution youād like
We should have stronger password rules for administrator users, like:
- it should change every 90 days
- it should not be repeated (for the last 5 times)
- it should have at least 15 characters
As in other related APIs and configurations, this should have an initializer/secret/environment variable.
In all cases, the password still needs to pass the PasswordValidator
DECIDIM_ADMIN_PASSWORD_STRONG_ENABLE
True by default
If enabled itāll check that the password has at least one lowercase, one uppercase, one number and one special character
DECIDIM_ADMIN_PASSWORD_MIN_CHARACTERS
15 by default
DECIDIM_ADMIN_PASSWORD_DAYS_EXPIRATION
90 by default
After this many days without changing the password, when an administrator logins it should see a āChange my passwordā form
DECIDIM_ADMIN_PASSWORD_REPETITION_TIMES
5 by default
When an administrator changes its password, it canāt reuse these old passwords.
Describe alternatives youāve considered
To not be able to change this kind of settings, but some organizations would want to relax or make stricter these rulesDoes this issue could impact on users private data?
Yes, itās about passwords.Acceptance criteria
- Given that the app has disabled the DECIDIM_ADMIN_PASSWORD_STRONG_ENABLE env var,
And Iām an administrator
When I change my password and give a password without one lowercase, one uppercase, one number or one special character
Then itās says that the provided password is valid - Given that the app has enabled the DECIDIM_ADMIN_PASSWORD_STRONG_ENABLE env var,
And Iām an administrator
When I change my password and give a password without one lowercase, one uppercase, one number or one special character
Then itās says that the provided password is invalid - Given that the app has enabled the DECIDIM_ADMIN_PASSWORD_STRONG_ENABLE env var,
And Iām an administrator
When I change my password and give a password with one lowercase, one uppercase, one number or one special character
Then itās says that the provided password is valid - Given that the app has set up the DECIDIM_ADMIN_PASSWORD_MIN_CHARACTERS env var to 8,
And Iām an administrator
When I change my password and give a password with 7 characters
Then itās says that the provided password is invalid - Given that the app has set up the DECIDIM_ADMIN_PASSWORD_MIN_CHARACTERS env var to 8,
And Iām an administrator
When I change my password and give a password with 9 characters
Then itās says that the provided password is valid - Given that the app has set up the DECIDIM_ADMIN_PASSWORD_DAYS_EXPIRATION env var to 30,
And Iām an administrator that has changed its password 31 days ago
When I login
Then Iām asked to change my password - Given that the app has set up the DECIDIM_ADMIN_PASSWORD_DAYS_EXPIRATION env var to 30,
And Iām an administrator that has changed its password 7 days ago
When I login
Then Iām not asked to change my password - Given that the app has set up the DECIDIM_ADMIN_PASSWORD_REPETITION_TIMES env var to 2,
And Iām an administrator
When I change my password and give my old password
Then itās says that the provided password is invalid
Share