
Changes at "Strong password policy for Admin users"

Author: Andrés

Title

Strong password policy for Admin users

Body

Ref. GDPR07

Is your feature request related to a problem? Please describe.
As an administrator, I want to have better rules for the security of my user account.

Describe the solution you'd like

We should have stronger password rules for administrator users, like:

• it should change every 90 days
• it should not be repeated (for the last 5 times)
• it should have at least 15 characters

As in other related APIs and configurations, this should have an initializer/secret/environment variable.

In all cases, the password still needs to pass the PasswordValidator.

DECIDIM_ADMIN_PASSWORD_STRONG_ENABLE

True by default

If enabled, it'll check that the password has at least one lowercase, one uppercase, one number and one special character.

DECIDIM_ADMIN_PASSWORD_MIN_CHARACTERS

15 by default

DECIDIM_ADMIN_PASSWORD_DAYS_EXPIRATION

90 by default

After this many days without changing the password, when an administrator logs in they should see a "Change my password" form.

DECIDIM_ADMIN_PASSWORD_REPETITION_TIMES

5 by default

When an administrator changes their password, they can't reuse these old passwords.

Describe alternatives you've considered
Not being able to change this kind of setting at all, but some organizations would want to relax these rules or make them stricter.

Could this issue impact users' private data?
Yes, it's about passwords.

Acceptance criteria

• Given that the app has disabled the DECIDIM_ADMIN_PASSWORD_STRONG_ENABLE env var,
  And I'm an administrator
  When I change my password and give a password without one lowercase, one uppercase, one number or one special character
  Then it says that the provided password is valid
• Given that the app has enabled the DECIDIM_ADMIN_PASSWORD_STRONG_ENABLE env var,
  And I'm an administrator
  When I change my password and give a password without one lowercase, one uppercase, one number or one special character
  Then it says that the provided password is invalid
• Given that the app has enabled the DECIDIM_ADMIN_PASSWORD_STRONG_ENABLE env var,
  And I'm an administrator
  When I change my password and give a password with one lowercase, one uppercase, one number or one special character
  Then it says that the provided password is valid
• Given that the app has set up the DECIDIM_ADMIN_PASSWORD_MIN_CHARACTERS env var to 8,
  And I'm an administrator
  When I change my password and give a password with 7 characters
  Then it says that the provided password is invalid
• Given that the app has set up the DECIDIM_ADMIN_PASSWORD_MIN_CHARACTERS env var to 8,
  And I'm an administrator
  When I change my password and give a password with 9 characters
  Then it says that the provided password is valid
• Given that the app has set up the DECIDIM_ADMIN_PASSWORD_DAYS_EXPIRATION env var to 30,
  And I'm an administrator that has changed their password 31 days ago
  When I log in
  Then I'm asked to change my password
• Given that the app has set up the DECIDIM_ADMIN_PASSWORD_DAYS_EXPIRATION env var to 30,
  And I'm an administrator that has changed their password 7 days ago
  When I log in
  Then I'm not asked to change my password
• Given that the app has set up the DECIDIM_ADMIN_PASSWORD_REPETITION_TIMES env var to 2,
  And I'm an administrator
  When I change my password and give my old password
  Then it says that the provided password is invalid
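The policy described in the proposal, worked through as an added Ruby example that is not part of the proposal or of Decidim's code. The class `AdminPasswordPolicy`, its method names, the history record shape and the use of salted PBKDF2-SHA256 from the Ruby standard library to store old passwords (standing in for whatever hashing the real application already uses) are assumptions made for this example; only the four environment variable names and their defaults come from the proposal. The application's existing PasswordValidator is not modelled.

```ruby
require "openssl"
require "securerandom"
require "time"

# Example model of the proposed admin password policy (not Decidim code).
# Env var names and defaults follow the proposal; everything else is assumed.
class AdminPasswordPolicy
  DEFAULTS = {
    strong_enable: true,   # DECIDIM_ADMIN_PASSWORD_STRONG_ENABLE
    min_characters: 15,    # DECIDIM_ADMIN_PASSWORD_MIN_CHARACTERS
    days_expiration: 90,   # DECIDIM_ADMIN_PASSWORD_DAYS_EXPIRATION
    repetition_times: 5    # DECIDIM_ADMIN_PASSWORD_REPETITION_TIMES
  }.freeze

  FALSY = %w[false 0 no off].freeze

  # Build a policy from environment-style settings; anything unset falls back
  # to the defaults above. `env` may be ENV itself or any Hash of strings.
  def self.from_env(env = ENV)
    new(
      strong_enable: !FALSY.include?(env.fetch("DECIDIM_ADMIN_PASSWORD_STRONG_ENABLE", "true").downcase),
      min_characters: Integer(env.fetch("DECIDIM_ADMIN_PASSWORD_MIN_CHARACTERS", DEFAULTS[:min_characters])),
      days_expiration: Integer(env.fetch("DECIDIM_ADMIN_PASSWORD_DAYS_EXPIRATION", DEFAULTS[:days_expiration])),
      repetition_times: Integer(env.fetch("DECIDIM_ADMIN_PASSWORD_REPETITION_TIMES", DEFAULTS[:repetition_times]))
    )
  end

  # Store a password in the history as a random-salted PBKDF2-SHA256 digest,
  # so previous passwords are never kept in clear (assumed scheme).
  def self.digest(password, salt = SecureRandom.hex(16))
    key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000, length: 32, hash: "sha256")
    { salt: salt, digest: key.unpack1("H*") }
  end

  def initialize(**overrides)
    @settings = DEFAULTS.merge(overrides)
  end

  # Readers for each setting: strong_enable, min_characters, ...
  DEFAULTS.each_key { |key| define_method(key) { @settings[key] } }

  # Rule violations for a candidate password (empty array means valid).
  # `history` holds the administrator's previous digests, most recent first.
  def validate(candidate, history: [])
    errors = []
    errors << "must have at least #{min_characters} characters" if candidate.length < min_characters
    if strong_enable && !strong?(candidate)
      errors << "must contain one lowercase, one uppercase, one number and one special character"
    end
    errors << "must not repeat any of the last #{repetition_times} passwords" if reused?(candidate, history)
    errors
  end

  def valid?(candidate, history: [])
    validate(candidate, history: history).empty?
  end

  # True once the password is older than the expiration window, i.e. the
  # administrator should be sent to the "Change my password" form at login.
  def expired?(changed_at, now: Time.now)
    (now - changed_at) > days_expiration * 86_400
  end

  private

  def strong?(password)
    password.match?(/[a-z]/) && password.match?(/[A-Z]/) &&
      password.match?(/[0-9]/) && password.match?(/[^A-Za-z0-9]/)
  end

  # Re-derive the candidate with each stored salt and compare in constant time,
  # checking only the most recent `repetition_times` entries.
  def reused?(candidate, history)
    history.first(repetition_times).any? do |record|
      attempt = self.class.digest(candidate, record[:salt])[:digest]
      constant_time_equal?(attempt, record[:digest])
    end
  end

  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  policy = AdminPasswordPolicy.new(min_characters: 8)
  p policy.validate("Abcde1!")   # 7 characters: too short
  p policy.validate("abcdefgh")  # lacks uppercase, number and special character
  p policy.valid?("Abcdef1!")    # true
end
```

The history check deliberately rehashes the candidate once per stored entry rather than keeping old passwords in a reversible form; with five entries and 100,000 PBKDF2 iterations this costs a fraction of a second per password change, which is acceptable for an administrator action. `expired?` takes the clock as a parameter so the 30-day criteria can be exercised deterministically.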
