Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Password improvements #2842

Closed
11 tasks done
craigh opened this issue Apr 5, 2016 · 5 comments
Closed
11 tasks done

Password improvements #2842

craigh opened this issue Apr 5, 2016 · 5 comments
Assignees
@craigh
Labels
Feature
Milestone
3.0.0

Comments

@craigh
Copy link
Member

craigh commented Apr 5, 2016
edited
Loading

Passwords and password management must be significantly improved.

http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords

http://www.dev-metal.com/use-php-5-5-password-hashing-functions/

php 5.5 is required for php password functions, but Symfony has polyfill loaded for 5.4 so we can begin using anytime.

  • update algorithm to scrypt or bcrypt
  • figure out way to update all existing passwords
  • allow admin to reset user password with temporary password being sent to user and force update on first login. (this was already implemented)
  • provide simple method for global 'reset' of all passwords including notification of temporary passwords to users via email in the event of site breach.
  • use native php (polyfill) where possible.
  • increase standard required default length of user password to at least 8 (currently 5)
  • Password configuration - allow the admin to select 'degrees' of password security:
    • require numbers yes|no
    • require symbols yes|no
    • require some capital and lowercase yes|no
    • php password_hash allows a 'cost' param (manual) - allow user to select a value
  • of course Symfony has some security related features we should use where possible.
  • implement outsourced password meter
  • add password generator
  • add option to enable compromised password validator
@craigh craigh added this to the 1.4.3 milestone Apr 5, 2016
@craigh craigh modified the milestones: 1.4.3, 1.4.4 Jul 11, 2016
@Guite Guite modified the milestones: 1.4.4, 1.4.6 Oct 22, 2016
@Guite Guite modified the milestones: 1.4.6, 1.4.5 Nov 12, 2016
@craigh craigh mentioned this issue Dec 11, 2016
Merged
3 tasks
@Guite Guite modified the milestones: 1.4.5, 1.4.6, 1.4.7 Dec 23, 2016
@craigh

This comment has been minimized.

Sign in to view
@Guite

This comment has been minimized.

Sign in to view
@craigh craigh modified the milestones: 2.1.0, 1.5.0 Apr 1, 2017
@craigh craigh removed the Task label Apr 2, 2017
craigh added a commit that referenced this issue Jul 14, 2017
@craigh
#2842
ffd7ee7
craigh added a commit that referenced this issue Jul 14, 2017
@craigh
#2842
a655d05
craigh added a commit that referenced this issue Jul 14, 2017
@craigh
Todos (#3654)
81c8070 
* #3644

* #3644

* Use SchemaValidationHelper to accomplish all validation for an extension

* #3646

* convert todo to simple note

* remove todo

* #3647

* remove deprecated plugin type

* remove todo

* remove todo

* refs #3530

* #3648

* #3648

* don't restrict filenames in doc controller

* #3454

* rem todo

* inject translator

* restrict doc controller arg @Guite

* #3649

* send specific message about group membership

* send specific message about group membership

* ci

* translate validation error

* remove todo

* #3650

* #3651

* #3644

* #3652, #2915

* #2915

* #2842

* rem todo

* #2842

* #3653

* revert mistaken change
@craigh craigh mentioned this issue Jan 2, 2018
Closed
2 tasks
@Guite Guite modified the milestones: 2.1.0, 3.0.0 Nov 2, 2018
@Guite Guite modified the milestones: 3.0.0, 4.0.0 Mar 17, 2019
@craigh craigh modified the milestones: 4.0.0, 3.0.0 Jan 25, 2020
@craigh
Copy link
Member Author

craigh commented Jan 25, 2020

I have re-assigned this to milestone 3 because I feel it is very important to correct these issues for this release and not delay.

craigh added a commit that referenced this issue Feb 17, 2020
@craigh
update password handling to Symfony. refs #2842
fc158d5
@craigh craigh mentioned this issue Feb 17, 2020
Merged
@craigh

This comment has been minimized.

Sign in to view
@Guite

This comment has been minimized.

Sign in to view
@craigh craigh self-assigned this Feb 19, 2020
@craigh craigh closed this as completed in af88350 Feb 19, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@craigh craigh

Labels
Feature
Projects
None yet
Milestone
3.0.0
Development

No branches or pull requests
2 participants
@Guite @craigh