ЕСОЗ - публічна документація

Password Policy


Purpose

To protect the system from fraud and to strengthen the security policy, the password policy must be improved.

Functional requirement

1. Complexity Validation

Validate the complexity of the user's password:

  • is at least 12 characters long;
  • contains both upper- and lowercase letters and digits (required); special characters are optional.

Must be controlled by regular expression: ^(?=.*[a-zа-яёїієґ])(?=.*[A-ZА-ЯЁЇІЄҐ])(?=.*\d).{12,}$


  1. Validate that the password contains uppercase and lowercase letters and digits

In case of error, return a 422 error (message: "Password does not meet complexity requirements")

{:error, [{%{
    description: "Password does not meet complexity requirements",
    params: [],
    rule: :invalid
  }, "$.password"}]}

  2. Validate password length (at least 12 characters long)

In case of error, return a 422 error (message: "Password must be at least 12 characters long")

{:error, [{%{
    description: "Password must be at least 12 characters long",
    params: [],
    rule: :invalid
  }, "$.password"}]}

  • Set password_set_at = now() in mithril.users
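As an added example (not code from the mithril project or this documentation), the two checks from this section in Python. It evaluates the letter-case/digit rule and the length rule separately so each failure produces its own 422 message, in the order the policy lists them, and keeps the policy regex (with the minimum length written as `.{12,}$`) as a single combined check. The error shape is a Python tuple mirroring the `{%{description, params, rule}, "$.password"}` structure; returning all failing rules at once is an assumption, as is the `status` field in `password_response`.

```python
import re

# Policy regex: a lower- and an uppercase letter (Latin or Cyrillic), a digit,
# and at least 12 characters in total.
POLICY_RE = re.compile(r"^(?=.*[a-zа-яёїієґ])(?=.*[A-ZА-ЯЁЇІЄҐ])(?=.*\d).{12,}$")

# The same character classes split out so each rule can report its own message.
HAS_LOWER = re.compile(r"[a-zа-яёїієґ]")
HAS_UPPER = re.compile(r"[A-ZА-ЯЁЇІЄҐ]")
HAS_DIGIT = re.compile(r"\d")
MIN_LENGTH = 12


def _error(description):
    # Mirrors {%{description: ..., params: [], rule: :invalid}, "$.password"}
    return ({"description": description, "params": [], "rule": "invalid"}, "$.password")


def validate_password(password):
    """Return [] when the password is acceptable, otherwise the failing rules
    in the order the policy checks them: complexity first, then length."""
    errors = []
    if not (HAS_LOWER.search(password) and HAS_UPPER.search(password)
            and HAS_DIGIT.search(password)):
        errors.append(_error("Password does not meet complexity requirements"))
    if len(password) < MIN_LENGTH:
        errors.append(_error("Password must be at least 12 characters long"))
    return errors


def matches_policy_regex(password):
    """Single-regex form of the same rules, as the policy states it."""
    return POLICY_RE.fullmatch(password) is not None


def password_response(password):
    """Assumed HTTP-level outcome: 422 with the error list, or 200."""
    errors = validate_password(password)
    if errors:
        return {"status": 422, "error": errors}
    return {"status": 200}


if __name__ == "__main__":
    # Constructed sample inputs, including a Cyrillic-script password
    for candidate in ["Abcdefghij12", "Пароль123456", "abcdefghijk1", "Ab1", "password"]:
        print(repr(candidate), password_response(candidate))
```

Note that the split checks and the single regex agree on every input; the split form only exists to select the right message.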

2. Save password history

When $.decrypted_hash <> mithril.users.password (the user has set a new password), add a row to mithril.user_passwords_history:

Destination    Source              Description
id                                 Autogenerated
user_id        $.user_id           Extract user from token
password       $.decrypted_hash
inserted_at    Timestamp: now()    Get current date-time

3. Do not allow reuse of recently used passwords

When a new password is set, compare it with the 3 previous passwords (the decrypted_hash values saved in mithril.user_passwords_history).

  • If $.decrypted_hash = mithril.user_passwords_history.password, return a 422 error (message: "This password has been used recently. Try another one")
{:error, [{%{
    description: "This password has been used recently. Try another one",
    params: [],
    rule: :invalid
  }, "$.password"}]}
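An added example (not the mithril project's code) of sections 2 and 3 together: an in-memory stand-in for mithril.users and mithril.user_passwords_history, a reuse check against the last 3 history rows ordered by inserted_at, and the rule that a history row is written only when the new value differs from the current one. The value is stored as the opaque string the policy calls decrypted_hash; the `PasswordStore`, `at_day` and `HISTORY_DEPTH` names are assumptions, and a real deployment would keep a salted slow hash (bcrypt/argon2) in the history table and compare via its verify function rather than by string equality.

```python
import itertools
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

HISTORY_DEPTH = 3  # number of previous passwords compared, per the policy


@dataclass
class User:
    id: int
    password: str                      # what the policy calls decrypted_hash
    password_set_at: Optional[datetime] = None


@dataclass
class HistoryRow:                      # one row of mithril.user_passwords_history
    id: int
    user_id: int
    password: str
    inserted_at: datetime


def at_day(day):
    """Constructed timestamp helper for the demo (January 2024, UTC)."""
    return datetime(2024, 1, day, tzinfo=timezone.utc)


class PasswordStore:
    """In-memory stand-in for mithril.users and mithril.user_passwords_history."""

    def __init__(self):
        self.users = {}
        self.history = []
        self._ids = itertools.count(1)  # stands in for the autogenerated id

    def add_user(self, user):
        self.users[user.id] = user

    def recent_passwords(self, user_id):
        """The last HISTORY_DEPTH passwords of the user, oldest first."""
        rows = sorted((r for r in self.history if r.user_id == user_id),
                      key=lambda r: r.inserted_at)
        return [r.password for r in rows[-HISTORY_DEPTH:]]

    def set_password(self, user_id, decrypted_hash, now=None):
        now = now or datetime.now(timezone.utc)
        user = self.users[user_id]
        # Section 3: reject a password that matches one of the 3 previous ones
        if decrypted_hash in self.recent_passwords(user_id):
            return {"status": 422, "error": [(
                {"description": "This password has been used recently. Try another one",
                 "params": [], "rule": "invalid"}, "$.password")]}
        # Section 2: only a genuinely new password gets a history row
        if decrypted_hash != user.password:
            self.history.append(HistoryRow(next(self._ids), user_id, decrypted_hash, now))
        user.password = decrypted_hash
        user.password_set_at = now    # section 1: password_set_at = now()
        return {"status": 200}


if __name__ == "__main__":
    store = PasswordStore()
    store.add_user(User(1, "Pw-initial-0000"))
    for day, pw in enumerate(["Pw-second-1111", "Pw-third-22222",
                              "Pw-fourth-3333", "Pw-second-1111"], start=1):
        print(pw, store.set_password(1, pw, at_day(day))["status"])
```

The fourth attempt in the demo is rejected because "Pw-second-1111" is still within the 3-row window; after one more distinct password it drops out of the window and would be accepted again, which is exactly the behaviour the 3-password rule specifies.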

4. Expire Passwords

Once a day fetch all records from mithril.users where now() >= mithril.users.password_set_at + config.password_lifetime

  • set expires_at = now() for all tokens where tokens.user_id = $user.id (--and tokens.name = 'refresh_token')

Do not return an access_token in the response from {{host}}/oauth/tokens until the password has been changed. Return a 401 error with the message "The password expired".
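An added example (not the project's code) of the expiry step: the daily job that selects users whose password_set_at plus the configured lifetime has elapsed and sets expires_at = now() on their tokens, and the token endpoint returning 401 "The password expired" without an access_token for such a user. The 90-day `PASSWORD_LIFETIME`, the `utc` helper and the dataclass field names are assumptions; the job expires all of the user's tokens, since the policy leaves the refresh_token-only restriction commented out.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PASSWORD_LIFETIME = timedelta(days=90)  # assumed value of config.password_lifetime


@dataclass
class User:                            # subset of mithril.users
    id: int
    password_set_at: datetime


@dataclass
class Token:                           # subset of the tokens table
    user_id: int
    name: str                          # "access_token" or "refresh_token"
    expires_at: datetime


def utc(year, month, day):
    """Constructed timestamp helper for the demo."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def password_expired(user, lifetime, now):
    """now() >= password_set_at + config.password_lifetime (boundary counts as expired)."""
    return now >= user.password_set_at + lifetime


def expire_passwords(users, tokens, lifetime, now):
    """Daily job: set expires_at = now() on every token of every user whose
    password lifetime has elapsed. Returns the affected user ids, sorted."""
    expired_ids = {u.id for u in users if password_expired(u, lifetime, now)}
    for token in tokens:
        if token.user_id in expired_ids:
            token.expires_at = now
    return sorted(expired_ids)


def issue_tokens(user, lifetime, now):
    """Handler for {{host}}/oauth/tokens: while the password is expired the
    response carries only the 401 error and no access_token."""
    if password_expired(user, lifetime, now):
        return {"status": 401, "error": {"message": "The password expired"}}
    return {"status": 200, "access_token": secrets.token_urlsafe(32)}


if __name__ == "__main__":
    now = utc(2024, 6, 1)
    users = [User(1, utc(2024, 1, 1)), User(2, utc(2024, 5, 1)), User(3, utc(2024, 3, 3))]
    tokens = [Token(1, "access_token", utc(2024, 12, 31)),
              Token(1, "refresh_token", utc(2024, 12, 31)),
              Token(2, "refresh_token", utc(2024, 12, 31))]
    print("expired users:", expire_passwords(users, tokens, PASSWORD_LIFETIME, now))
    for u in users:
        print(u.id, issue_tokens(u, PASSWORD_LIFETIME, now)["status"])
```

User 3 in the demo set the password exactly 90 days before `now`, which shows that the `>=` in the policy condition expires a password on the boundary day itself.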
