
Projects:Password Policy/Specs


Functional Requirements

Goal

The objective of this project is to improve Openbravo's password security by requiring users to choose good-quality passwords that satisfy a fixed policy.

The password policy will be applied in all screens where a user can change their password, that is:

However, no policy is applied in the User form view, so any password can be set from that screen.

Password policy

To consider a password secure, it must meet the following criteria:

Technical Requirements

Client-side vs Server-side

Currently both client-side and server-side validation are performed when changing passwords in Openbravo. Each has its own advantages and disadvantages.

Client-side validation offers immediate feedback to the user and prevents server requests with incorrect data, but if no server-side validation is implemented, a malicious user can bypass the client-side validation and save invalid data.

Implementing both validations may bring the best of both worlds at the cost of redundancy, since the validation rules would have to be implemented on both sides. For simplicity's sake, only server-side validation is done.

UX in POS Terminal

Some development was required in the POS Terminal login screen, since it only shows the error title but not the error message. This is inconvenient, especially when the login fails because of a weak password, as the user would get no information about the criteria the password must meet.

Figure: Pos-login-error-text.png (POS Terminal login screen showing the error text)

An error text was added, based on what is suggested in Issue 37838.

Retrieved from "http://wiki.openbravo.com/wiki/Projects:Password_Policy/Specs"

This page was last modified on 13 April 2018, at 09:09. Content is available under Creative Commons Attribution-ShareAlike 2.5 Spain License.