Projects:Password Policy/Specs
Functional Requirements
Goal
The objective of this project is to improve Openbravo's password security by enforcing a fixed policy that requires users to choose good-quality passwords.
The password policy is applied on every screen where a user can change their password, that is:
- ERP Login page, when the user's password is marked as expired.
- ERP Profile page, Change password tab.
- POS Login page, when the user's password is marked as expired.
However, no policy is applied in the User form view, so any password can be set there.
Password policy
To consider a password as secure, it must meet the following criteria:
- It must be at least 8 characters long
- It must contain at least three of the following:
  - Uppercase letters
  - Lowercase letters
  - Digits
  - Special characters, which may be one of the following: `~!@#$%€^&*()_-+={}[]|:;"' <>,.?/\].*
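As an added example (not Openbravo's own code), the following function implements the criteria listed above and reports which criteria failed, so a caller can show the user the rule that was not met rather than a bare error title. The function name, the return shape and the message wording are assumptions; the special-character set is copied from the list above (including the space that appears in it), and the upper/lowercase classes are taken to mean Unicode letter categories.

```javascript
// Added example, not Openbravo code: a validator for the password policy in this spec.
// Function name, message text and return shape are assumptions.
const MIN_LENGTH = 8;
const MIN_CLASSES = 3;
// Special characters exactly as listed in the policy above (the list contains a space).
const SPECIAL_CHARS = "`~!@#$%€^&*()_-+={}[]|:;\"' <>,.?/\\";

// The four character classes; a password must contain at least MIN_CLASSES of them.
// Letter classes use Unicode categories (assumption: the spec does not say ASCII-only).
const CHARACTER_CLASSES = [
  { name: "uppercase letters", test: (ch) => /\p{Lu}/u.test(ch) },
  { name: "lowercase letters", test: (ch) => /\p{Ll}/u.test(ch) },
  { name: "digits", test: (ch) => /[0-9]/.test(ch) },
  { name: "special characters", test: (ch) => SPECIAL_CHARS.includes(ch) },
];

// Returns { valid, errors, classes }: `errors` lists every criterion that failed,
// `classes` the names of the character classes actually present.
function checkPasswordPolicy(password) {
  const errors = [];
  // Iterate by code point so a multi-byte character such as € counts once.
  const chars = [...(password == null ? "" : String(password))];

  if (chars.length < MIN_LENGTH) {
    errors.push(`must be at least ${MIN_LENGTH} characters long`);
  }

  const classes = CHARACTER_CLASSES
    .filter((cls) => chars.some(cls.test))
    .map((cls) => cls.name);

  if (classes.length < MIN_CLASSES) {
    const missing = CHARACTER_CLASSES
      .map((cls) => cls.name)
      .filter((name) => !classes.includes(name));
    errors.push(
      `must contain at least ${MIN_CLASSES} of: ` +
        `${CHARACTER_CLASSES.map((cls) => cls.name).join(", ")} ` +
        `(missing: ${missing.join(", ")})`
    );
  }

  return { valid: errors.length === 0, errors, classes };
}

// Characters that belong to no class (for example accented letters outside
// the categories above) count toward the length but toward no class; the
// policy as written does not reject them.
```

Because the check is pure and has no UI dependency, the same function can run on the server (where the spec says validation actually happens) and, if client-side feedback is later wanted, be reused in the browser without duplicating the rules.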
Technical Requirements
Client-side vs Server-side
Currently both client-side and server-side validation are performed when changing passwords in Openbravo. Each has its own advantages and disadvantages.
Client-side validation offers immediate feedback to the user and prevents server requests with incorrect data, but if no server-side validation is implemented, a malicious user can bypass the client-side validation and save invalid data.
Implementing both validations may bring the best of both worlds at the cost of redundancy, as the validation rules would have to be implemented on both sides. For simplicity's sake only server-side validation is done.
UX in POS Terminal
Some development was required in the POS Terminal Login screen, since it only showed the error title but not the message. This is inconvenient, especially when the change fails because of a weak password, as the user is shown no information about the criteria being applied.
An error text was added based on what is suggested in Issue 37838.