Password Requirements
Password Restriction Configuration
N2FE has the ability to configure rules regarding ACS, SMS and Service Number passwords. When passwords are set through N2FE these rules are adhered to by the system, ensuring that users can choose only secure passwords for their accounts.
Note that the OCNCC system will not honor these requirements.
Available Rules
The rules that may be set include a combination of the following:
- The password may require a minimum length.
- The password may require a maximum length.
- The password may require at least one uppercase letter (i.e. A, B, ... Z).
- The password may require at least one lowercase letter (i.e. a, b, ... z).
- The password may require at least one numeric digit (i.e. 0, 1, 2, ... 9).
- The password may require at least one special character, i.e. a character that is not an uppercase letter, a lowercase letter, or a numeric digit.
- The password may require no more than a certain number of consecutive characters of the same type. E.g. if the maximum number of consecutive characters of the same type is set to 2, then "aab" is not allowed, as this is three lowercase letters in a row.
Configuration
Within the habitat, the section password_requirements must be configured to build a set of rules for SMS, ACS and Service Number passwords. The section in the configuration has the following structure:
```
"password_requirements" : {
    "SMS" : {
        // rules
    },
    "SN" : {
        // rules
    },
    "ACS" : {
        // rules
    }
}
```
In each subsection, // rules is to be replaced with the following options:
| Rule Name | Description |
|---|---|
| minimum_length | The minimum length of password to be accepted. This should be set to at least 1. |
| maximum_length | The maximum length of password to be accepted. Note that SMS and ACS passwords have a fixed database length of 50 characters, while Service Numbers must have a password of 16 characters or less. |
| maximum_consecutive_characters | The maximum number of consecutive characters of a single type, where the character types are uppercase letters, lowercase letters, numeric digits and special characters. |
| required_uppercase_character | Whether passwords require an uppercase letter or not. |
| required_lowercase_character | Whether passwords require a lowercase letter or not. |
| required_numeric_character | Whether passwords require a numeric digit or not. |
| required_special_character | Whether passwords require a special character or not. |
The following is an example configuration for setting password requirements. Each field is required in n2fe.xml.

```json
"password_requirements": {
    "SMS": {
        "minimum_length": 6,
        "maximum_length": 50,
        "maximum_consecutive_characters": 0,
        "required_uppercase_character": true,
        "required_lowercase_character": true,
        "required_numeric_character": true,
        "required_special_character": false
    },
    "SN": {
        "minimum_length": 4,
        "maximum_length": 16,
        "maximum_consecutive_characters": 0,
        "required_uppercase_character": false,
        "required_lowercase_character": false,
        "required_numeric_character": true
    },
    "ACS": {
        "minimum_length": 6,
        "maximum_length": 50,
        "maximum_consecutive_characters": 0,
        "required_uppercase_character": true,
        "required_lowercase_character": true,
        "required_numeric_character": true,
        "required_special_character": false
    }
}
```
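The following is an added Python example (not N2FE's own code) that shows how the rules in the table above combine to accept or reject a candidate password, and how a configuration section can be sanity-checked against the database limits the table states (50 characters for SMS and ACS, 16 for Service Numbers). The rule names are the documented ones; the sample rule values, the message strings and the `check_password` / `check_rules` helpers are constructed for illustration. It assumes that a `maximum_consecutive_characters` of 0, as used in the example configuration, means no limit on consecutive characters of one type.

```python
from typing import Dict, List, Optional

# Constructed sample rule sets, using the rule names documented above.
SAMPLE_RULES = {
    "SMS": {
        "minimum_length": 6,
        "maximum_length": 50,
        "maximum_consecutive_characters": 0,
        "required_uppercase_character": True,
        "required_lowercase_character": True,
        "required_numeric_character": True,
        "required_special_character": False,
    },
    "SN": {
        "minimum_length": 4,
        "maximum_length": 16,
        "maximum_consecutive_characters": 2,
        "required_uppercase_character": False,
        "required_lowercase_character": False,
        "required_numeric_character": True,
    },
}

# Maximum password lengths the backing database accepts, as stated in the table.
DATABASE_LIMITS = {"SMS": 50, "ACS": 50, "SN": 16}

REQUIRED_RULES = (
    ("required_uppercase_character", "uppercase"),
    ("required_lowercase_character", "lowercase"),
    ("required_numeric_character", "numeric"),
    ("required_special_character", "special"),
)


def char_type(c: str) -> str:
    """Classify one character into the four types the rules distinguish."""
    if "A" <= c <= "Z":
        return "uppercase"
    if "a" <= c <= "z":
        return "lowercase"
    if "0" <= c <= "9":
        return "numeric"
    return "special"  # anything that is not an ASCII letter or digit


def longest_run_of_same_type(password: str) -> int:
    """Length of the longest run of consecutive characters sharing one type."""
    longest = run = 0
    prev: Optional[str] = None
    for c in password:
        t = char_type(c)
        run = run + 1 if t == prev else 1
        prev = t
        longest = max(longest, run)
    return longest


def check_password(password: str, rules: Dict) -> List[str]:
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems: List[str] = []
    min_len = rules.get("minimum_length", 1)
    max_len = rules.get("maximum_length")
    if len(password) < min_len:
        problems.append(f"shorter than minimum length {min_len}")
    if max_len is not None and len(password) > max_len:
        problems.append(f"longer than maximum length {max_len}")
    # Assumption: 0 disables the consecutive-character limit (the page's example uses 0).
    max_run = rules.get("maximum_consecutive_characters", 0)
    if max_run > 0 and longest_run_of_same_type(password) > max_run:
        problems.append(f"more than {max_run} consecutive characters of the same type")
    present = {char_type(c) for c in password}
    for rule, kind in REQUIRED_RULES:
        if rules.get(rule, False) and kind not in present:
            problems.append(f"missing {kind} character")
    return problems


def check_rules(section: str, rules: Dict) -> List[str]:
    """Flag rule values that the table says are invalid for a given section."""
    warnings: List[str] = []
    if rules.get("minimum_length", 0) < 1:
        warnings.append("minimum_length should be at least 1")
    limit = DATABASE_LIMITS.get(section)
    if limit is not None and rules.get("maximum_length", 0) > limit:
        warnings.append(f"maximum_length exceeds the {limit}-character limit for {section}")
    return warnings


if __name__ == "__main__":
    for pw in ("Abc123", "abc123", "aab1"):
        print(pw, check_password(pw, SAMPLE_RULES["SMS"]), check_password(pw, SAMPLE_RULES["SN"]))
    print(check_rules("SN", {"minimum_length": 4, "maximum_length": 20}))
```

Running the script shows that `aab1` passes the SMS length-independent checks only on type coverage (it is too short for SMS) and is rejected for SN because `aab` is three lowercase characters in a row when the sample SN limit is 2.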
Enforcing ACS User Password Encryption
ACS by default stores ACS user passwords in the acs_user table unencrypted.

To enable ACS user password encryption, configure the N2FE Jarvis login parameter encrypt_acs_user_passwords to be 1, rather than 0:
```xml
<jarvis>
    <app>
        <login module="LoginSMF">
            <!-- many other options exist ... -->
            <parameter name="encrypt_acs_user_passwords" value="1"/>
        </login>
    </app>
</jarvis>
```
When enabling encrypted ACS user passwords, it is crucial to run the following SQL against the SMF database first:

```sql
alter trigger smf.ACS_USER_ABT disable;
alter trigger smf.ACS_USER_AAT disable;
alter table acs_admin.acs_user modify password char(66 char);
alter trigger smf.ACS_USER_AAT enable;
alter trigger smf.ACS_USER_ABT enable;
alter package acs_admin.acs compile;
alter package acs_admin.acs compile body;
```
The default size of the acs_user.password column is 50 characters, which is insufficient to store the N2FE-encrypted passwords. Encrypted password data is exactly 66 characters in length.

NOTE: If encrypted ACS user passwords are enabled, ACS users will not be able to log in via the standard NCC ACS user screens. The ACS user screens compare passwords in an unencrypted form only. However, each ACS user is considered independently, so it is possible to run two sets of users in parallel if required for testing and migration purposes.
ACS users will have their password updated on first login to N2FE. After logging in to N2FE for the first time, their password will be encrypted.
Any ACS user created via N2FE will have their password automatically encrypted; however, any ACS user created via the NCC User Screens will have their password stored unencrypted. If a user's password is updated via the NCC user screens, the password will also be stored unencrypted (until such time as that ACS user logs in to N2FE).