topic Re: Password strength? in Alfresco Archive

Password strength?

natguyton — Tue, 25 Aug 2009 14:34:44 GMT

I am currently evaluating Community Edition 3.2 and need to find out how to enforce a certain level of password strength when a user changes their password. Ie, how to enforce a minimum length, certain number of special characters, alphanumerics, etc. I haven't found mention of this in the wikis

Re: Password strength?

norgan — Tue, 25 Aug 2009 15:30:57 GMT

Hi,
there is no config-setting for this. Either get the source code and insert your own checking routine, or integrate alfresco to an LDAP you have and make the password management elsewhere.

That would also help reducing the security audit load since you have one system only to maintain the password management with in your whole corp.

Norgan

Re: Password strength?

natguyton — Tue, 25 Aug 2009 16:11:06 GMT

Thanks, Norgan.

Re: Password strength?

natguyton — Thu, 29 Oct 2009 18:49:34 GMT

I found that I can indeed enforce (well, that's relative, this may be in client-side javascript rather than server-side validation) minimum length on passwords this way:

Changing minPasswordLength: "3" to something like 7 in the following files:

tomcat/webapps/share/components/console/users.js
tomcat/webapps/share/components/console/users-min.js
tomcat/webapps/share/components/profile/changepassword-min.js
tomcat/webapps/share/components/profile/changepassword.js

and also changing password-min-length from 3 to 7 in the following:

tomcat/webapps/share/WEB-INF/classes/alfresco/web-framework-config-application.xml
tomcat/webapps/alfresco/WEB-INF/classes/alfresco/web-client-config.xml