
Password strength?

natguyton
Champ in-the-making
I am currently evaluating Community Edition 3.2 and need to find out how to enforce a certain level of password strength when a user changes their password. I.e., how to enforce a minimum length, certain number of special characters, alphanumerics, etc. I haven't found mention of this in the wikis or forum searches. If we are to roll out Alfresco, we need it to pass certain security audit sweeps.

Many thanks for your help!
3 REPLIES

norgan
Champ in-the-making
Hi,
there is no config setting for this. Either get the source code and insert your own checking routine, or integrate Alfresco with an LDAP you have and do the password management elsewhere.

That would also help reduce the security audit load, since you have only one system in which to maintain the password management within your whole corp.

Norgan

natguyton
Champ in-the-making
Thanks, Norgan.

natguyton
Champ in-the-making
I found that I can indeed enforce (well, that's relative, this may be in client-side JavaScript rather than server-side validation) minimum length on passwords this way:

Changing minPasswordLength: "3" to something like 7 in the following files:

tomcat/webapps/share/components/console/users.js
tomcat/webapps/share/components/console/users-min.js
tomcat/webapps/share/components/profile/changepassword-min.js
tomcat/webapps/share/components/profile/changepassword.js

and also changing password-min-length from 3 to 7 in the following:

tomcat/webapps/share/WEB-INF/classes/alfresco/web-framework-config-application.xml
tomcat/webapps/alfresco/WEB-INF/classes/alfresco/web-client-config.xml
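
The change above has to be made identically in six files, including minified copies that are easy to miss. The script below is an added example (not part of the original posts and not Alfresco's own tooling) that audits those six paths for the configured minimum. It takes the `minPasswordLength: "3"` form from the post and assumes the XML setting is written as a `<password-min-length>` element.

```shell
#!/bin/sh
# Added example: audits the six files named in the post for the configured
# minimum password length. Run as: sh audit.sh tomcat/webapps 7

# Paths relative to the webapps directory, as listed in the post.
JS_FILES="share/components/console/users.js
share/components/console/users-min.js
share/components/profile/changepassword-min.js
share/components/profile/changepassword.js"
XML_FILES="share/WEB-INF/classes/alfresco/web-framework-config-application.xml
alfresco/WEB-INF/classes/alfresco/web-client-config.xml"

# Assumed syntax: minPasswordLength: "3" in JS (from the post, quotes optional)
# and <password-min-length>3</password-min-length> in XML (assumption).
JS_PAT='minPasswordLength[[:space:]]*:[[:space:]]*"\{0,1\}[0-9][0-9]*'
XML_PAT='<password-min-length>[[:space:]]*[0-9][0-9]*'

# check_file PATTERN FILE REQUIRED: print a status line, return 1 on any problem.
check_file() {
    if [ ! -f "$2" ]; then
        echo "MISSING  $2"; return 1
    fi
    # First match only; minified files keep everything on one line.
    value=$(grep -o "$1" "$2" | head -n 1 | grep -o '[0-9][0-9]*$' || true)
    if [ -z "$value" ]; then
        echo "NOKEY    $2"; return 1
    fi
    if [ "$value" -lt "$3" ]; then
        echo "WEAK($value)  $2"; return 1
    fi
    echo "OK($value)    $2"
}

# audit_min_length WEBAPPS_DIR REQUIRED: check all six files, return 1 if any fails.
audit_min_length() {
    failed=0
    for f in $JS_FILES; do
        check_file "$JS_PAT" "$1/$f" "$2" || failed=1
    done
    for f in $XML_FILES; do
        check_file "$XML_PAT" "$1/$f" "$2" || failed=1
    done
    return $failed
}

if [ "$#" -eq 2 ]; then
    audit_min_length "$1" "$2"
fi
```

A passing result only shows that the six files agree on the configured value; it does not settle whether the check runs server-side, which the post leaves open.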