Enforce safe passwords/password policy

2 months 2 weeks ago - 2 months 2 weeks ago #199449 by tammo
Is there any way of enforcing safer passwords for survey administrators? As far as I can see, the user can change his password to a one-letter password.

I would like to have a minimal number of x characters and minimum of 1 lower case, 1 UPPER CASE and 1 special character.
And a notification to change the password at regular intervals.

I tried looking for this, but came up with nothing.

Using LS3, most recent version,

greetings,

Tammo


Tammo ter Hark at Respondage
For Limesurvey education and customized themes
respondage.nl
Last edit: 2 months 2 weeks ago by tammo. Reason: Typos
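
The policy requested in the post above (a minimum length, at least one lower-case, one upper-case and one special character, plus a reminder to change the password at regular intervals), sketched as a standalone Python check. This is an added example, not LimeSurvey code and not part of the original thread; the names `PasswordPolicy`, `policy_violations` and `rotation_status` and all thresholds (12 characters, 90 days, 14-day warning) are assumptions.

```python
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PasswordPolicy:
    # All thresholds are assumptions; the post leaves the length as "x".
    min_length: int = 12
    max_age: timedelta = timedelta(days=90)
    warn_before: timedelta = timedelta(days=14)


def policy_violations(password: str, policy: PasswordPolicy) -> list:
    """Return every rule the candidate breaks (empty list = accepted)."""
    # Normalize so visually identical input yields the same code points.
    pw = unicodedata.normalize("NFC", password)
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    # "Special" here means anything that is neither a letter nor a digit,
    # so a space inside a passphrase counts.
    if not any(not c.isalnum() for c in pw):
        problems.append("no special character")
    return problems


def rotation_status(last_changed: datetime, now: datetime,
                    policy: PasswordPolicy) -> str:
    """Classify password age as 'ok', 'warn' (notify the user) or 'expired'."""
    age = now - last_changed
    if age >= policy.max_age:
        return "expired"
    if age >= policy.max_age - policy.warn_before:
        return "warn"
    return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy()
    now = datetime(2020, 6, 1, tzinfo=timezone.utc)  # constructed date
    # Constructed sample passwords, not real credentials.
    for candidate in ["a", "correct horse Battery", "Tr0ub4dor&3"]:
        print(repr(candidate), policy_violations(candidate, policy))
    print(rotation_status(now - timedelta(days=80), now, policy))
```

Returning the full list of violations lets the password-change form tell the user everything that is wrong in one pass instead of rejecting the input one rule at a time.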

2 months 2 weeks ago #199450 by DenisChenu
Only in 4.X currently

Event was not added to 3.X

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development. I don't answer to private message.
The following user(s) said Thank You: tammo

2 months 2 weeks ago #199453 by tammo
You did not make a plugin for this? ;-)


2 months 2 weeks ago #199459 by DenisChenu
Nobody asked, and there is no real event in 3.X for this

2 months 2 weeks ago #199488 by holch
To be honest, I personally think that those restrictions generally lead to the most danger. Suddenly people cannot use the passwords they want and then they note them down, write them on a post-it next to their screen, etc. The more you try to force people to use cryptic passwords, the more dangerous it gets. I am talking about normal users, not IT people.

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.
The following user(s) said Thank You: DenisChenu

2 months 2 weeks ago #199497 by tammo
You could be right. This is probably true when people do not use a password manager.

Anyway, this is a "must have" for a customer. The IT department decided that. For me no use arguing.

Tammo


The following user(s) said Thank You: DenisChenu

2 months 2 weeks ago - 2 months 2 weeks ago #199500 by DenisChenu

holch wrote: To be honest, I personally think that those restrictions generally lead to the most danger.

Size and advice to use sentence maybe.

Without restrictions: users are sometimes so kind to bad people …

Last edit: 2 months 2 weeks ago by DenisChenu. Reason: remove hacker for bad people

2 months 2 weeks ago #199578 by holch

Anyway, this is a "must have" for a customer. The IT department decided that. For me no use arguing.


I know - Just saying.

The tougher the rules, the more "creative" users become in remembering passwords and then suddenly all the good intentions caused exactly the opposite.

And I have no solution for the dilemma.

2FA solutions (e.g. E-Mail with access code for every login).

This solves security problems, but users will hate it because it takes time and the codes do not always come as quickly as they are supposed to. Then you need to do something and can't log in and have to wait for the email to arrive.

Don't get me wrong, I am fully aware of the risks of easy to crack passwords, but current attempts often lead to rejection of users to the point that a tool becomes 'unusable' for them due to the restrictions.

Tricky but very interesting topic.

2 months 2 weeks ago #199584 by DenisChenu
There was a 2FA plugin at one time in the Store, but it seems deleted.
