1. Password policy enhancements
From OpenEMR Project Wiki
Owner of this task
ViCarePlus HealthCare IT Services & Support
6559, SpringPath Lane, San Jose, CA, USA
MeaningFul Use Requirements
SC 03.02 When passwords are used, the system shall support password strength rules that allow for minimum number of characters, and inclusion of alphanumeric complexity.
SC 03.09 When passwords are used, the system shall allow an authenticated user to change their password consistent with password strength rules (SC 03.02)
SC 03.10 When passwords are used, the system shall support case sensitive passwords that contain typeable alpha and numeric characters in support of ISO-646/ECMA-6 (aka US ASCII).
SC 03.12 When passwords are used, the system shall prevent the reuse of passwords previously used within a specific (configurable) timeframe (i.e., within the last X days, etc. - e.g. "last 180 days"), or shall prevent the reuse of a certain (configurable) number of the most recently used passwords (e.g. "last 5 passwords").
SC 06.02 When passwords are used, the system shall not display passwords while being entered.
(a) Password must be eight character length or more and must contain just 3 of the following 4 items:
- a lowercase letter - an uppercase letter - an integer - a special character
The password is validated by checking whether the password contains minimum of eight characters and must contains any of the three items from the following four items:
a lowercase letter an uppercase letter an integer a special character
If the entered password is invalid an alert message is displayed (“The password must be at least 8 characters, and should contain at least three of the four following items: - A number - A lowercase letter - An uppercase letter - A special character (not a letter or number). For example: healthCare@09”) If the password text box is empty an alert message displayed (“please enter the password’).
Set 1 to $GLOBALS['secure_password'] in globals.php to enable(0 to disable) strong password feature in openemr.
User Addition and Modification
Password change place
(b) Passwords need to be changed on a regular basis (every 6 weeks to 3 months) and the grace login period must be given for another 30 days to reset the password.
While adding new users in “User Administration”, the value for “Password Expiration Duration” is also obtained (default value is 180). ‘Password Expiration Date’ is then calculated (current date + Password Expiration Duration). The above items are taken care in while editing the User details in “User Administration” and in the “Password Change” page also.
After successful login by user, the ‘Password Expiration Date’ is compared with the current date. if the user logins, prior to <7 days of ‘Password Expiration Date, the warning message “Welcome <<UserName>>, Your Password Expires on <<YYYY-MM-DD>>. Please change your password” is displayed.
If the current date is equal to password expiration date then “Welcome <<UserName>>, Your Password expires today. Please change your password” message is displayed.
If the user doesn’t change his/her password with in the password expiration period, the user got the grace login period of about 30 days. During the grace login period the warning message, “Welcome <<UserName>>, You are in Grace Login period. Please change your password before <<YYYY-DDMM>>”.
If the “Password Expiration Date” is date empty or default value of “0000-00-00”. The warning message “Welcome <<UserName>>, Your Password Expired. Please change your password” is displayed.
If the user does not change his/her password during the Grace Login period, their user account is locked and the user will not be able to login and user account is moved to ‘Inactive’ state.
Later, the admin can activate his/her account by moving the “‘InActive’” state to “Active” and change the user password in “User Administration” page .
All above warning messages are displayed in new page. This new page is loaded only once at the top frame (instead of calendar) after a successful login by user.
Set the default $GLOBALS['password_expiration_days'] period, in days. if it is 0 this feature is disabled. The administrator can override this value when editing a user. Set the $GLOBALS['password_grace_time'] period in days, only when $GLOBALS['password_expiration_days'] is set to some values(like 180 days).
(c) The system should log the last three passwords and prevent reuse:
When user password is changed in “User Administration” or “Password Change” pages, entered password is compared with last three passwords of same user.
If the entered password is any of the last three passwords user is alerted with “Recent three passwords are not allowed.”
Set $GLOBALS['password_history'] = 1 to enable(0 to disable) password history feature in openemr.
Database Fields Introduced
Following fields are introduced in “users” table Password Expiration Duration => pwd_exp_duration Password Expiration Date => pwd_expiration_date Password History 1 => pwd_history1 Password History 2 => pwd_history2
2. Functionality Test Case Document - http://www.openmedsoftware.org/wiki/File:PassStrengthTC.pdf
3. Test Case Report - http://www.openmedsoftware.org/mw/images/3/34/PasswordStrengthening_TCReport_Updated.tar
Completed by ViCarePlus Team, Visolve.
Checkin status - Committed to the Sourceforge CVS
Associated with SF forum: http://sourceforge.net/projects/openemr/forums/forum/202506/topic/3542453