Implementing warning to encourage user to change their password before it is expired


Nicolas Micoud

Apr 23, 2018, 10:52:05 AM
to iDempiere
Hi,

I'm studying some security measures in order to activate them.
One of them is USER_LOCKING_MAX_PASSWORD_AGE_DAY, meaning users will have to change their passwords regularly.

AFAIU, a standard user cannot know when his password will expire (it is not easy for him to add days to AD_User.DatePasswordChanged, as he probably doesn't have access to that window).

My idea is to define a period before the password is expired (Sysconfig, client level).

When the user logs in during that period (for instance 7 days before expiration), a popup (broadcast message) will display a warning: "Hey, your password will expire in 7 days, we encourage you to change it now!"
The popup would be shown only at the first login of the day.
So, if he doesn't feel comfortable, he could call an administrator to help him BEFORE it's too late.


Another improvement could be a period of time where the password is expired but the user can still log in.
That was suggested by a customer, but I don't think this is a good idea.


WDYT ?

Thanks,

Nicolas

Mauricio Cruz

Apr 23, 2018, 12:08:00 PM
to iDempiere
Gentlemen, good afternoon!
My name is Mauricio Cruz.
I am looking for partners for the installation, implementation and customization of iDempiere ERP as a SaaS system.
55 31 3271-3161 (office)
55 31 993726684 (mobile)
renovacao75 (skype)

Carlos Antonio Ruiz Gomez

Apr 23, 2018, 2:26:35 PM
to idem...@googlegroups.com
Just an idea, but it sounds easy to implement what you propose in several ways:

- automatically create a broadcast message to the user when the conditions are met
and/or
- create a dashboard panel to show user expiration hints


> Another improvement could be a period of time where the password is expired but the user can still log in.
> That was suggested by a customer, but I don't think this is a good idea.

Seems redundant - name it notification if before expiration - and grace period if after expiration.

Regards,

Carlos Ruiz

Nicolas Micoud

Apr 24, 2018, 5:24:21 AM
to iDempiere
I would prefer to use a broadcast message, as a dashboard panel can be hidden by the user.
It's harder not to see a broadcast message.

For the 'after expiration' part, the idea would be to make some changes in Login.getClients.
If the password is expired, we have to check if a grace expiration period exists.
If yes, 2 options:
 - User.DatePasswordChange + GraceExpirationDays >= Sysdate -> the user can still log in and he will get a broadcast message "hey, your password has been expired for 2 days, you won't be able to log in in 5 days" (isPasswordExpired will be forced to false).
 - User.DatePasswordChange + GraceExpirationDays < Sysdate -> the user cannot log in (current behaviour)


Do you think 'before' and/or 'after' can be done in trunk?


Nicolas

Carlos Antonio Ruiz Gomez

Apr 24, 2018, 5:48:04 AM
to idem...@googlegroups.com
Hi Nicolas,

Well, rereading this I think both options look very similar, let's call them NotifyBefore and GracePeriod.

I would think NotifyBefore is linked to a broadcast message, while GracePeriod sounds more linked to a login message.

As I think the idea of password expiration is to encourage the user to change the password (and indeed not just encourage, but force him/her), an option to hide the message is maybe not good, and maybe the more annoying the message, the more the user is prone to change it quickly, so showing the message on each login sounds like the better option. (Just an opinion from a non-expert here, I could be wrong.)

If that's the case I would think something like a SysConfig USER_LOCKING_MAX_PASSWORD_NOTIFY_DAY
and a translatable message saying "Your password will expire in %0 days"
I would vote for the message to be shown on each login.

Regards,

Carlos Ruiz

Nicolas Micoud

Apr 24, 2018, 6:17:54 AM
to iDempiere
Yep, the NotifyBefore should be enough.
Admins can set it to maybe 30 days, so users will have time to change it.
Thus, the GracePeriod won't be needed.

I will try to create a patch; the idea would be to add some lines at the end of RolePanel.validateLogin.
If the user is in the 'NotifyBefore' period, I can display a FDialog.warn("Your password will expire in %0 days").

Does it sound ok?

Nicolas

Carlos Antonio Ruiz Gomez

Apr 24, 2018, 6:54:18 AM
to idem...@googlegroups.com
Yes, it sounds fine.

Nicolas Micoud

Apr 24, 2018, 8:42:28 AM
to iDempiere
Here's the code I wrote:

    // Requires: java.sql.Timestamp, org.compiere.model.MSysConfig, org.compiere.model.MUser,
    // org.compiere.util.Env, org.compiere.util.Msg, org.compiere.util.TimeUtil,
    // org.adempiere.webui.window.FDialog
    int notifyDay = MSysConfig.getIntValue(MSysConfig.USER_LOCKING_MAX_PASSWORD_NOTIFY_DAY, 0);
    int pwdAgeDay = MSysConfig.getIntValue(MSysConfig.USER_LOCKING_MAX_PASSWORD_AGE_DAY, 0);

    // Only act when both the expiry policy and the notification window are enabled
    if (notifyDay > 0 && pwdAgeDay > 0) {
        int userID = Env.getAD_User_ID(Env.getCtx());
        Timestamp changed = MUser.get(Env.getCtx(), userID).getDatePasswordChanged();

        if (changed != null) {  // no recorded change date: nothing to count from
            // Day the password expires, and the first day of the warning window
            Timestamp limit = TimeUtil.addDays(changed, pwdAgeDay);
            Timestamp notifyAfter = TimeUtil.addDays(limit, -notifyDay);
            Timestamp now = TimeUtil.getDay(null);  // today at midnight

            if (now.after(notifyAfter)) {
                int nbDays = TimeUtil.getDaysBetween(now, limit);
                FDialog.warn(0, null, "", Msg.getMsg(Env.getCtx(), "YourPasswordWillExpireInDays", new Object[] {nbDays}));
            }
        }
    }

I tried to use it in DefaultDesktop, RolePanel, AdempiereWebUI, and in all cases the popup is shown, but when clicking the "OK" button, the system just hangs.

Another option would be to use broadcast messages, but I see 2 negative points:
 - ATM, we can't just use a BM with a simple text (we have to pass an AD_Message_ID)
 - Not sure keeping a trace of all BMs in the database is useful

So, is there a good practice I could follow to display a popup right after the user has logged in?

Thanks,
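The date arithmetic behind the two designs discussed in this thread (the NotifyBefore window from the code just posted, and the GracePeriod sketched earlier for Login.getClients) as one stand-alone class. This is an added example, not iDempiere code and not the patch from the thread: PasswordAgePolicy, State, Decision and the graceDays parameter are names assumed here, java.time.LocalDate stands in for AD_User.DatePasswordChanged and TimeUtil so it runs without the platform, and the sample dates are constructed.

```java
import java.time.LocalDate;
import java.time.temporal.ChronoUnit;

/**
 * Password-age policy at whole-day granularity (example code, not iDempiere's):
 * - notifyDays: warn when expiry is this many days away or fewer (NotifyBefore)
 * - graceDays:  allow login for this many days after expiry (GracePeriod), 0 = off,
 *               which is what the thread settled on
 * Working in LocalDate rather than Timestamp avoids the time-of-day dependence that
 * creeps in when the stored change timestamp keeps its clock part.
 */
public class PasswordAgePolicy {

    public enum State { OK, NOTIFY, GRACE, LOCKED }

    public static final class Decision {
        public final State state;
        public final long days;  // days until expiry (OK/NOTIFY) or until lock-out (GRACE); 0 for LOCKED
        Decision(State state, long days) { this.state = state; this.days = days; }
        @Override public String toString() { return state + "(" + days + ")"; }
    }

    private final int maxAgeDays;  // role of USER_LOCKING_MAX_PASSWORD_AGE_DAY
    private final int notifyDays;  // role of the proposed USER_LOCKING_MAX_PASSWORD_NOTIFY_DAY
    private final int graceDays;   // hypothetical GraceExpirationDays from the thread

    public PasswordAgePolicy(int maxAgeDays, int notifyDays, int graceDays) {
        if (maxAgeDays < 0 || notifyDays < 0 || graceDays < 0) {
            throw new IllegalArgumentException("day counts must be >= 0");
        }
        this.maxAgeDays = maxAgeDays;
        this.notifyDays = notifyDays;
        this.graceDays = graceDays;
    }

    /**
     * Evaluates the policy for a login on {@code today}.
     * A null change date is treated as "never changed" and fails closed (LOCKED);
     * that is this example's choice, not necessarily the platform's.
     */
    public Decision evaluate(LocalDate passwordChanged, LocalDate today) {
        if (maxAgeDays == 0) {
            return new Decision(State.OK, 0);  // expiry policy disabled
        }
        if (passwordChanged == null) {
            return new Decision(State.LOCKED, 0);
        }

        LocalDate expiresOn = passwordChanged.plusDays(maxAgeDays);
        long daysLeft = ChronoUnit.DAYS.between(today, expiresOn);  // negative once expired

        if (daysLeft > 0) {
            // Inclusive lower bound: the warning starts exactly notifyDays before expiry
            return daysLeft <= notifyDays
                    ? new Decision(State.NOTIFY, daysLeft)
                    : new Decision(State.OK, daysLeft);
        }

        long overdue = -daysLeft;  // 0 on the expiry day itself
        if (graceDays > 0 && overdue < graceDays) {
            return new Decision(State.GRACE, graceDays - overdue);
        }
        return new Decision(State.LOCKED, 0);
    }

    public static void main(String[] args) {
        LocalDate changed = LocalDate.of(2018, 1, 1);  // constructed sample: expires 2018-04-01 with a 90-day age

        PasswordAgePolicy notifyOnly = new PasswordAgePolicy(90, 7, 0);
        System.out.println(notifyOnly.evaluate(changed, LocalDate.of(2018, 3, 24)));
        System.out.println(notifyOnly.evaluate(changed, LocalDate.of(2018, 3, 25)));
        System.out.println(notifyOnly.evaluate(changed, LocalDate.of(2018, 4, 1)));

        PasswordAgePolicy withGrace = new PasswordAgePolicy(90, 7, 5);
        System.out.println(withGrace.evaluate(changed, LocalDate.of(2018, 4, 3)));
        System.out.println(withGrace.evaluate(changed, LocalDate.of(2018, 4, 6)));
    }
}
```

Two points worth carrying back into a real patch: the comparison here is inclusive, so a 7-day setting really warns for 7 days, whereas a strict `now.after(notifyAfter)` on timestamps skips the boundary day; and a null change date has to be decided explicitly rather than left to throw from the date arithmetic.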

Carlos Antonio Ruiz Gomez

Apr 24, 2018, 12:14:56 PM
to idem...@googlegroups.com
Nicolas, I think RolePanel, line 648 (in current 5.1) - just before the line
wndLogin.loginCompleted();

Regards,

Carlos Ruiz

Nicolas Micoud

Apr 24, 2018, 3:33:13 PM
to iDempiere
Arrrrrrgggghhhhh, I only tried after this line - not before :-/
It works better this way :)

https://idempiere.atlassian.net/browse/IDEMPIERE-3696

Thanks,

Nicolas