1. Password policy enhancements

From OpenEMR Project Wiki

Owner of this task

OpenEMR and EHR Support

ViCarePlus HealthCare IT Services & Support

6559, SpringPath Lane, San Jose, CA, USA

Website: http://www.vicareplus.com

Email: services@vicareplus.com

Meaningful Use Requirements

SC 03.02 When passwords are used, the system shall support password strength rules that allow for minimum number of characters, and inclusion of alphanumeric complexity.

SC 03.09 When passwords are used, the system shall allow an authenticated user to change their password consistent with password strength rules (SC 03.02)

SC 03.10 When passwords are used, the system shall support case sensitive passwords that contain typeable alpha and numeric characters in support of ISO-646/ECMA-6 (aka US ASCII).

SC 03.12 When passwords are used, the system shall prevent the reuse of passwords previously used within a specific (configurable) timeframe (i.e., within the last X days, etc. - e.g. "last 180 days"), or shall prevent the reuse of a certain (configurable) number of the most recently used passwords (e.g. "last 5 passwords").

SC 06.02 When passwords are used, the system shall not display passwords while being entered.

Proposed Solution

(a) The password must be at least eight characters long and must contain at least three of the following four items:

- a lowercase letter
- an uppercase letter
- an integer
- a special character

How:

The password is validated by checking that it contains a minimum of eight characters and at least three of the following four items:

a lowercase letter
an uppercase letter
an integer
a special character

If the entered password is invalid, an alert message is displayed: “The password must be at least 8 characters, and should contain at least three of the four following items: - A number - A lowercase letter - An uppercase letter - A special character (not a letter or number). For example: healthCare@09”. If the password text box is empty, the alert message “please enter the password” is displayed.

Set $GLOBALS['secure_password'] = 1 in globals.php to enable the strong password feature in OpenEMR (0 disables it).

Where:

User Addition and Modification

Password Change page
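The following is an added example, not OpenEMR's own code: a server-side implementation of the rule in (a), written so that the check cannot be skipped by a client that suppresses the JavaScript alert. The function names, the wiring to the $GLOBALS['secure_password'] switch, and the restriction to printable US-ASCII (so that strlen counts characters, in line with SC 03.10) are assumptions; the page itself only specifies the length, the three-of-four rule and the two messages.

```php
<?php
declare(strict_types=1);

// Added example (not OpenEMR code): strength rule from section (a).
// At least 8 characters and at least 3 of the 4 classes
// lowercase / uppercase / digit ("integer") / special (not a letter or number).

const STRONG_PASSWORD_MESSAGE = 'The password must be at least 8 characters, and should contain '
    . 'at least three of the four following items: - A number - A lowercase letter '
    . '- An uppercase letter - A special character (not a letter or number). '
    . 'For example: healthCare@09';

/**
 * Returns null when $password satisfies the policy, otherwise the alert text to show.
 * Assumption: only printable US-ASCII (0x20-0x7E) is allowed, so strlen() counts characters.
 */
function checkPasswordStrength(string $password): ?string
{
    if ($password === '') {
        return 'please enter the password';
    }
    if (!preg_match('/^[\x20-\x7E]+$/', $password)) {
        return STRONG_PASSWORD_MESSAGE;          // control or non-ASCII characters
    }
    if (strlen($password) < 8) {
        return STRONG_PASSWORD_MESSAGE;
    }
    $classes  = preg_match('/[a-z]/', $password);          // lowercase letter
    $classes += preg_match('/[A-Z]/', $password);          // uppercase letter
    $classes += preg_match('/[0-9]/', $password);          // integer
    $classes += preg_match('/[^A-Za-z0-9]/', $password);   // special: not a letter or number
    return $classes >= 3 ? null : STRONG_PASSWORD_MESSAGE;
}

/** Policy gate as it might be wired to the globals.php switch (assumed wiring). */
function passwordAccepted(string $password): bool
{
    if (empty($GLOBALS['secure_password'])) {
        return $password !== '';                 // feature disabled: only non-empty is required
    }
    return checkPasswordStrength($password) === null;
}

// Constructed sample inputs for illustration.
$GLOBALS['secure_password'] = 1;
$samples = [
    'healthCare@09' => true,   // lower + upper + digit + special
    'healthcare09'  => false,  // only two classes
    'Health@'       => false,  // four classes but too short
    'HEALTH09!'     => true,   // upper + digit + special
    'pässwort12'    => false,  // non-ASCII rejected under this example's assumption
];
foreach ($samples as $pw => $expected) {
    $ok = passwordAccepted($pw);
    printf("%-15s %s%s\n", $pw, $ok ? 'accepted' : 'rejected', $ok === $expected ? '' : '  (UNEXPECTED)');
}
```

The browser alert described above is a usability aid only; a request that bypasses the form is still accepted unless the same rule runs on the server before the password is stored, which is what checkPasswordStrength() is for.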

(b) Passwords must be changed on a regular basis (the requirement cites every 6 weeks to 3 months), and a grace login period of a further 30 days must be given in which to reset the password.

While adding a new user in “User Administration”, a value for “Password Expiration Duration” is also obtained (the default is 180 days). The ‘Password Expiration Date’ is then calculated as the current date plus the Password Expiration Duration. The same is done when editing user details in “User Administration” and on the “Password Change” page.

After a successful login, the ‘Password Expiration Date’ is compared with the current date. If the user logs in fewer than 7 days before the ‘Password Expiration Date’, the warning message “Welcome <<UserName>>, Your Password Expires on <<YYYY-MM-DD>>. Please change your password” is displayed.

If the current date equals the password expiration date, the message “Welcome <<UserName>>, Your Password expires today. Please change your password” is displayed.

If the user does not change his/her password within the password expiration period, the user gets a grace login period (30 days in the requirement; the length is set by $GLOBALS['password_grace_time']). During the grace login period the warning message “Welcome <<UserName>>, You are in Grace Login period. Please change your password before <<YYYY-MM-DD>>” is displayed.

If the “Password Expiration Date” is empty or holds the default value “0000-00-00”, the warning message “Welcome <<UserName>>, Your Password Expired. Please change your password” is displayed.

If the user does not change his/her password during the grace login period, the user account is locked: it is moved to the ‘Inactive’ state and the user can no longer log in.

Later, an administrator can reactivate the account by moving it from ‘Inactive’ to ‘Active’ and changing the user's password on the “User Administration” page.

All of the above warning messages are displayed on a new page. This page is loaded only once, in the top frame (in place of the calendar), after a successful login.

Set $GLOBALS['password_expiration_days'] to the default expiration period in days; 0 disables the feature. The administrator can override this value when editing a user. Set $GLOBALS['password_grace_time'] to the grace period in days; it only takes effect when $GLOBALS['password_expiration_days'] is non-zero (e.g. 180 days).
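The post-login check of (b), collected into one pure function so every branch (warning, expires today, no date, grace, locked) can be exercised against a fixed "today". This is an added example, not OpenEMR's code; the function names, the status constants, the exact day boundaries (fewer than 7 days means 1 to 6 days left; the grace period ends the day the expiration date plus password_grace_time is reached) and the treatment of an unparsable date as "no date" are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not OpenEMR code): expiration / grace-login logic of section (b)
// over users.pwd_expiration_date and the globals named on this page.

const PWD_OK      = 'ok';
const PWD_WARN    = 'warn';              // fewer than 7 days left
const PWD_TODAY   = 'today';
const PWD_GRACE   = 'grace';
const PWD_NO_DATE = 'expired_no_date';   // empty or 0000-00-00
const PWD_LOCKED  = 'locked';            // grace period over: caller sets the account Inactive

/** current date + Password Expiration Duration, as stored in pwd_expiration_date. */
function newExpirationDate(DateTimeImmutable $today, ?int $durationDays = null): string
{
    $days = $durationDays ?? (int)($GLOBALS['password_expiration_days'] ?? 180);
    return $today->modify("+{$days} days")->format('Y-m-d');
}

/**
 * Returns [status, message] for the page shown after login.
 * $expirationDate is the raw users.pwd_expiration_date value.
 */
function passwordLoginStatus(string $userName, ?string $expirationDate, DateTimeImmutable $today): array
{
    $expDays   = (int)($GLOBALS['password_expiration_days'] ?? 0);
    $graceDays = (int)($GLOBALS['password_grace_time'] ?? 0);
    if ($expDays === 0) {
        return [PWD_OK, ''];                                   // feature disabled
    }
    $exp = ($expirationDate === null || $expirationDate === '' || $expirationDate === '0000-00-00')
        ? false
        : DateTimeImmutable::createFromFormat('!Y-m-d', $expirationDate);
    if ($exp === false) {
        return [PWD_NO_DATE, "Welcome $userName, Your Password Expired. Please change your password"];
    }
    $today    = $today->setTime(0, 0, 0);
    $daysLeft = (int)$today->diff($exp)->format('%r%a');       // negative once expired
    if ($daysLeft >= 7) {
        return [PWD_OK, ''];
    }
    if ($daysLeft > 0) {
        return [PWD_WARN, "Welcome $userName, Your Password Expires on {$exp->format('Y-m-d')}. Please change your password"];
    }
    if ($daysLeft === 0) {
        return [PWD_TODAY, "Welcome $userName, Your Password expires today. Please change your password"];
    }
    $graceEnd = $exp->modify("+{$graceDays} days");
    if ($today < $graceEnd) {
        return [PWD_GRACE, "Welcome $userName, You are in Grace Login period. Please change your password before {$graceEnd->format('Y-m-d')}"];
    }
    return [PWD_LOCKED, ''];
}

// Constructed walk-through with a fixed "today" of 2010-06-15.
$GLOBALS['password_expiration_days'] = 180;
$GLOBALS['password_grace_time']      = 30;
$today = new DateTimeImmutable('2010-06-15');
echo 'New user would expire on ', newExpirationDate($today), "\n";   // 2010-12-12

$cases = [
    '2010-09-01' => PWD_OK,       // 78 days left
    '2010-06-20' => PWD_WARN,     // 5 days left
    '2010-06-15' => PWD_TODAY,
    '2010-06-01' => PWD_GRACE,    // expired 14 days ago, grace runs to 2010-07-01
    '2010-05-01' => PWD_LOCKED,   // grace ended 2010-05-31
    '0000-00-00' => PWD_NO_DATE,
];
foreach ($cases as $expDate => $expected) {
    [$status, $message] = passwordLoginStatus('admin', $expDate, $today);
    printf("%-11s %-16s %s%s\n", $expDate, $status, $message, $status === $expected ? '' : '  (UNEXPECTED)');
}
```

Keeping the decision in a function that takes "today" as a parameter is what makes the boundary cases (the day of expiration, the last day of grace) testable without waiting for the calendar; the caller that sets users to ‘Inactive’ on PWD_LOCKED is deliberately left outside it.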

(c) The system should log the last three passwords and prevent reuse:

When a user's password is changed on the “User Administration” or “Password Change” pages, the entered password is compared with the last three passwords of the same user.

If the entered password matches any of the last three passwords, the user is alerted with “Recent three passwords are not allowed.”

Set $GLOBALS['password_history'] = 1 to enable the password history feature in OpenEMR (0 disables it).

Database Fields Introduced

The following fields are introduced in the “users” table:

Password Expiration Duration => pwd_exp_duration
Password Expiration Date => pwd_expiration_date
Password History 1 => pwd_history1
Password History 2 => pwd_history2
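An added example of the "last three passwords" check from (c) and the rotation of the two history columns introduced above; it is not OpenEMR's code. It assumes that the three compared passwords are the current one plus pwd_history1 and pwd_history2, that the current hash lives in a users column named password, and that all three are stored as password_hash() digests and compared with password_verify() rather than kept in plaintext.

```php
<?php
declare(strict_types=1);

// Added example (not OpenEMR code): password history check from section (c)
// against stored hashes. Columns `password`, pwd_history1, pwd_history2 form the
// three-password window; the `password` column name is an assumption.

const HISTORY_MESSAGE = 'Recent three passwords are not allowed.';

/** $row mirrors the users table columns; returns the alert text or null when allowed. */
function checkPasswordHistory(array $row, string $newPassword): ?string
{
    if (empty($GLOBALS['password_history'])) {
        return null;                                   // feature disabled
    }
    foreach (['password', 'pwd_history1', 'pwd_history2'] as $col) {
        $hash = $row[$col] ?? '';
        if ($hash !== '' && password_verify($newPassword, $hash)) {
            return HISTORY_MESSAGE;
        }
    }
    return null;
}

/** Shifts the window by one and stores the new hash; returns the updated row. */
function rotatePasswordHistory(array $row, string $newPassword): array
{
    $row['pwd_history2'] = $row['pwd_history1'] ?? '';
    $row['pwd_history1'] = $row['password'] ?? '';
    $row['password']     = password_hash($newPassword, PASSWORD_DEFAULT);
    return $row;
}

// Constructed walk-through: a user whose current password is healthCare@09.
$GLOBALS['password_history'] = 1;
$row = [
    'password'     => password_hash('healthCare@09', PASSWORD_DEFAULT),
    'pwd_history1' => '',
    'pwd_history2' => '',
];
foreach (['Spring#2010', 'Summer#2010', 'healthCare@09', 'Autumn#2010'] as $candidate) {
    $err = checkPasswordHistory($row, $candidate);
    if ($err !== null) {
        echo "$candidate: $err\n";                     // third change: still in the window
        continue;
    }
    $row = rotatePasswordHistory($row, $candidate);
    echo "$candidate: accepted\n";
}
// After three accepted changes the original password has left the window.
echo checkPasswordHistory($row, 'healthCare@09') === null
    ? "healthCare@09: reusable again\n"
    : "healthCare@09: still blocked\n";
```

Two properties follow from comparing hashes rather than plaintext: the history columns leak nothing more than the current password column already does if the table is read, and a password is blocked only while it is one of the three most recent, exactly the "last 5 passwords"-style rule of SC 03.12 with X = 3.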

Documents

1. SRS - http://www.openmedsoftware.org/wiki/File:PassStrengthSRS.pdf

2. Functionality Test Case Document - http://www.openmedsoftware.org/wiki/File:PassStrengthTC.pdf

3. Test Case Report - http://www.openmedsoftware.org/mw/images/3/34/PasswordStrengthening_TCReport_Updated.tar

Status

Completed by ViCarePlus Team, Visolve.

Checkin status - Committed to the Sourceforge CVS

Associated with SF forum: http://sourceforge.net/projects/openemr/forums/forum/202506/topic/3542453