Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: Update minimum password requirement to at least 12 characters #7358

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix: Update minimum password requirement to at least 12 characters #7358

wants to merge 1 commit into from

Conversation

dbaidya9006
Copy link

Fixes #7357

Short description of what this resolves:

OpenEMR allows passwords at least 9 characters in length. To meet the ASVS 2.1.1 requirement, passwords under 12 characters should not be allowed. Additionally, OpenEMR does not have any constraints for the ‘password’ attribute of the ‘users_secure’ table to prevent bypassing the front-end validation and storing a password that does not meet minimum character requirements.

After update:
Screenshot of creating a new user with an 11-character password with a 12-character minimum password requirement enforced:
image

Screenshot of changing a password to a 11-character password with a 12-character minimum password requirement enforced:
image

Screenshot of adding a new row to the users_secure table with an 11-character password to the running database with a constraint enforcing a 12-character minimum length for the password attribute:
image

Changes proposed in this pull request:

  1. In globals.inc.php, update the default value for the global variable ‘gbl_minimum_password_length’ from ‘9’ to ‘12’. This variable is used in ‘AuthUtils.php’ to enforce a minimum password length requirement on the front-end.
  2. In database.sql, add a constraint to the ‘password’ attribute of the ‘users_secure’ table to complete a check of the length of the password entered and confirm it is greater than or equal to 12. OpenEMR hashes the password entered in the application before storing the value in the database, so passwords should be much greater than 12 characters when saved from the front-end; however, if a user identifies a way to bypass the front-end validation to create/update a user (such as using a REST API endpoint), then the constraint on the attribute within MySQL will still preserve the minimum password requirement. This ensures OpenEMR does not solely rely on the front-end validation to protect the minimum password length requirement.

@bradymiller
Copy link
Sponsor Member

hi @dbaidya9006 ,

  1. Doesn't NIST still only recommend 8 or greater for password size? Not against going to 12, but would check other standards to get an idea of where they all lie before making a decision on this.
  2. Also no reason for the database constraint since it stores a hash that is always > 12. And a user would not be able to log in if there was not a hash stored there.

@adunsulag adunsulag added the WaitingForInfo This will put in queue for stale bot label Apr 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
WaitingForInfo This will put in queue for stale bot
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Bug: Minimum password requirement is less than 12 characters
3 participants
@dbaidya9006 @bradymiller @adunsulag