Password plus: password history add on

Hi everyone,

I wrote a small add-on that enforces password history checking in an existing CUBA application! It also adds password expiration as a scheduled task. Have a look at it and enjoy!

Link to the component on CUBA Marketplace: Password-plus – CUBA Platform

1 Like

Not trolling, but even Microsoft admitted that password expiration policies are useless and plans to get rid of them:

the company explained that password expiration is no longer a useful tool for preventing breaches, and it often causes more headaches than it’s worth

1 Like

hahaha, you are absolutely right, I saw it... but tell it to the audit guys in pharma companies, they will not surrender so easily :wink:

I would argue that it does not really matter and it should not be the first response from the community. As Alejandro mentioned: if there is a business need, there is value in it (to some people).

You could also apply the same argumentation for passwords in general. Or if not used with 2FA etc.

What it comes down to is that there are always a wide range of possible solutions. And it always depends on the context. So please let’s treat such an add-on contribution as what it is: a valuable thing to have in the ecosystem.

So thanks for your effort @arapoport :+1:

Bye
Mario

2 Likes

Sure, and previous password history is valuable indeed.
My personal humble opinion is that passwords should be changed every few years (not months).

1 Like

Thanks Mario !

The extension also has a class that can be set up as a scheduled task to expire old passwords, so the administrator can set the expiration period (not yet documented, I'm sorry) to fulfill any audit requirement.

For the record, I don't believe in password expiration either (myPass1, myPass2, etc. is the norm for end users...). But the reality is that my CUBA-based solution has to comply with FDA's 21 CFR Part 11 (electronic signatures), and that's why I had to do it. Indeed, I had fun doing it as an independent add-on instead of something monolithic and proprietary.

At the end of the day, I’m very happy to reassure once again that CUBA can handle such requirements, some of them as a built-in feature and some, like this one, as an extension.

Alejandro

2 Likes

Hi, I would like to check on the password-plus (v1.1.0) add-on. When I tested it, it didn't stop me from changing my password to a previously used one, and it also did not prompt for a password change after the change-password period was reached. I had set usePswdExpiration and usePswdHistory to true. Is there something I still missed in the configuration?

Hi,

There is a scheduled task that must be configured properly in order to run the expiration check. Is it configured?

image.png

Hi, can you post the image again? I can't see it in your post. May I have a sample of how to configure a scheduled task?

Configure a new scheduled task as follows:

Defined by: bean
Bean name: pswdplus_ExpireService
Method name: expireOldPasswords()
Singleton: yes

Then, set a daily or hourly schedule, depending on your needs.

Alejandro
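For readers who want to see what such a scheduled bean does behind the task configuration above, here is an added example: a reconstruction written for this thread, not the add-on's own source. It assumes the add-on's pswdplus$PasswordHistory entity is a CUBA StandardEntity (so it carries a createTs timestamp written whenever a password is changed), it hard-codes the expiration period where the add-on would read a setting, and it uses the standard sec$User flag changePasswordAtNextLogon, which CUBA already honours at login, to force the change. The package name is hypothetical.

```java
// Added example (reconstruction), not the pswdplus add-on's code.
// Assumptions: pswdplus$PasswordHistory extends StandardEntity (has createTs),
// and EXPIRATION_DAYS stands in for the add-on's configurable period.
package com.example.pswdplus.core;   // hypothetical package

import com.haulmont.cuba.core.EntityManager;
import com.haulmont.cuba.core.Persistence;
import com.haulmont.cuba.core.Transaction;
import com.haulmont.cuba.core.TypedQuery;
import com.haulmont.cuba.core.global.TimeSource;
import com.haulmont.cuba.security.entity.User;
import org.springframework.stereotype.Component;

import javax.inject.Inject;
import java.util.Date;
import java.util.List;
import java.util.concurrent.TimeUnit;

// Bean name matches the scheduled task configuration (Defined by: bean,
// Bean name: pswdplus_ExpireService, Method name: expireOldPasswords()).
@Component("pswdplus_ExpireService")
public class ExpireService {

    // Hypothetical constant; the real add-on exposes the period as a setting.
    private static final int EXPIRATION_DAYS = 90;

    @Inject
    private Persistence persistence;

    @Inject
    private TimeSource timeSource;   // CUBA's clock rather than new Date()

    // Called by the scheduler. Returning a short summary gives the scheduler
    // something to record for each run, which auditors like to see.
    public String expireOldPasswords() {
        Date cutoff = new Date(timeSource.currentTimestamp().getTime()
                - TimeUnit.DAYS.toMillis(EXPIRATION_DAYS));
        int flagged = 0;

        // try-with-resources rolls the transaction back if anything throws
        try (Transaction tx = persistence.createTransaction()) {
            EntityManager em = persistence.getEntityManager();

            // Active users not already flagged, whose account predates the cutoff
            // and who have no password change (history row) since the cutoff.
            // Accounts newer than the cutoff are skipped so a fresh user is not
            // forced to change a password that was set yesterday.
            TypedQuery<User> query = em.createQuery(
                    "select u from sec$User u "
                  + "where u.active = true "
                  + "and u.changePasswordAtNextLogon = false "
                  + "and u.createTs <= :cutoff "
                  + "and not exists (select ph.id from pswdplus$PasswordHistory ph "
                  + "                where ph.user.id = u.id and ph.createTs > :cutoff)",
                    User.class);
            query.setParameter("cutoff", cutoff);

            List<User> users = query.getResultList();
            for (User user : users) {
                // Built-in CUBA behaviour: on the next successful login the user
                // gets the change-password dialog and cannot proceed without
                // choosing a new password (which the history check then screens).
                user.setChangePasswordAtNextLogon(true);
                flagged++;
            }
            tx.commit();   // managed User entities are flushed here
        }
        return "Flagged " + flagged + " user(s) for password change";
    }
}
```

Because the check only flags users and never touches the stored hash, running it hourly or daily is safe to repeat: a user already flagged is excluded by the changePasswordAtNextLogon filter, and the flag is cleared by CUBA itself once the password is changed.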

The password history checking didn't work in Platform 7.2. Any solutions?

Hi Kenneth,

It works on 7.2 but you have to check it out right from the repo:

Alejandro

1 Like

Thanks for your information, but after cloning from the repo, the following build error occurs.


A problem occurred configuring root project ‘pswdplus’.
Could not resolve all artifacts for configuration ‘:classpath’.
Could not resolve com.haulmont.gradle:cuba-plugin:7.2.4.
Required by:
project :
Could not resolve com.haulmont.gradle:cuba-plugin:7.2.4.
Could not get resource ‘https://dl.bintray.com/aleksey-stukalov/cuba-components/com/haulmont/gradle/cuba-plugin/7.2.4/cuba-plugin-7.2.4.pom’.
Could not GET ‘https://dl.bintray.com/aleksey-stukalov/cuba-components/com/haulmont/gradle/cuba-plugin/7.2.4/cuba-plugin-7.2.4.pom’. Received status code 502 from server: Bad Gateway
Could not resolve com.jfrog.bintray.gradle:gradle-bintray-plugin:1.8.0.
Required by:
project :
Could not resolve com.jfrog.bintray.gradle:gradle-bintray-plugin:1.8.0.
Could not get resource ‘https://dl.bintray.com/aleksey-stukalov/cuba-components/com/jfrog/bintray/gradle/gradle-bintray-plugin/1.8.0/gradle-bintray-plugin-1.8.0.pom’.
Could not GET ‘https://dl.bintray.com/aleksey-stukalov/cuba-components/com/jfrog/bintray/gradle/gradle-bintray-plugin/1.8.0/gradle-bintray-plugin-1.8.0.pom’. Received status code 502 from server: Bad Gateway

Hi, it is related to the repositories, please see this: Important: shutdown of the Bintray and Jcenter repositories - #3

1 Like

Thanks a lot, the problem was solved.
But in the latest CUBA version BCrypt is used, so I had to rewrite the checking function as below.
Ref: Password hash mechanism - #3 by cklee

import com.haulmont.cuba.core.EntityManager;
import com.haulmont.cuba.core.Persistence;
import com.haulmont.cuba.core.Transaction;
import com.haulmont.cuba.core.TypedQuery;
// CUBA 7.2's BCryptEncryptionModule uses this BCrypt class; jBCrypt's
// org.mindrot.jbcrypt.BCrypt exposes the same checkpw(String, String) if that is what you have.
import org.springframework.security.crypto.bcrypt.BCrypt;

import javax.inject.Inject;
import java.util.List;
import java.util.UUID;

@Inject
private Persistence persistence;

@Override
public boolean isPasswordInHistoryB(UUID userId, String newPassword) {
    List<String> passwordHashes;

    // Load the user's stored history hashes. try-with-resources closes (and rolls
    // back) the transaction if the query throws, which the plain tx.commit() version did not.
    try (Transaction tx = persistence.createTransaction()) {
        EntityManager em = persistence.getEntityManager();
        TypedQuery<String> query = em.createQuery(
                "select ph.passwordHash from pswdplus$PasswordHistory ph where ph.user.id = :userId",
                String.class);
        query.setParameter("userId", userId);
        passwordHashes = query.getResultList();
        tx.commit();
    }

    // BCrypt hashes are salted, so the same password yields a different hash every time;
    // the only way to test for reuse is to verify the candidate against each stored hash.
    // Each checkpw call costs a full BCrypt round, so keep the history length bounded.
    for (String hash : passwordHashes) {
        if (BCrypt.checkpw(newPassword, hash)) {
            return true;   // password was used before
        }
    }
    return false;
}

Yes, you are right. Another way to solve it is to configure your app to use the legacy encryption method; see:

https://doc.cuba-platform.com/manual-latest/app_properties_reference.html#cuba.legacyPasswordEncryptionModule