Password plus: password history add on

arapoport · April 30, 2019, 2:42pm

Hi everyone,

I wrote a small add-on that enforces password history checking to an existing CUBA application ! It also adds password expiration as a schedule task. Have a look at it and enjoy !

Link to the component on CUBA Marketplace: https://cuba-platform.com/marketplace/pswd-plus/

AlexBudarov · April 29, 2019, 7:57am

Not trolling, but even Microsoft admitted that password expiration policies are useless and plans to get rid of them:

the company explained that password expiration is no longer a useful tool for preventing breaches, and it often causes more headaches than it’s worth

https://www.windowscentral.com/microsoft-drops-baseline-windows-10-password-expiration-policy

arapoport · April 29, 2019, 1:25pm

hahaha, you are absolutely right, I saw it…but tell it to the audit guys in pharma companies, they will not surrender so easy

mario · April 29, 2019, 1:53pm

I would argue, that it does not really matter and it should not be the first response from the community. As Alejandro mentioned: If there is a business need - there is value in it (to some people).

You could also apply the same argumentation for passwords in general. Or if not used with 2FA etc.

What it comes down to is that there are always a wide range of possible solutions. And it always depends on the context. So please let’s treat such an add-on contribution as what it is: a valuable thing to have in the ecosystem.

So thanks for your effort @arapoport

Bye
Mario

AlexBudarov · April 29, 2019, 2:32pm

Sure, and previous password history is valuable indeed.
My personal humble opinion is that passwords should be changed every few years (not months).

arapoport · April 29, 2019, 3:49pm

Thanks Mario !

The extension has also a class that could be set as a schedule task to expire old passwords, so the administrator can set the expiration period (not yet documented, I’m sorry) to fulfill any audit requirement.

For the records, I don’t believe in password expiration either (myPass1, myPass2, etc, is the norm for end users…). But the reality is that my CUBA-based solution has to comply with FDA’s 21 CFR part 11 (electronic signature) and that’s why I had to do it. Indeed, I had fun doing it as an independent add-on instead of monolitic and propietary.

At the end of the day, I’m very happy to reassure once again that CUBA can handle such requirements, some of them as a built-in feature and some, like this one, as an extension.

Alejandro

wjlee · August 27, 2020, 10:15am

Hi I would like to check on the password-plus(v1.1.0) add on,when i tested it doesn’t restrict me to change my password the previously use and also not prompt for change password after change password period is reach. I had set the usePswdExpiration and usePswdHistory to true. Is it something I still missed out from the configuration?

arapoport · August 27, 2020, 12:00pm

Hi,

There is a schedule tasks that should be configured properly in order to run the expiration check. Is it configured ?

wjlee · August 28, 2020, 3:27am

Hi, can you post again the image i can’t see from you post. May i have a sample how to configure a scheduler task?

arapoport · August 28, 2020, 10:54am

Configure a new schedule task as follow:

Defined by: bean
Bean name: pswdplus_ExpireService
Method name: expireOldPasswords()
Singleton: yes

Then, set a daily or hourly schedule, depending on your needs.

Alejandro