Developer forum


Extending password requirements

Daniel Hollmann

Hi DW,

I have a question regarding the password requirement.
As part of security measures, our customer is looking to implement some new password requirements to ensure the safety of user accounts.

Our customer wants to ensure password security that goes beyond the high complexity setting in Dynamicweb.
Here are some of the requirements:
 

  • Different from the last 10 used passwords: We want to enforce a policy where users cannot reuse their last 10 passwords. This is to prevent password recycling and enhance password security.
  • At least annual password expiration: We would like to set a policy where users are prompted to change their password at least once a year. This is to ensure that passwords are regularly updated and not kept unchanged for prolonged periods.
  • Change password at first log-in (if set by an administrator - not relevant for this scope): We understand that this requirement may not be applicable to our CMS system, but we wanted to mention it for completeness. In case our system supports it, we would like to have the option for users to change their password at their first log-in, if set by an administrator.
  • Not follow a predictable pattern: Lastly, we want to ensure that passwords do not follow a predictable pattern, such as sequential numbers or repetitive characters. This is to prevent easily guessable passwords and enhance overall password security.


I don’t think this is achievable with DW’s extranet password security settings, and I’m not sure if it’s possible at all to look at the last 10 passwords in a custom solution?
Do you have any input on either how this could be done, or whether it's even achievable?

Best regards, Daniel


Replies

 
Nicolai Pedersen (Dynamicweb Employee)
This post has been marked as an answer

The only one Dynamicweb supports is the number of times a password can be used.

But you can create a notification subscriber using the Notifications.Standard.User.OnBeforeForgotPassword notification. You will get the new user in that notification, and on the request.forms object you can find the password the user entered, and then validate it in the notification subscriber. But you have to make a response.end or a redirect or something to stop the new password feature from completing.

Votes for this answer: 1
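The policy checks such a subscriber would run against the submitted password, as an added example that is not code from this thread or from Dynamicweb. It is written in plain Python, independent of the CMS, and only covers the validation logic; the notification hook, the form field name and where the history is persisted are left out. It assumes previous passwords are kept as salted PBKDF2 hashes rather than plaintext, which is what makes the "different from the last 10" comparison possible without ever storing the old passwords themselves. The sample history and candidate passwords are constructed.

```python
"""Password-policy checks of the kind a notification subscriber could call
before letting a new password through.  Added example, independent of
Dynamicweb; the CMS hook, form field and storage are assumed, not shown."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

HISTORY_DEPTH = 10                      # "different from the last 10 used passwords"
MAX_PASSWORD_AGE = timedelta(days=365)  # "at least annual password expiration"
PBKDF2_ITERATIONS = 100_000             # tune upward for production hardware
MIN_RUN = 4                             # "1234", "aaaa", "dcba" trip the pattern check


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; history entries are (salt, digest) tuples.
    Storing hashes instead of plaintext is what makes a reuse check possible."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_matches(password, salt, digest):
    """Constant-time comparison of the candidate against one stored entry."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def record_password(history, password):
    """Return the history with the new hash appended and trimmed to HISTORY_DEPTH."""
    return (list(history) + [hash_password(password)])[-HISTORY_DEPTH:]


def is_reused(password, history):
    """True if the candidate equals any of the last HISTORY_DEPTH passwords."""
    return any(password_matches(password, salt, digest)
               for salt, digest in history[-HISTORY_DEPTH:])


def has_predictable_pattern(password, min_run=MIN_RUN):
    """Flag a run of one repeated character ('aaaa') or of consecutive code
    points in either direction ('1234', 'abcd', 'dcba').  Keyboard walks such
    as 'qwerty' are not consecutive code points and need a word list instead."""
    s = password.lower()
    for i in range(len(s) - min_run + 1):
        window = s[i:i + min_run]
        if len(set(window)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def validate_new_password(password, history):
    """Return the list of policy violations; an empty list means accept.
    The subscriber would redirect or end the response on a non-empty list."""
    problems = []
    if has_predictable_pattern(password):
        problems.append("predictable pattern")
    if is_reused(password, history):
        problems.append("reused")
    return problems


def _as_datetime(value):
    """Accept a datetime or an ISO 8601 string; naive values are taken as UTC."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value


def must_change_password(last_changed, now=None, force_change=False):
    """Login-time check: admin-forced change, never set, or older than a year."""
    if force_change or last_changed is None:
        return True
    now = _as_datetime(now) if now is not None else datetime.now(timezone.utc)
    return now - _as_datetime(last_changed) >= MAX_PASSWORD_AGE


if __name__ == "__main__":
    # Constructed sample history (not real user data).
    history = []
    for old in ("Winter-2021-ok", "Spring-2022-ok", "Autumn-2023-ok"):
        history = record_password(history, old)
    for candidate in ("Spring-2022-ok", "Summer1234!", "Tr0ub4dor&3"):
        print(candidate, "->", validate_new_password(candidate, history) or "accepted")
```

Each history entry carries its own salt, so a reuse check costs one PBKDF2 computation per stored entry (at most ten); keep the iteration count in line with whatever the main credential store uses, since the history table is just as sensitive as the live password hash.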
 
Daniel Hollmann

Thanks for the clarification :)

 
