As one of our customers migrated from their existing system to Deveo, a thorough security audit of Deveo was conducted within the last couple of months. The audit was carried out by WhiteHat Security using their dynamic analysis. As we had predicted, there were no critical issues in the core functionality of Deveo. However, one piece of functionality, default password strength, was raised as a potential issue.
The typical scenario for authentication in Deveo is to use a corporate LDAP or Active Directory service. When an external directory service handles authentication, the password policy is enforced by that directory service. However, since some of our customers prefer to separate the development environment from the corporate network, as described in a previous post, and thus use Deveo's local user database as the authentication mechanism, enforcing stronger passwords for local accounts became an evident need.
Because Deveo needs to meet the high security and privacy requirements set by our customers, and because we needed to satisfy the security audit, we decided to tackle password policy and password strength also for Deveo instances that use the local Deveo user database. This allows us to comply even with the most demanding security and privacy requirements. If you wish to read more about the different authentication mechanisms Deveo provides, please check our administrator guide.
Password policy configuration enhancements in Deveo 2.10.0
We enhanced the password policy for the local Deveo user database by adding more options to our configuration. Earlier there was no setting for configuring a password policy at all, and for most deployments this was sufficient. To align with tighter security constraints, we added the following configuration options to deveo.json:
- ability to configure the password length
- ability to configure the password validation format with a regular expression
- ability to configure the desired password strength entropy
With these settings we believe that we are able to support most of the scenarios regarding password policies among organizations.
How it works
We made the configuration of these policies as simple as we could. The administrator guide documents the policy settings in detail, but as a short example, one of our customers wanted the following policy for their passwords:
- Passwords need to be at least 12 characters
- Passwords need to contain uppercase letters, lowercase letters and numbers
- Passwords must not match the user's email, username, first name or last name
We can accomplish this with the following configuration:
"password_validation_range": "12..100",
"password_validation_format": "/(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*/",
"password_validation_entropy": 0
The first line sets the allowed password length to between 12 and 100 characters. The second line requires the password to match the given regular expression, and the third line configures the entropy check, which compares the password against the username, email address, first name and last name using the Levenshtein distance.
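To make the three settings concrete, here is an added example (not Deveo's own code) of a validator that reads a deveo.json fragment in the shape shown above and applies the length range, the regular expression and the Levenshtein check. The user record, the field names username/email/first_name/last_name and the interpretation of password_validation_entropy as a minimum Levenshtein distance (a distance at or below the threshold rejects the password, so 0 rejects only exact, case-insensitive matches) are assumptions for this illustration.

```python
import json
import re

# Constructed deveo.json fragment with the three policy keys from the post.
CONFIG_JSON = """{
  "password_validation_range": "12..100",
  "password_validation_format": "/(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*/",
  "password_validation_entropy": 0
}"""

# Constructed user record; the field names are an assumption.
USER = {
    "username": "jdoe",
    "email": "jane.doe@example.com",
    "first_name": "Jane",
    "last_name": "Doe",
}


def load_config(text=CONFIG_JSON):
    """Parse the configuration fragment into a dict."""
    return json.loads(text)


def parse_range(spec):
    """'12..100' -> (12, 100)."""
    lo, hi = spec.split("..")
    return int(lo), int(hi)


def parse_format(spec):
    """Strip the /.../ delimiters used in the config and compile the pattern."""
    if len(spec) >= 2 and spec.startswith("/") and spec.endswith("/"):
        spec = spec[1:-1]
    return re.compile(spec)


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def validate_password(password, user, config):
    """Return a list of policy violations; an empty list means the password is accepted."""
    errors = []

    lo, hi = parse_range(config["password_validation_range"])
    if not lo <= len(password) <= hi:
        errors.append(f"length must be between {lo} and {hi} characters")

    if not parse_format(config["password_validation_format"]).search(password):
        errors.append("does not match the required format")

    # Assumption: the entropy value is the minimum Levenshtein distance the
    # password must keep from each identity field, compared case-insensitively.
    min_distance = config["password_validation_entropy"]
    for field in ("username", "email", "first_name", "last_name"):
        value = user.get(field)
        if not value:
            continue
        if levenshtein(password.lower(), value.lower()) <= min_distance:
            errors.append(f"too similar to {field}")

    return errors


if __name__ == "__main__":
    cfg = load_config()
    for candidate in ("Correct9Horse", "shortPw1", "jane.doe@example.com"):
        print(candidate, "->", validate_password(candidate, USER, cfg) or "OK")
```

Rejecting only exact matches (threshold 0) is the weakest setting; raising password_validation_entropy makes the Levenshtein check reject passwords that differ from the username or email by only a few edits.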
With this enhancement we tackled the policy side of local Deveo passwords; we will tackle the process side later by adding password expiration and disallowing the reuse of old passwords. Stay tuned for more releases and features from the Deveo team in the near future!