Password Requirements

Password Restriction Configuration

N2FE can be configured with rules governing ACS, SMS and Service Number passwords. Passwords set through N2FE must satisfy these rules, ensuring that users can choose only secure passwords for their accounts.

Note that the OCNCC system will not honor these requirements.

Available Rules

The rules that may be set include a combination of the following:

Configuration

Within the habitat, the section password_requirements must be configured to build a set of rules for SMS, ACS and Service Number passwords. The section in the configuration has the following structure:

"password_requirements" : {
    "SMS" : {
        // rules
    },
    "SN" : {
        // rules
    },
    "ACS" : {
        // rules
    }
}

In each subsection, //rules is to be replaced with the following options:

| Rule Name | Description |
| --- | --- |
| minimum_length | The minimum length of password to be accepted. This should be set to at least 1. |
| maximum_length | The maximum length of password to be accepted. Note that SMS and ACS passwords have a fixed database length of 50 characters, while Service Numbers must have a password of 16 characters or less. |
| maximum_consecutive_characters | The maximum number of consecutive characters of a single type, where the character types are uppercase letters, lowercase letters, numeric digits and special characters. |
| required_uppercase_character | Whether passwords require an uppercase letter or not. |
| required_lowercase_character | Whether passwords require a lowercase letter or not. |
| required_numeric_character | Whether passwords require a numeric digit or not. |
| required_special_character | Whether passwords require a special character or not. |

The following is an example configuration for setting password requirements. Each field is required in n2fe.xml.

"password_requirements": {
    "SMS": {
        "minimum_length" : 6
        , "maximum_length" : 50
        , "maximum_consecutive_characters" : 0
        , "required_uppercase_character": true
        , "required_lowercase_character": true
        , "required_numeric_character": true
        , "required_special_character": false
    },
    "SN": {
        "minimum_length": 4
        , "maximum_length" : 16
        , "maximum_consecutive_characters": 0
        , "required_uppercase_character": false
        , "required_lowercase_character": false
        , "required_numeric_character": true
    },
    "ACS": {
        "minimum_length": 6
        , "maximum_length" : 50
        , "maximum_consecutive_characters": 0
        , "required_uppercase_character": true
        , "required_lowercase_character": true
        , "required_numeric_character": true
        , "required_special_character": false
    }
}
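
The rule table and the "each field is required" statement above can be checked mechanically before a configuration is deployed. The following linter is an added example, not part of N2FE. The function name lint_password_requirements is hypothetical, and the code assumes that the password_requirements object has already been extracted and parsed as JSON and that every rule is mandatory in every section.

```python
import json

# Limits stated on this page: SMS/ACS columns hold 50 characters, SN at most 16.
MAX_LENGTH_LIMIT = {"SMS": 50, "ACS": 50, "SN": 16}
INT_RULES = ("minimum_length", "maximum_length", "maximum_consecutive_characters")
BOOL_RULES = ("required_uppercase_character", "required_lowercase_character",
              "required_numeric_character", "required_special_character")

def lint_password_requirements(requirements):
    """Return sorted findings for a parsed password_requirements object."""
    findings = []
    for section, limit in MAX_LENGTH_LIMIT.items():
        rules = requirements.get(section)
        if not isinstance(rules, dict):
            findings.append(f"{section}: section missing")
            continue
        for name in INT_RULES + BOOL_RULES:
            if name not in rules:
                findings.append(f"{section}: {name} missing")
        for name in INT_RULES:
            # bool is a subclass of int in Python, so use an exact type check.
            if name in rules and type(rules[name]) is not int:
                findings.append(f"{section}: {name} must be an integer")
        for name in BOOL_RULES:
            if name in rules and not isinstance(rules[name], bool):
                findings.append(f"{section}: {name} must be true or false")
        lo, hi = rules.get("minimum_length"), rules.get("maximum_length")
        if type(lo) is int and lo < 1:
            findings.append(f"{section}: minimum_length below 1")
        if type(hi) is int and hi > limit:
            findings.append(f"{section}: maximum_length exceeds {limit}")
        if type(lo) is int and type(hi) is int and lo > hi:
            findings.append(f"{section}: minimum_length exceeds maximum_length")
    return sorted(findings)

# Constructed sample: SN mirrors the example on this page, SMS is deliberately
# wrong and ACS is left out.
SAMPLE = json.loads("""{
  "SMS": {"minimum_length": 0, "maximum_length": 64, "maximum_consecutive_characters": 0,
          "required_uppercase_character": true, "required_lowercase_character": true,
          "required_numeric_character": true, "required_special_character": "no"},
  "SN":  {"minimum_length": 4, "maximum_length": 16, "maximum_consecutive_characters": 0,
          "required_uppercase_character": false, "required_lowercase_character": false,
          "required_numeric_character": true}
}""")

if __name__ == "__main__":
    for finding in lint_password_requirements(SAMPLE):
        print(finding)
```

An empty result means the section satisfies every constraint stated on this page; it says nothing about whether the chosen values are strong enough for a given deployment.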

Enforcing ACS User Password Encryption

By default, ACS stores ACS user passwords unencrypted in the acs_user table. To enable ACS user password encryption, set the N2FE Jarvis login parameter encrypt_acs_user_passwords to 1 rather than 0:

<jarvis>
  <app>
    <login module="LoginSMF">
      <!-- many other options exist ... -->

      <parameter name="encrypt_acs_user_passwords" value="1"/>
    </login>
  </app>
</jarvis>

When enabling encrypted ACS user passwords, it is crucial to run the following SQL against the SMF database first:

alter trigger smf.ACS_USER_ABT disable;
alter trigger smf.ACS_USER_AAT disable;
alter table acs_admin.acs_user modify password char(66 char);
alter trigger smf.ACS_USER_AAT enable;
alter trigger smf.ACS_USER_ABT enable;
alter package acs_admin.acs compile;
alter package acs_admin.acs compile body;

The default size of the acs_user.password column is 50 characters, which is insufficient to store the N2FE-encrypted passwords. Encrypted password data is exactly 66 characters in length.

NOTE: If encrypted ACS user passwords are enabled, ACS users will not be able to log in via the standard NCC ACS user screens. The ACS user screens compare passwords in an unencrypted form only. However, each ACS user is considered independently, so it is possible to run two sets of users in parallel if required for testing and migration purposes.

ACS users will have their password updated on first login to N2FE. After logging in to N2FE for the first time, their password will be encrypted.

Any ACS user created via N2FE will have their password automatically encrypted; however, any ACS user created via the NCC User Screens will have their password stored unencrypted. If a user's password is updated via the NCC user screens, the password will also be stored unencrypted (until such time as that ACS user logs in to N2FE).