20210914 - IdentityServer Security Enhancements
Release - 14th September 2021
Module:
Security
Summary:
Support a stronger Password Policy in "IdentityServer"
Ticket:
https://bigdigit.atlassian.net/browse/SSO-56
Detail:
We now support a stronger Password Policy in "IdentityServer"
Password length: minimum 8 characters, maximum 256 characters.
Password complexity: the password must contain both uppercase and lowercase letters and at least one number.
Module:
Security
Summary:
Implement "Change Password On Next Logon" feature
Ticket:
https://bigdigit.atlassian.net/browse/SSO-58
Detail:
Ability to force specific users to reset their password the next time they log in.
The new password they enter must meet the stronger Password Policy introduced in SSO-56 above.
Module:
Security
Summary:
Notify user client side on strength of new password
Ticket:
https://bigdigit.atlassian.net/browse/SSO-112
Detail:
When a user is resetting their password, the client shows them, as they type, which requirements of the new Password Policy their new password meets.
This helps users choose a compliant password BEFORE it is submitted to the server, similar to how Google does it. The server still validates the password against the policy on submission; the client-side feedback is guidance only.
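The policy rules (SSO-56), the forced reset on next logon (SSO-58) and the client-side feedback (SSO-112) all need the same rule check, so here is one added JavaScript example, written for these notes and not taken from IdentityServer, that expresses the policy as a rule table, evaluates it per keystroke for a checklist in the browser, and applies it as a pass/fail gate on the server. The rule ids, function names and element ids are assumptions.

```javascript
// Added example for these release notes; not IdentityServer's own code.
// One rule table drives both the server-side validator and the browser
// checklist that updates while the user types. Rule ids and names are assumed.
const PASSWORD_POLICY = [
  { id: "minLength", text: "At least 8 characters", test: (p) => codePoints(p) >= 8 },
  { id: "maxLength", text: "At most 256 characters", test: (p) => codePoints(p) <= 256 },
  { id: "lower", text: "A lowercase letter", test: (p) => /[a-z]/.test(p) },
  { id: "upper", text: "An uppercase letter", test: (p) => /[A-Z]/.test(p) },
  { id: "digit", text: "A number", test: (p) => /[0-9]/.test(p) },
];

// Count code points rather than UTF-16 units so an emoji counts as one character.
function codePoints(s) {
  return Array.from(s).length;
}

// Evaluate every rule and return one entry per rule, so a UI can show a
// per-requirement checklist instead of a single "weak/strong" verdict.
function checkPassword(password) {
  return PASSWORD_POLICY.map((rule) => ({ id: rule.id, text: rule.text, met: rule.test(password) }));
}

// Server-side gate: accept only when every rule is met; report what failed.
// The server must run this even if the client already showed a green checklist.
function validatePassword(password) {
  const failed = checkPassword(password).filter((r) => !r.met).map((r) => r.id);
  return { ok: failed.length === 0, failed };
}

// Browser side: re-render the checklist on every keystroke in the new-password field.
function attachStrengthFeedback(inputEl, listEl) {
  const render = () => {
    listEl.textContent = "";
    for (const r of checkPassword(inputEl.value)) {
      const li = document.createElement("li");
      li.className = r.met ? "met" : "unmet";
      li.textContent = `${r.met ? "\u2713" : "\u2717"} ${r.text}`;
      listEl.appendChild(li);
    }
  };
  inputEl.addEventListener("input", render);
  render(); // show the full list of requirements before the first keystroke
}

// Wire up when loaded in a page; element ids are assumed for this example.
if (typeof document !== "undefined") {
  const input = document.getElementById("new-password");
  const list = document.getElementById("password-rules");
  if (input && list) attachStrengthFeedback(input, list);
}
```

The "letters" requirement of the policy is satisfied by the combined lower and upper rules, so it has no separate entry. `validatePassword` is the gate to apply both on the normal change-password path and when a user has been flagged to change their password on next logon; `checkPassword` is the same rule set exposed per rule so the browser can render feedback without a second copy of the policy.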
Module:
Security
Summary:
Security Enhancements for the "Reset Password" process
Ticket:
https://bigdigit.atlassian.net/browse/SSO-114
Detail:
We do NOT show the username anywhere in the email that is sent to the user.
The token alone is enough to identify the user.
The following text is displayed at the bottom of the email:
“This link is only valid for 20 minutes.”
This encourages the user to complete the process promptly.
Because the reset token is temporary, a token sitting in a mailbox that is compromised later on is of no use (provided the attacker does not read it within the 20-minute window).
Once a user changes their password via the email link, we expire the link immediately.
If more than 20 minutes have passed since the user requested the password reset, we expire the link.
If the user clicks on a link that has expired or has already been used:
We show the following message: "Your reset link has expired or has already been used"
We do NOT show any information about the user that a potential attacker could use, e.g. the username.