Release - To be Defined
Module:
Security
Summary:
Support a stronger Password Policy in "IdentityServer"
Ticket:
https://bigdigit.atlassian.net/browse/SSO-56
Detail:
We now support a stronger Password Policy in "IdentityServer"
Password length: Minimum password length is 8 characters and a maximum of 256 characters.
Password complexity: Requires both upper and lowercase character and both letters and numbers.
Module:
Security
Summary:
Implement "Change Password On Next Logon" feature
Ticket:
https://bigdigit.atlassian.net/browse/SSO-58
Detail:
Ability to force specific users to reset their password the next time they login.
The new password they enter must match our stronger password policy.
Module:
Security
Summary:
Notify user client side on strength of new password
Ticket:
https://bigdigit.atlassian.net/browse/SSO-112
Detail:
When a user is resetting their password, they are notified client side on the strength of their new password as they type it in terms of meeting the requirements of our new Password Policy.
By doing this we will be assisting users in ensuring they enter a strong password BEFORE it is submitted server side similar to how Google does it.
Module:
Security
Summary:
Security Enhancements for the "Reset Password" process
Ticket:
https://bigdigit.atlassian.net/browse/SSO-114
Detail:
We do NOT show the username anywhere in the email that gets sent to the user.
A token is enough to identify the user.
The following text is displayed at the bottom of the email:
“This link is only valid for 20 minutes.”
This will encourage the user to take action to complete the process.
The temporary reset token also means that if the mailbox is hacked later on, the token is of no use any more.
Once a user changes their password via the email link – we expire the link immediately.
If the time period since the user requested the password reset exceeds 20 minutes - we expire the link immediately.
If the email link has expired and the user clicks on the link:
We will show the following message: "Your reset link has expired or has already been used"
We do NOT show any information about the user that a potential hacker could use - E.G username