Password Policy

Enhance the CMS Console security by ensuring strong password policy in C1 CMS.

A password policy combines a set of rules that enhance security in various systems by having users come up with, and use, strong passwords.

In C1 CMS version 4.3 or later, you can enhance the CMS Console security by applying one or more password policy rules, such as a minimum password length, password history, different character groups, and disallowing the username in the password (each is described below).

All the rules can be set in ~/App_Data/Composite/Composite.config below Composite.C1Console.Security.Plugins.PasswordPolicy/PasswordRules:

Each rule appears as an <add/> element where the name attribute specifies the rule's name and the type attribute the type that handles the rule. It also may include the rule's specific attributes.

<Composite.C1Console.Security.Plugins.PasswordPolicy passwordExpirationTimeInDays="0" passwordHistoryLength="0">
  <PasswordRules>
    <add name="MinimumLength" minLength="6" type="Composite.Plugins.Security.PasswordRules.MinimumLength.MinimumLengthPasswordRule, Composite" />
    <add name="EnforcePasswordHistory" type="Composite.Plugins.Security.PasswordRules.EnforcePasswordHistory.EnforcePasswordHistoryPasswordRule, Composite" />
    <!--add name="DifferentCharacterGroups" type="Composite.Plugins.Security.PasswordRules.DifferentCharacterGroups.DifferentCharacterGroupsPasswordRule, Composite" /-->
    <!--add name="DoNotUseUserName" type="Composite.Plugins.Security.PasswordRules.DoNotUseUserName.DoNotUseUserNamePasswordRule, Composite" /-->
  </PasswordRules>
</Composite.C1Console.Security.Plugins.PasswordPolicy>

Note. Every time you change a password rule by editing Composite.config, restart the server (Tools > Restart Server).
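As an added example (not code from the C1 CMS documentation or product), the following Python script parses the PasswordPolicy section of Composite.config shown above and reports which rules are active and which settings are still at their weakest defaults. The sample section text is constructed from the snippet above, and the 12-character floor used for the minimum-length finding is an assumption of this script, not a product requirement.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the PasswordPolicy section as it ships in Composite.config
# (two rules active, two commented out). Not copied from a live installation.
SAMPLE_POLICY = """<Composite.C1Console.Security.Plugins.PasswordPolicy passwordExpirationTimeInDays="0" passwordHistoryLength="0">
  <PasswordRules>
    <add name="MinimumLength" minLength="6" type="Composite.Plugins.Security.PasswordRules.MinimumLength.MinimumLengthPasswordRule, Composite" />
    <add name="EnforcePasswordHistory" type="Composite.Plugins.Security.PasswordRules.EnforcePasswordHistory.EnforcePasswordHistoryPasswordRule, Composite" />
    <!--add name="DifferentCharacterGroups" type="Composite.Plugins.Security.PasswordRules.DifferentCharacterGroups.DifferentCharacterGroupsPasswordRule, Composite" /-->
    <!--add name="DoNotUseUserName" type="Composite.Plugins.Security.PasswordRules.DoNotUseUserName.DoNotUseUserNamePasswordRule, Composite" /-->
  </PasswordRules>
</Composite.C1Console.Security.Plugins.PasswordPolicy>"""

# Assumed hardening threshold for this audit; the product default is 6.
RECOMMENDED_MIN_LENGTH = 12


def parse_policy(xml_text):
    """Return the expiration, history length and the active <add/> rules.

    Commented-out rules are XML comments, so the parser drops them and they
    correctly show up as inactive.
    """
    root = ET.fromstring(xml_text)
    rules = {}
    for add in root.iter("add"):
        attrs = dict(add.attrib)
        rules[attrs.pop("name")] = attrs   # remaining attrs: type, minLength, ...
    return {
        "expiration_days": int(root.get("passwordExpirationTimeInDays", "0")),
        "history_length": int(root.get("passwordHistoryLength", "0")),
        "rules": rules,
    }


def audit_policy(policy):
    """Return human-readable findings for settings left at their weakest."""
    findings = []
    if policy["expiration_days"] == 0:
        findings.append("passwordExpirationTimeInDays=0: passwords never expire")
    if policy["history_length"] == 0:
        findings.append("passwordHistoryLength=0: only the current password is blocked from reuse")
    rules = policy["rules"]
    min_len = int(rules.get("MinimumLength", {}).get("minLength", "0"))
    if min_len < RECOMMENDED_MIN_LENGTH:
        findings.append(
            f"MinimumLength={min_len}: below the assumed {RECOMMENDED_MIN_LENGTH}-character floor")
    for name in ("EnforcePasswordHistory", "DifferentCharacterGroups", "DoNotUseUserName"):
        if name not in rules:
            findings.append(f"{name}: rule is not active (missing or commented out)")
    return findings


if __name__ == "__main__":
    for line in audit_policy(parse_policy(SAMPLE_POLICY)):
        print(line)
```

Against the shipped defaults this reports five findings (no expiration, history length 0, minLength 6, and the two commented-out rules). To run it against a real file, parse the whole Composite.config and pass the PasswordPolicy section element's serialized text (ET.tostring) to parse_policy, since the section is nested inside the configuration root rather than being the document root.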

Password expiration

You can specify the password expiration time interval in days, for example, 30 days, after which the password will expire and the CMS Console user will be forced to change her or his password.

When trying to log in and entering the correct password that has expired, the user will be redirected to the Change Password page. If enabled, the other password policy rules will be applied to the new password.

The expiration time interval value is set in the passwordExpirationTimeInDays attribute of the <Composite.C1Console.Security.Plugins.PasswordPolicy> element.

<Composite.C1Console.Security.Plugins.PasswordPolicy 
    passwordExpirationTimeInDays="30" ...>
...
</Composite.C1Console.Security.Plugins.PasswordPolicy>

By default this value is set to 0, which means no password expiration.

Password history

Note. Starting from C1 CMS version 4.2 Update 2, all the passwords are stored as salted SHA256 hash values.

You can keep track of used passwords and specify how many of the most recently used passwords can't be reused when changing the password.

By default, the password history rule is enabled:

<PasswordRules>
	...
	<add name="EnforcePasswordHistory" 
		type="Composite.Plugins.Security.PasswordRules.EnforcePasswordHistory.EnforcePasswordHistoryPasswordRule, Composite" />
	...
</PasswordRules>

And by default, only the currently used password can't be reused when changing the password.

You can change the password history list's length - which is the minimum number of most recently used passwords not allowed for reuse - in the passwordHistoryLength attribute of the Composite.C1Console.Security.Plugins.PasswordPolicy element.

<Composite.C1Console.Security.Plugins.PasswordPolicy ... 
    passwordHistoryLength="10">
...
</Composite.C1Console.Security.Plugins.PasswordPolicy>

Note. When setting the history length value, note that the history list will include the currently used password, too. So by setting the length to 10, you'll actually get 11 recently used passwords: 10 + 1 (the current one).

By default this value is set to 0, which means the currently used password can't be reused.

Password length

By default, the password length rule is enabled and requires that the password is at least 6 characters long.

You can change this value to your own by setting the required number of characters in the minLength attribute of the corresponding "MinimumLength" rule.

<PasswordRules>
	<add name="MinimumLength" 
		minLength="16" 
		type="Composite.Plugins.Security.PasswordRules.MinimumLength.MinimumLengthPasswordRule, Composite" />
	...
</PasswordRules>

Different character groups

This rule ("DifferentCharacterGroups") requires using at least 3 out of the following 4 character groups when changing passwords:

  • lower-case letters (abc etc)
  • upper-case letters (ABC etc)
  • numeric characters (123 etc)
  • special characters (!@#$%&/=?_.,:;-\ etc)

By default this rule is disabled (commented out below <PasswordRules>). To enable the rule, uncomment it or add it anew as follows:

<PasswordRules>
    <add name="DifferentCharacterGroups"
        type="Composite.Plugins.Security.PasswordRules.DifferentCharacterGroups.DifferentCharacterGroupsPasswordRule, Composite" />
    ...
</PasswordRules>

Disallow using usernames in passwords

The "DoNotUseUserName" rule forbids using passwords that contain the username, for example, john / john123.

By default this rule is disabled (commented out below <PasswordRules>). To enable the rule, uncomment it or add it anew as follows:

<PasswordRules>
	<add name="DoNotUseUserName" 
		type="Composite.Plugins.Security.PasswordRules.DoNotUseUserName.DoNotUseUserNamePasswordRule, Composite" />
	...
</PasswordRules>
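The sections on password history, password length, different character groups and username reuse above describe what each rule accepts and rejects. As an added example (not C1 CMS's own code), the following Python module implements those four checks so a practitioner can try candidate passwords against them offline. The exact hashing layout (salt prepended to the UTF-8 password before SHA256), treating any ASCII punctuation as a "special" character, and comparing the username case-insensitively are assumptions of this example; the page only states that passwords are stored as salted SHA256 hashes and gives a few special characters as examples.

```python
import hashlib
import os
import string

# Assumption: every ASCII punctuation character counts as a "special" character.
SPECIALS = set(string.punctuation)


def minimum_length(password, min_length=6):
    """MinimumLength rule; the product default for minLength is 6."""
    return len(password) >= min_length


def different_character_groups(password, required=3):
    """DifferentCharacterGroups rule: at least 3 of the 4 groups must appear."""
    groups = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ]
    return sum(groups) >= required


def do_not_use_username(password, username):
    """DoNotUseUserName rule; comparison is case-insensitive here (assumption)."""
    return username.lower() not in password.lower()


class PasswordHistory:
    """EnforcePasswordHistory rule backed by salted SHA256 entries.

    The list holds the current password plus history_length previous ones,
    mirroring the "10 + 1" note in the documentation.
    """

    def __init__(self, history_length=0):
        self.history_length = history_length
        self._entries = []  # (salt, hex digest), oldest first

    @staticmethod
    def _digest(salt, password):
        # Assumed layout: SHA256(salt || password); the product's exact format is not documented here.
        return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

    def is_reused(self, password):
        return any(self._digest(salt, password) == digest for salt, digest in self._entries)

    def set_password(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(salt, password)))
        keep = self.history_length + 1          # current + N most recent previous
        del self._entries[:-keep]               # drop anything older than that


def validate_new_password(password, username, history, min_length=6,
                          require_groups=True, forbid_username=True):
    """Return the names of the rules the candidate password fails (empty list = accepted)."""
    failed = []
    if not minimum_length(password, min_length):
        failed.append("MinimumLength")
    if history.is_reused(password):
        failed.append("EnforcePasswordHistory")
    if require_groups and not different_character_groups(password):
        failed.append("DifferentCharacterGroups")
    if forbid_username and not do_not_use_username(password, username):
        failed.append("DoNotUseUserName")
    return failed


if __name__ == "__main__":
    # Constructed walk-through: history length 1 keeps the current and one previous password.
    hist = PasswordHistory(history_length=1)
    hist.set_password("First#Pass1")
    hist.set_password("Second#Pass2")
    print(validate_new_password("First#Pass1", "john", hist))    # ['EnforcePasswordHistory']
    hist.set_password("Third#Pass3")
    print(validate_new_password("First#Pass1", "john", hist))    # [] - aged out of the history
    print(validate_new_password("john123456", "john", hist))     # ['DifferentCharacterGroups', 'DoNotUseUserName']
```

The history class shows the off-by-one the documentation warns about: with passwordHistoryLength set to 1 the list holds two entries, so a password only becomes reusable once two newer ones have been set.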