Strengthen part of username and password creation process #2090

Open
danehrlich1 opened this Issue Jan 2, 2019 · 11 comments


danehrlich1 commented Jan 2, 2019

This file is called when a user begins setting up OpenEMR for the first time: https://github.com/openemr/openemr/blob/master/setup.php

Make the following happen via HTML5 attributes:

  • initial user password min length of 12
  • database password min length of 12

Also:

  • the "initial user" of "admin" is too easy to guess
  • write a PHP function (or JavaScript function, can be on the front end, that is fine) that generates 3 random letters + "-admin-" + 2 random numbers
  • e.g.: HLV-admin-87
  • then take this function's output and fill in the HTML for "initial user"
  • This will make brute-force attacks against the login page approximately 1,700,000 harder at no real cost to the user (50% less extra characters than SSN or Phone Number)
  • make the username a minimum of 12 characters as well to ensure if they don't go with our randomized suggestion they still pick something with some complexity (enforce with HTML5)
danehrlich1 commented Jan 2, 2019

openemr7

alpha-gamma commented Jan 2, 2019

I would like to take this up.

danehrlich1 commented Jan 2, 2019

Reserved for you for the next week.

Thanks @alpha-gamma

danehrlich1 commented Jan 2, 2019

@alpha-gamma Last thing. After you're done, if you enjoy working on this let us know. Can always create more issues like this that are meant for people new to the project.

alpha-gamma commented Jan 2, 2019

@danehrlich1 Should I update the help text message as well against the password fields?


bradymiller commented Jan 2, 2019

hi @alpha-gamma ,
Yes, I would do that also (btw @danehrlich1 is out of town for a couple of days, and I'm happy to answer any questions and review the code).
thanks, -brady

alpha-gamma commented Jan 2, 2019

@bradymiller Thanks for your input. I have created the PR.
I really enjoyed working on it and would like to contribute more to the project.

bradymiller commented Jan 2, 2019

Hi @alpha-gamma ,

Nice work on the above code, which I just brought into the codebase. Since we are here, the following would also make sense:

  • Add a duplicate entry for each of the 2 password entries.
  • Add real-time JS to ensure that the 2 passwords incorporate numbers/letters, are more than 12 chars, and match their duplicate.

If you don't want to work on this, just let me know, and I can point you to other things to work on (just let me know what you are interested in).

-brady

bradymiller reopened this Jan 2, 2019

alpha-gamma commented Jan 2, 2019

Yep, it totally makes sense. I can work on it.

For validation, do we check for numbers and letters only or should we include checks for uppercase and lowercase letters as well?

bradymiller commented Jan 2, 2019

Let's go all out and ensure both uppercase and lowercase letters :)
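An added example (not OpenEMR's code, and not from any participant in this thread) of the real-time checks discussed in the last few comments: a pure function that evaluates each rule separately (12+ characters, a lowercase letter, an uppercase letter, a digit, and agreement with the confirmation field) so the form can show exactly which rule is still failing, plus the matching HTML5 `minlength`/`pattern` attributes. The element ids `iuserpass`, `iuserpass2` and `iuserpass_status` are assumptions, not the real field names in setup.php.

```javascript
// Added example: real-time password rule checks for a setup form.
const PASSWORD_MIN_LENGTH = 12;

// One pattern usable both in JS and in the HTML5 `pattern` attribute:
// at least one lowercase, one uppercase, one digit, and 12+ characters.
// (The browser anchors `pattern` to the whole value automatically.)
const PASSWORD_PATTERN = '(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).{12,}';

// Evaluate every rule independently; `ok` is true only when all of them pass.
// Reporting rules separately lets the UI say what is missing instead of "invalid".
function checkPassword(password, confirmation) {
  const rules = {
    minLength: password.length >= PASSWORD_MIN_LENGTH,
    hasLower: /[a-z]/.test(password),
    hasUpper: /[A-Z]/.test(password),
    hasDigit: /[0-9]/.test(password),
    matchesConfirmation: password === confirmation,
  };
  return { ...rules, ok: Object.values(rules).every(Boolean) };
}

// HTML5 attributes for the password inputs: declarative enforcement that works
// even before the JS below runs (but is still no substitute for a server check).
function passwordInputAttributes() {
  return { minlength: PASSWORD_MIN_LENGTH, pattern: PASSWORD_PATTERN, required: 'required' };
}

// Browser wiring with hypothetical element ids: re-run the checks on every
// `input` event and use setCustomValidity so the form cannot submit while the
// two fields disagree. Returns false (does nothing) when there is no DOM.
function attachRealtimeValidation(pwId = 'iuserpass', confirmId = 'iuserpass2', statusId = 'iuserpass_status') {
  if (typeof document === 'undefined') return false;
  const pw = document.getElementById(pwId);
  const confirm = document.getElementById(confirmId);
  const status = document.getElementById(statusId);
  if (!pw || !confirm) return false;
  for (const [name, value] of Object.entries(passwordInputAttributes())) {
    pw.setAttribute(name, value);
  }
  const update = () => {
    const result = checkPassword(pw.value, confirm.value);
    confirm.setCustomValidity(result.matchesConfirmation ? '' : 'Passwords do not match');
    if (status) {
      status.textContent = Object.entries(result)
        .filter(([name]) => name !== 'ok')
        .map(([name, passed]) => `${name}: ${passed ? 'ok' : 'missing'}`)
        .join(', ');
    }
  };
  pw.addEventListener('input', update);
  confirm.addEventListener('input', update);
  return true;
}
```

Client-side checks like these only improve the experience; setup.php must apply the same rules server-side, because anything enforced in the browser can be skipped by posting the form directly.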

danehrlich1 commented Jan 20, 2019

@alpha-gamma How is this going?
