6.2.5. Password policies


6.2.5.1. General information

Depending on the infobase and on the user's access level, the requirements for password complexity, uniqueness, and lifetime may differ. For example, some users may be allowed simple passwords of a certain minimum length, while other users must use complex passwords with a limited lifetime.

For this purpose, 1C:Enterprise provides password policies. A password policy is a set of rules aimed at enhancing the infobase security by establishing requirements for user passwords.

You can set a password policy both for the entire infobase and for specific users. To configure a password policy for the entire infobase, use the dialog box for editing infobase parameters; its Password policies group contains the set of policy parameters. The same set of parameters is available from 1C:Enterprise language through the UserPasswordPolicy object, and in the dialog box each parameter is labeled with the name of the corresponding UserPasswordPolicy property.

6.2.5.2. Password policy parameters

Parameters that describe a user password policy:

Password complexity check (PasswordStrengthCheck) parameter

When this parameter is enabled, user passwords must meet the following requirements:

  • Password length must not be less than the Minimum password length parameter value.
  • Password must include characters from at least three of the following groups:
    • Uppercase letters
    • Lowercase letters
    • Digits
    • Special characters
  • Password must not match the username.
  • Password must not be an alphabetical sequence of characters.

Enabling these restrictions does not affect existing infobase user passwords: they are enforced only after the current password is changed or a new infobase user is added. However, passwords are verified at sign-in according to the current infobase settings. In particular, this means that passwords become case-sensitive as soon as Password complexity check is enabled.

For example, if the user password is PaSs and the Password complexity check parameter is disabled, the user can enter the password as pass, PASS, or PasS and still sign in. After the Password complexity check parameter is enabled, the user cannot sign in until they enter the case-sensitive password PaSs.

Minimum password length (PasswordMinLength) parameter

Defines the minimum length of a user password. If Password complexity check is enabled, the minimum length of the user password is 7 characters.

Maximum user password lifetime (PasswordMaxEffectivePeriod) parameter

Defines the period after which the user must change the password. The period is counted from the moment the current password is set and is specified in seconds.

A value of 0 means the parameter has no effect.

Minimum user password lifetime (PasswordMinEffectivePeriod) parameter

Defines the period during which the password cannot be changed after it is set. The period is counted from the moment the current password is set and is specified in seconds.

A value of 0 means the parameter has no effect.

Password expiration notification period (PasswordExpirationNotificationPeriod) parameter

Specifies the time interval before the current password expires during which the application notifies the user that the password must be changed. The interval is specified in seconds.

A value of 0 means the parameter has no effect.

Deny password reuse among recent ones (PasswordReuseLimit) parameter

Specifies how many of the user's most recent passwords are compared against a new password when its uniqueness is verified. For example, if the value is 5, the new password must not match any of the user's last 5 passwords.

A value of 0 means the parameter has no effect.

6.2.5.3. Password policy and 1C:Enterprise language

6.2.5.3.1. Changing the infobase password policy

A password policy can be applied to the infobase as a whole and to a specific user. To change the password policy parameters of the infobase, use the following 1C:Enterprise language methods:

  • Password complexity check. GetUserPasswordStrengthCheck()/SetUserPasswordStrengthCheck().
  • Minimum password length. GetUserPasswordMinLength()/SetUserPasswordMinLength().
  • Maximum user password lifetime. GetUserPasswordMaxEffectivePeriod()/SetUserPasswordMaxEffectivePeriod().
  • Minimum user password lifetime. GetUserPasswordMinEffectivePeriod()/SetUserPasswordMinEffectivePeriod().
  • Password expiration notification period. GetUserPasswordExpirationNotificationPeriod()/SetUserPasswordExpirationNotificationPeriod().
  • Deny password reuse among recent ones. GetUserPasswordReuseLimit()/SetUserPasswordReuseLimit().
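The following is an added example (not code from the 1C:Enterprise documentation) that uses the Get/Set methods listed above to bring the infobase-wide policy to a target configuration and returns the names of the parameters that actually changed. The target values and the 86400-second day constant are constructed for illustration; it is assumed that the caller has the Administration right.

```bsl
// Added example: apply a target infobase-wide password policy idempotently.
// All lifetimes are passed to the platform in seconds, hence the day constant.
Function ApplyInfobasePasswordPolicy() Export
	SecondsPerDay = 86400;
	Target = New Structure;
	Target.Insert("StrengthCheck", True);
	Target.Insert("MinLength", 12);                          // above the 7 implied by the complexity check
	Target.Insert("MaxEffectivePeriod", 90 * SecondsPerDay);  // rotate at least every 90 days
	Target.Insert("MinEffectivePeriod", 1 * SecondsPerDay);   // blocks rapid cycling through the reuse history
	Target.Insert("ExpirationNotificationPeriod", 7 * SecondsPerDay);
	Target.Insert("ReuseLimit", 10);

	Changed = New Array;   // names of parameters that were modified
	If GetUserPasswordStrengthCheck() <> Target.StrengthCheck Then
		SetUserPasswordStrengthCheck(Target.StrengthCheck);
		Changed.Add("PasswordStrengthCheck");
	EndIf;
	If GetUserPasswordMinLength() <> Target.MinLength Then
		SetUserPasswordMinLength(Target.MinLength);
		Changed.Add("PasswordMinLength");
	EndIf;
	If GetUserPasswordMaxEffectivePeriod() <> Target.MaxEffectivePeriod Then
		SetUserPasswordMaxEffectivePeriod(Target.MaxEffectivePeriod);
		Changed.Add("PasswordMaxEffectivePeriod");
	EndIf;
	If GetUserPasswordMinEffectivePeriod() <> Target.MinEffectivePeriod Then
		SetUserPasswordMinEffectivePeriod(Target.MinEffectivePeriod);
		Changed.Add("PasswordMinEffectivePeriod");
	EndIf;
	If GetUserPasswordExpirationNotificationPeriod() <> Target.ExpirationNotificationPeriod Then
		SetUserPasswordExpirationNotificationPeriod(Target.ExpirationNotificationPeriod);
		Changed.Add("PasswordExpirationNotificationPeriod");
	EndIf;
	If GetUserPasswordReuseLimit() <> Target.ReuseLimit Then
		SetUserPasswordReuseLimit(Target.ReuseLimit);
		Changed.Add("PasswordReuseLimit");
	EndIf;
	Return Changed;
EndFunction
```

Because existing passwords are not re-validated (see 6.2.5.2), the returned list is useful for logging which settings changed, not as proof that all current passwords comply.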

6.2.5.3.2. User password policy

To assign different policy sets to different users, use the policy management tools of 1C:Enterprise language. They are based on the UserPasswordPolicy object, whose properties match the parameters of the dialog box for editing infobase parameters. In addition, the UserPasswordPolicy object has the Name property, which specifies a unique policy name, and the Write() and Delete() methods, which save and delete the policy.

Access these tools through the UserPasswordPolicies global context property, which returns the user password policy manager. The manager lets you work with the password policies of the current infobase and check whether a password complies with a given policy. Manager methods are called as UserPasswordPolicies.Method(). The manager provides the following methods:

  • GetPolicies(). Returns an array of objects of the UserPasswordPolicy type that contains a list of saved policies.
  • FindByName(). Finds the user password policy with the specified name. Each policy has a unique name.
  • CreatePolicy(). Creates a new object of the UserPasswordPolicy type.
  • CheckPasswordComplianceWithPolicy(). Checks whether the password specified as a method parameter complies with the password policy.

The CheckPasswordComplianceWithPolicy() method takes the password to check as its required Password parameter. If no other parameters are specified, the password is checked against the password policy set for the entire infobase. If the Policy parameter is also passed, the password is checked against that policy. If the InfoBaseUser parameter is specified as well, the method additionally checks the password reuse restriction against that user's password history.

The method returns an array of PasswordPolicyComplianceCheckResult system enumeration values. An empty array means the password meets all requirements. Since a password can fail a policy for several reasons, the array lists every reason for non-compliance. The system enumeration has the following values:

  • DoesNotSatisfyMinLengthRequirements. The password is shorter than the minimum user password length (the Minimum password length/PasswordMinLength parameter).
  • DoesNotSatisfyReuseLimitRequirements. The password matches one of the user's recent passwords. The number of passwords checked is set in the policy settings (the Deny password reuse among recent ones/PasswordReuseLimit parameter).
  • DoesNotSatisfyComplexityRequirements. The password fails the password complexity check (the Password complexity check/PasswordStrengthCheck parameter).

To specify a password policy different from the infobase policy for a certain user:

  1. Create a new password policy with required settings. Save the policy in the infobase.
  2. Find a user by name or UUID.
  3. Set the created policy name to the PasswordPolicyName property of the InfoBaseUser object.
  4. Save the user in the infobase.

6.2.5.3.3. Setting a password change date
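The following added example (not code from the 1C:Enterprise documentation) carries out the four steps above for a named policy and also shows how CheckPasswordComplianceWithPolicy() is used to turn the returned enumeration values into readable reasons. The policy name, its settings, the user name and the assumption that FindByName() returns Undefined when nothing is found are all constructed for this example.

```bsl
// Added example: create or update a named policy, assign it to a user,
// and explain why a candidate password would be rejected under that policy.
Function EnsureStrictPolicy(PolicyName) Export
	Policy = UserPasswordPolicies.FindByName(PolicyName);   // assumed: Undefined if absent
	If Policy = Undefined Then
		Policy = UserPasswordPolicies.CreatePolicy();
		Policy.Name = PolicyName;                             // names must be unique
	EndIf;
	Policy.PasswordStrengthCheck = True;
	Policy.PasswordMinLength = 14;
	Policy.PasswordMaxEffectivePeriod = 60 * 86400;           // seconds: 60 days
	Policy.PasswordMinEffectivePeriod = 86400;                // seconds: 1 day
	Policy.PasswordExpirationNotificationPeriod = 7 * 86400;  // seconds: 7 days
	Policy.PasswordReuseLimit = 12;
	Policy.Write();                                           // step 1: save in the infobase
	Return Policy;
EndFunction

Procedure AssignPolicyToUser(UserName, PolicyName) Export
	User = InfoBaseUsers.FindByName(UserName);                // step 2: find the user
	If User = Undefined Then
		Raise "Infobase user not found: " + UserName;
	EndIf;
	User.PasswordPolicyName = PolicyName;                     // step 3: bind the policy by name
	User.Write();                                             // step 4: save the user
EndProcedure

// Returns readable reasons; an empty array means the password is acceptable.
// Passing the user makes the reuse history part of the check.
Function PasswordRejectionReasons(Password, Policy, User) Export
	Reasons = New Array;
	Result = UserPasswordPolicies.CheckPasswordComplianceWithPolicy(Password, Policy, User);
	For Each Item In Result Do
		If Item = PasswordPolicyComplianceCheckResult.DoesNotSatisfyMinLengthRequirements Then
			Reasons.Add("Shorter than " + String(Policy.PasswordMinLength) + " characters");
		ElsIf Item = PasswordPolicyComplianceCheckResult.DoesNotSatisfyComplexityRequirements Then
			Reasons.Add("Needs 3 of 4 character groups, must not equal the user name or be an alphabetical sequence");
		ElsIf Item = PasswordPolicyComplianceCheckResult.DoesNotSatisfyReuseLimitRequirements Then
			Reasons.Add("Matches one of the last " + String(Policy.PasswordReuseLimit) + " passwords");
		EndIf;
	EndDo;
	Return Reasons;
EndFunction

// Usage (constructed names): Policy = EnsureStrictPolicy("StrictAuditors");
// AssignPolicyToUser("Auditor", "StrictAuditors");
// Reasons = PasswordRejectionReasons("abcdefg", Policy, InfoBaseUsers.FindByName("Auditor"));
```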

The object that describes an infobase user has properties related to user password policies. These properties include:

  • PasswordSettingDate. If the user has the Administration right, this property returns the date and time when the password was last set. Otherwise, it contains an empty date.
  • WritablePasswordSettingDate. Allows you to set the password change date and time explicitly.

Let us take a look at how you can set a value for the PasswordSettingDate property:

  • The WritablePasswordSettingDate property is changed:
    • Data is written on behalf of a user with the Administration right:
      • The PasswordSettingDate property is set to the WritablePasswordSettingDate property value.
    • Data is written on behalf of a user without the Administration right (a new user is created, or the data of the user executing the 1C:Enterprise language code is changed):
      • If the password is changed or a new user is written, the PasswordSettingDate property is set to the date and time when the InfoBaseUser object was written.
  • The WritablePasswordSettingDate property is not changed:
    • If the password is changed, the PasswordSettingDate property is set to the date and time when the InfoBaseUser object was written.

Note that the PasswordSettingDate property of the object in memory does not change when one of the following properties is modified before the InfoBaseUser object is written: Password, StoredPasswordValue, or WritablePasswordSettingDate. To get the actual password change date after the object is written, obtain the object from the user list again (reread the user information).
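The added example below (not code from the 1C:Enterprise documentation) changes a user's password, rereads the user to obtain the real PasswordSettingDate as the note above requires, and derives the expiration date from the lifetime that applies to that user (the named user policy if one is assigned, otherwise the infobase setting). It assumes the caller has the Administration right, that FindByName() returns Undefined for a missing policy, and that UserName and NewPassword are supplied by the caller.

```bsl
// Added example: set a password and report when it was set and when it expires.
Function ChangePasswordAndGetExpiry(UserName, NewPassword) Export
	User = InfoBaseUsers.FindByName(UserName);
	If User = Undefined Then
		Raise "Infobase user not found: " + UserName;
	EndIf;
	User.Password = NewPassword;   // write-only; the platform stores only the hash
	User.Write();

	// The in-memory object still carries the old PasswordSettingDate: reread the user.
	User = InfoBaseUsers.FindByName(UserName);
	SetDate = User.PasswordSettingDate;   // empty date if the caller lacks Administration

	// Applicable maximum lifetime in seconds: user policy first, infobase policy otherwise.
	MaxPeriod = GetUserPasswordMaxEffectivePeriod();
	If Not IsBlankString(User.PasswordPolicyName) Then
		Policy = UserPasswordPolicies.FindByName(User.PasswordPolicyName);
		If Policy <> Undefined Then
			MaxPeriod = Policy.PasswordMaxEffectivePeriod;
		EndIf;
	EndIf;

	Info = New Structure;
	Info.Insert("PasswordSettingDate", SetDate);
	Info.Insert("MaxEffectivePeriodSeconds", MaxPeriod);
	If MaxPeriod = 0 Then
		Info.Insert("ExpiresOn", Undefined);          // 0 means the lifetime limit is off
	Else
		Info.Insert("ExpiresOn", SetDate + MaxPeriod);  // Date plus seconds
	EndIf;
	Return Info;
EndFunction
```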

6.2.5.3.4. Setting user password

To set a user password, you can use the following properties of the InfoBaseUser object:

  • Password. Sets a new user password. This property is write-only.
  • StoredPasswordValue. Contains the user password hash. This property is readable and writable. Note that the password cannot be recovered from the hash. Use this property when you need to copy the current user list, with passwords, to another infobase.

If both the Password and StoredPasswordValue properties are set when the InfoBaseUser object is written, the Password value is written to the infobase and the StoredPasswordValue value is ignored: it is replaced with the hash of the Password value. If only the StoredPasswordValue property is changed when the InfoBaseUser object is written, that value is written to the infobase.
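The following added example (not code from the 1C:Enterprise documentation) shows the copy scenario mentioned above: users are exported with their hashes and recreated in another infobase by writing StoredPasswordValue only, so no plaintext password is ever handled and the hash is not overwritten by a Password assignment. It assumes that the export runs with the Administration right (so PasswordSettingDate is readable), that the import procedure runs in the target infobase, and that any referenced password policy already exists there.

```bsl
// Added example: move users between infobases by password hash, not by password.
Function ExportUsersWithHashes() Export
	Rows = New Array;
	For Each User In InfoBaseUsers.GetUsers() Do
		Row = New Structure;
		Row.Insert("Name", User.Name);
		Row.Insert("FullName", User.FullName);
		Row.Insert("StoredPasswordValue", User.StoredPasswordValue);  // hash only
		Row.Insert("PasswordPolicyName", User.PasswordPolicyName);
		Row.Insert("PasswordSettingDate", User.PasswordSettingDate);  // keeps password age for expiry
		Rows.Add(Row);
	EndDo;
	Return Rows;
EndFunction

Procedure ImportUsersWithHashes(Rows) Export
	For Each Row In Rows Do
		User = InfoBaseUsers.FindByName(Row.Name);
		If User = Undefined Then
			User = InfoBaseUsers.CreateUser();
			User.Name = Row.Name;
		EndIf;
		User.FullName = Row.FullName;
		// Set StoredPasswordValue only; also setting Password would replace it with a new hash.
		User.StoredPasswordValue = Row.StoredPasswordValue;
		User.PasswordPolicyName = Row.PasswordPolicyName;
		// Preserve the original setting date so the maximum lifetime is not silently reset.
		User.WritablePasswordSettingDate = Row.PasswordSettingDate;
		User.Write();
	EndDo;
EndProcedure
```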
