Hi All,
As a part of PCI DSS version 2.0 compliance there are some features available OOTB in OFBiz. These features will help organizations using OFBiz to get PCI compliance of the application. However, there are many more features that are required to be built within OFBiz. One such comprehensive feature is "Password Management". Some of the broad requirements from the PCI DSS perspective for this specific feature are:

- Verify user identity before performing password resets.
- Set passwords for first-time use and resets to a unique value for each user and change immediately after the first use.
- Change user passwords at least every 90 days.
- Require a minimum password length of at least seven characters.
- Use passwords containing both numeric and alphabetic characters.
- Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
- Set the lockout duration to a minimum of 30 minutes or until the administrator enables the user ID.

Password Management is not available OOTB in OFBiz. The plan is to build this feature and get this implemented in OFBiz. I was looking at the various Password Management features available in Apache products. A few are:

1) http://archiva.apache.org/docs/1.1.3/adminguide/customising-security.html
2) https://cwiki.apache.org/SYNCOPE/policies.html

Would like to hear from all of you on what will be the best approach in building this feature called "Password Management" in OFBiz.

-- Gaurav

=====-----=====-----=====
Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you
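The policy rules listed in the post, as a worked example added here (not code from OFBiz or from anyone in the thread): salted PBKDF2 storage, a seven-character alphanumeric minimum, a four-password history, 90-day expiry, one-shot first-use/reset values and a 30-minute lockout. The six-failure lockout threshold is an assumption, since the post names none; identity verification before a reset is left to the caller.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

MIN_LENGTH, HISTORY_DEPTH = 7, 4                      # values quoted in the post
MAX_AGE, LOCKOUT = 90 * 86400, 30 * 60                # 90 days and 30 minutes, in seconds
MAX_FAILURES = 6                                      # assumption: the post gives no attempt threshold

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)  # salted, history stays hashed

def complexity_errors(password):
    # Length, alphabetic and numeric rules, reported together so the user fixes all at once
    checks = [(len(password) >= MIN_LENGTH, "shorter than %d characters" % MIN_LENGTH),
              (any(c.isalpha() for c in password), "no alphabetic character"),
              (any(c.isdigit() for c in password), "no numeric character")]
    return [msg for ok, msg in checks if not ok]

@dataclass
class Account:
    history: list = field(default_factory=list)       # newest first: (salt, digest)
    changed_at: float = 0.0                           # epoch seconds of the last change
    must_change: bool = True                          # first-use / reset values are one-shot
    failures: int = 0
    locked_until: float = 0.0

def set_password(acct, password, now, temporary=False):
    errors = complexity_errors(password)
    if any(hash_password(password, s) == d for s, d in acct.history[:HISTORY_DEPTH]):
        errors.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    if errors:
        return errors
    salt = os.urandom(16)
    acct.history.insert(0, (salt, hash_password(password, salt)))
    del acct.history[HISTORY_DEPTH:]                  # keep only the last four
    acct.changed_at, acct.must_change, acct.failures = now, temporary, 0
    return []

def authenticate(acct, password, now):
    if now < acct.locked_until:
        return "locked"                               # 30-minute lockout still running
    salt, digest = acct.history[0]
    if not hmac.compare_digest(hash_password(password, salt), digest):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT
        return "bad_password"
    acct.failures = 0
    if acct.must_change:
        return "must_change"                          # caller must force a new password
    return "expired" if now - acct.changed_at > MAX_AGE else "ok"
```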
Actually, OFBiz already supports this stuff and has been through many different PCI audits. As a starting point, for configuration options see the security.properties file.

-David

On Jul 3, 2012, at 5:16 AM, Gaurav23 A wrote:

> Hi All,
>
> As a part of PCI DSS version 2.0 compliance there are some features available OOTB in OFBiz. These features will help organizations using OFBiz to get PCI compliance of the application. However, there are many more features that are required to be built within OFBiz. One such comprehensive feature is "Password Management". Some of the broad requirements from the PCI DSS perspective for this specific feature are:
>
> - Verify user identity before performing password resets.
> - Set passwords for first-time use and resets to a unique value for each user and change immediately after the first use.
> - Change user passwords at least every 90 days.
> - Require a minimum password length of at least seven characters.
> - Use passwords containing both numeric and alphabetic characters.
> - Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
> - Set the lockout duration to a minimum of 30 minutes or until the administrator enables the user ID.
>
> Password Management is not available OOTB in OFBiz. The plan is to build this feature and get this implemented in OFBiz. I was looking at the various Password Management features available in Apache products. A few are:
>
> 1) http://archiva.apache.org/docs/1.1.3/adminguide/customising-security.html
> 2) https://cwiki.apache.org/SYNCOPE/policies.html
>
> Would like to hear from all of you on what will be the best approach in building this feature called "Password Management" in OFBiz.
>
> -- Gaurav