Magento – Magento Plugin Password Policy

extensionsmagento2passwordSecurity

Is there any magento plugin that has the features below:

force the user changed password in every 90 days.
change password must required min 8 char

Best Answer

Password lifetime

This is a standard feature of Magento 2 (CE + EE). In the system configuration there is a section for "security" (see "Advanced" > "Admin") where you can define the Password Lifetime in days (for example 90) and set the password change behaviour (forced or recommended).

Password length

The current minimum password length for admin users is 7 characters.

As far as I know there is currently no extension that sets the minimum password length to 8.

Related Solutions

Magento – password protection

You can write a small custom extension that checks if the user has permission to access the site.

Your config.xml would look something like this

<?xml version="1.0"?>
<config>
   <modules>
      <[Namespace]_[Module]>
         <version>1.0.0</version>
      </[Namespace]_[Module]>
   </modules>
   <global>
      <models>
         <[module]>
            <class>[Namespace]_[Module]_Model</class>
         </[module]>
      </models>
      <events>
         <controller_front_init_before>
            <observers>
               <[namespace]_[module]_access_observer>
                  <type>singleton</type>
                  <class>[Namespace]_[Module]_Model_Observer</class>
                  <method>checkAccess</method>
               </[namespace]_[module]_access_observer>
            </observers>
         </controller_front_init_before>
      </events>
   </global>
</config>

And your observer class something like this

class [Namespace]_[Module]_Model_Observer
{
   public function checkAccess()
   {
      $adminurl = (string)Mage::getConfig()->getNode('admin/routers/adminhtml/args/frontName');

      $urlstring = Mage::helper('core/url')->getCurrentUrl();
      $url = Mage::getSingleton('core/url')->parseUrl($urlstring);

      if (strstr($url->path, "/{$adminurl}"))   return $this; // this is the admin section

      // get admin session
      Mage::getSingleton('core/session', array('name' => 'adminhtml'))->start();

      $admin_logged_in = Mage::getSingleton('admin/session', array('name' => 'adminhtml'))->isLoggedIn();

      // return to frontend section
      Mage::getSingleton('core/session', array('name' => 'frontend'))->start();

      if (!$admin_logged_in)
      {
         die('No access!');
      }
   }
}

Magento – How to Force Admin User to Change Password

I went into one of our Enterprise installs to check this.

In app/code/core/Enterprise/Pci/Model/Observer.php there is a function called adminAuthenticate in the Observer.

public function adminAuthenticate($observer)
{

First, it updates the locking information:

    // update locking information regardless whether user locked or not
    if ((!$authResult) && ($user->getId())) {
        $now = time();
        $lockThreshold = $this->getAdminLockThreshold();
        $maxFailures = (int)Mage::getStoreConfig('admin/security/lockout_failures');
        if (!($lockThreshold && $maxFailures)) {
            return;
        }
        $failuresNum = (int)$user->getFailuresNum() + 1;
        if ($firstFailureDate = $user->getFirstFailure()) {
            $firstFailureDate = new Zend_Date($firstFailureDate, Varien_Date::DATETIME_INTERNAL_FORMAT);
            $firstFailureDate = $firstFailureDate->toValue();
        }

Then it determines if the admin account is locked out by checking the lockExpires field from admin_user against the current time.

    // check whether user is locked
    if ($lockExpires = $user->getLockExpires()) {
        $lockExpires = new Zend_Date($lockExpires, Varien_Date::DATETIME_INTERNAL_FORMAT);
        $lockExpires = $lockExpires->toValue();
        if ($lockExpires > time()) {
            throw new Mage_Core_Exception(
                Mage::helper('enterprise_pci')->__('This account is locked.'),
                self::ADMIN_USER_LOCKED
            );
        }
    }

Then it pulls the latest password and checks to see if the admin has to complete a forced password change.

$latestPassword = Mage::getResourceSingleton('enterprise_pci/admin_user')->getLatestPassword($user->getId());
    if ($latestPassword) {
        if ($this->_isLatestPasswordExpired($latestPassword)) {
            if ($this->isPasswordChangeForced()) {
                $message = Mage::helper('enterprise_pci')->__('Your password has expired, you must change it now.');
            } else {
                $myAccountUrl = Mage::getSingleton('adminhtml/url')->getUrl('adminhtml/system_account/');
                $message = Mage::helper('enterprise_pci')->__('Your password has expired, please <a href="%s">change it</a>.', $myAccountUrl);
            }
            Mage::getSingleton('adminhtml/session')->addNotice($message);
            if ($message = Mage::getSingleton('adminhtml/session')->getMessages()->getLastAddedMessage()) {
                $message->setIdentifier('enterprise_pci_password_expired')->setIsSticky(true);
                Mage::getSingleton('admin/session')->setPciAdminUserIsPasswordExpired(true);
            }
        }
    }

If the getPciAdminUserIsPasswordExpired session variable is set, then it is caught in the forceAdminPasswordChange function in controller_action_predispatch.

public function forceAdminPasswordChange($observer)
{
    if (!$this->isPasswordChangeForced()) {
        return;
    }
    $session = Mage::getSingleton('admin/session');
    if (!$session->isLoggedIn()) {
        return;
    }
    $actionList = array('adminhtml_system_account_index', 'adminhtml_system_account_save',
        'adminhtml_index_logout');
    $controller = $observer->getEvent()->getControllerAction();
    if (Mage::getSingleton('admin/session')->getPciAdminUserIsPasswordExpired()) {
        if (!in_array($controller->getFullActionName(), $actionList)) {
            if (Mage::getSingleton('admin/session')->isAllowed('admin/system/myaccount')) {
                $controller->getResponse()->setRedirect(Mage::getSingleton('adminhtml/url')
                        ->getUrl('adminhtml/system_account/'));
                $controller->setFlag('', Mage_Core_Controller_Varien_Action::FLAG_NO_DISPATCH, true);
                $controller->setFlag('', Mage_Core_Controller_Varien_Action::FLAG_NO_POST_DISPATCH, true);
            } else {
                /*
                 * if admin password is expired and access to 'My Account' page is denied
                 * than we need to do force logout with error message
                 */
                Mage::getSingleton('admin/session')->unsetAll();
                Mage::getSingleton('adminhtml/session')->unsetAll();
                Mage::getSingleton('adminhtml/session')->addError(
                    Mage::helper('enterprise_pci')->__('Your password has expired, please contact administrator.')
                );
                $controller->getRequest()->setDispatched(false);
            }
        }
    }

If the Admin user has a forced password flag set and is allowed to access My Account then they'll be able to update their password themselves. If not, then they'll be logged out with the message Your password has expired, please contact administrator.

Best Answer

Related Solutions

Magento – password protection

Magento – How to Force Admin User to Change Password

Related Topic