Subject: Adding extra security to Firebird logins.
Author: norgepaul
Hi,

We have a customer that has a whole bunch of security demands for our
Firebird powered application. I know it's a long shot, but can
anybody tell me whether or not the following demands (or some of them)
are possible by manipulating security.fdb or if any of the features
have been implemented in FB1.5 (Encrypted passwords?).

Any ideas would be much appreciated.

The demands are:

o Passwords shall be encrypted during transmission.
o Accounts that become inactive or unused must be suspended after
sixty (60) days, and, if they remain inactive, deleted after ninety
(90) days.
o Users shall be provided, initially and on a reset, with a temporary
password that they are required to change immediately. In order to
ensure calls for password reset are valid, users' identities must be
verified using information about the user that only the user would
know. Temporary passwords must be conveyed to users in a secure
manner.
o The number of unsuccessful logon attempts must be limited to five
(5) logins. After 5 consecutive unsuccessful logon attempts: 1)
record the unsuccessful attempt; and 2) inactivate the account for an
automated timeout/reset period of 30 minutes or greater, or in a
manner that requires a manual reset by the system administrator.
o Passwords must have a minimum length of eight (8) characters.
o Passwords must not contain more than two consecutive identical
characters.
o Passwords must not be reused for at least six (6) generations
(consecutive changes).
o Passwords must be changed when the system prompts, or at least
every sixty (60) days if the system does not prompt for a change.
Applications that utilize two-factor authorization are not required
to expire on a pre-defined schedule.
o An effective password management system or equivalent password
management methodology must be used to authenticate users.

Cheers,
Paul
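As an added illustration (not from the post, and not Firebird's own code): several of the listed demands are policy rules the application can enforce on its side of the login, independent of what security.fdb supports. The block below implements the 8-character minimum, the "no more than two consecutive identical characters" rule, the six-generation reuse check against stored salted hashes, and the five-failures-then-30-minute-lockout rule with a record of every failed attempt. The function names, the choice of PBKDF2 for the stored hashes and the simulated clock in `lockout_demo` are assumptions made for this example.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH, HISTORY_DEPTH = 8, 6               # 8+ chars; no reuse for 6 generations
MAX_FAILED, LOCKOUT = 5, timedelta(minutes=30)  # 5 strikes, then a 30-minute lock

def hash_password(password: str, salt: bytes = b"") -> bytes:
    salt = salt or os.urandom(16)               # fresh random salt per password
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def matches(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)

def check_policy(password: str, history: list) -> list:
    """Rules the new password violates (an empty list means it is accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if re.search(r"(.)\1\1", password):          # three identical chars in a row
        problems.append("more than two consecutive identical characters")
    if any(matches(password, h) for h in history[-HISTORY_DEPTH:]):
        problems.append("reused within the last 6 generations")
    return problems

@dataclass
class LoginState:
    failed: int = 0                # consecutive failures since the last success
    locked_until: datetime = None
    log: list = field(default_factory=list)   # record of unsuccessful attempts

def record_login(state: LoginState, success: bool, now: datetime) -> bool:
    """Five consecutive failures lock the account for 30 minutes."""
    if state.locked_until and now < state.locked_until:
        return False                            # still locked: reject outright
    if success:
        state.failed = 0
        return True
    state.failed += 1
    state.log.append((now, f"failed attempt {state.failed}"))
    if state.failed >= MAX_FAILED:
        state.locked_until, state.failed = now + LOCKOUT, 0
    return False

def lockout_demo() -> tuple:   # 5 bad logins, a good one at +1 min, one at +31 min
    s, t0 = LoginState(), datetime(2024, 1, 1, 9, 0)
    for i in range(MAX_FAILED):
        record_login(s, False, t0 + timedelta(seconds=i))
    return (record_login(s, True, t0 + timedelta(minutes=1)),
            record_login(s, True, t0 + timedelta(minutes=31)), len(s.log))
```

The history list holds only salted hashes, so the reuse check never requires keeping old passwords in clear; the 60-day expiry and inactivity rules would be a timestamp comparison on the same per-user record.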