Sitecore Ordercloud

Configuring Custom Password Security

Suggest an edit
Miranda Posthumus

Updated by Miranda Posthumus

March 1st, 2021

As part of our ongoing commitment to security we have released an enhanced password security feature to give you greater control over password requirements for users of your applications. This guide will walk you through the new model properties and provide details on how to configure them.

The release of the new feature will be followed by an OrderCloud-wide enforcement of a more secure password policy than the one that exists today. This is a planned change that encompasses the latest recommendations from security industry experts. This change may impact your users when they attempt to login or change their password; it is important that you implement password configurations and test your applications against the forthcoming policy to make any necessary updates to your code prior to enforcement on June 1, 2021.

New Minimum Password Requirements

Beginning on June 1, 2021 OrderCloud will enforce the following minimum password requirements for all users in all applications. These new requirements were applied immediately to any marketplace created after March 1, 2021:

  • Minimum length 10 characters
  • 1 uppercase character (A-Z)
  • 1 lowercase character (a-z)
  • 1 digit (0-9)
  • 10 allowed failed authentication attempts followed by a 2 minute lockout period

You can configure your own custom minimum password requirements as long as they meet the following guidelines:

  • Minimum length 10 characters
  • At least 3 of the following:
    • 1 uppercase character (A-Z)
    • 1 lowercase character (a-z)
    • 1 digit (0-9)
    • 1 special character (!@#$%^&*, etc.)

In addition, the following rule applies (if not otherwise configured):

  • 10 allowed failed authentication attempts followed by a 2 minute lockout period

Exploring the new Model Properties

Every security profile has a PasswordConfig object available on it. In order to enforce a minimum password configuration for all users assigned to that security profile, you just need to populate the values with your desired password policy.

  • MinimumCharacterCount (int) - The minimum length of a password.
  • NumericRequired (bool) - Require at least 1 digit (0-9).
  • SpecialCharacterRequired (bool) - Require at least 1 special character (!@#$%^&*, etc.)
  • LowerCaseRequired (bool) - Require at least 1 lower case character.
  • UpperCaseRequired (bool) - Require at least 1 uppercase character.
  • AllowedFailedAttempts (int?) - The number of failed attempts (1-9) before the account is Locked for the LockoutDuration.
  • LockoutDuration (int?) - The number of minutes (between 10-1440) an account is locked after AllowedFailedAttempts is reached.
  • MaximumPasswordAge (int?) - The maximum number of days (between 1-365) allowed to pass before a user will be forced to change their password.
  • MinimumPasswordAge (int?) - The minimum number of minutes (between 0-60) allowed between changing passwords. Most often used in conjunction with LimitPasswordReuse to prevent a user from changing their password many times in a row to effectively use the same password over and over.
  • LimitPasswordReuse (int?) - The number of passwords, including the current password, that are blocked from reuse. For example, if set to 1, any password except the current one can be reused.
  • MaxConsecutiveDupeChars (int?) - The maximum number of consecutive repeating characters (between 0-24) in a password. If set to 2, a password of “sk8jyyy1!” would be invalid due to having 3 consecutive “y” characters.

Creating and testing your first Security Profile PasswordConfig

The security profile created in the snippet below meets all of the new minimum password security requirements that will be enforced beginning June 1, 2021.

POST v1/securityprofiles
{
  "ID":"password-config",
  "Name":"Password Config Profile",
  "Roles":[],
  "CustomRoles":[],
  "PasswordConfig": {
      "MinimumCharacterCount":10,
      "NumericRequired": true,
      "UpperCaseRequired": true,
      "SpecialCharacterRequired": true
    }
  }
}

Before you assign your new profile to an organization, group, or user, make sure you have a user created with a password that does not meet the new requirements. Once you have that information attempt to authenticate as that user via POST oauth/token, you will receive 400 error back from OrderCloud with information on this specific user's minimum password requirements. You'll need to handle this error and display the information to the user and direct them to go through the normal password reset flow.

{
	"error": "invalid_grant",
	"error_description": "Password does not meet security requirements.",
	"Errors": [
        {
            "ErrorCode": "PasswordReset.InsecurePassword",
            "Message": "Password does not meet security requirements.",
            "Data": {
	        "MinimumCharacterCount": 10,
                "UpperCaseRequired": true,
                "SpecialCharacterRequired": true,
                "NumericRequired": true
            }
        }
    ]
}

When a user is going through the password reset flow by calling PUT v1/password/reset/{verificationCode}, a similar error will be returned that you can reference and display in a friendly manner to the user.

If you want one profile to manage your password configuration settings separate from your profiles that manage roles, it's perfectly valid to create a security profile without roles and then assign it to all of the organizations in your marketplace. You may also choose to build the configs directly into existing security profiles by calling PATCH v1/securityprofiles/{securityprofileID} with a corresponding request body.

There is no limit on the number of security profiles with password configurations you can have. Be sure to check out the section below for information on what happens if a user is assigned multiple security profiles with different password configurations.

Things to note

  • If your PasswordConfig options are not set, or are less secure than OrderCloud’s minimum requirements (see below), the OrderCloud minimum requirements, once in effect, will supersede your configuration and be applied instead.
  • If a user is assigned to more than one security profile containing different PasswordConfig options, the configurations will be combined, and the strictest options will apply. Here's an example to help you get an idea of how this works in practice:

SecurityProfile1 has the following configuration:

{
    "PasswordConfig": {
	    "MinimumCharacterCount":10,
	    "MaxConsecutiveDupeChars": 1
    } 
}

SecurityProfile2 has a different configuration:

{
    "PasswordConfig": {
	    "MinimumCharacterCount":12,
	    "MaxConsecutiveDupeChars": 3
    } 
}

If both security profiles are assigned to the same user (or any group or organization they belong to), the actual values that apply to the user are the combined most restrictive configuration values from all assigned security profiles, which are:

{
    "PasswordConfig": {
	    "MinimumCharacterCount":12,
	    "MaxConsecutiveDupeChars": 1
    } 
}