Stricter password policy (#648272)

The default password policy which applies to passwords used to log in to the Web Client and CM/Track is stricter now. By default, passwords must contain the following:

- a minimum length of 7 characters
- at least one capital letter
- at least one small letter
- at least one number

The regular expression in the system property policy.password.pattern from the module cmas-core-security has been updated accordingly. It is now ^(?=.*[0-9])(?=.*[A-Z])(?=.*[a-z]).{7,}$.

This value is set automatically for new systems and for updated systems which did not have this property or had this property with the previous default value (^.{3,}$). The property is not modified for systems which already had a custom password policy.
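The following is an added illustration, not ConSol CM code, of how the new pattern behaves and of the update rule described above. It assumes the policy regex is applied to the whole password, as Java's String.matches() does; the passwords and the property values fed in are constructed here for the example.

```python
import re
from typing import Dict, Iterable, Optional

# The two default values of policy.password.pattern named in the release note.
OLD_DEFAULT_PATTERN = r"^.{3,}$"
NEW_DEFAULT_PATTERN = r"^(?=.*[0-9])(?=.*[A-Z])(?=.*[a-z]).{7,}$"


def password_matches(pattern: str, password: str) -> bool:
    """True if the password satisfies the policy regex.

    re.fullmatch requires the entire string to match, which mirrors Java's
    String.matches(). re.match with a '$' anchor is NOT equivalent: '$' also
    matches before a trailing newline, so 'Abcdef1\n' would slip through.
    """
    return re.fullmatch(pattern, password) is not None


def password_matches_loose(pattern: str, password: str) -> bool:
    """Deliberately looser variant (re.match) to show the trailing-newline pitfall."""
    return re.match(pattern, password) is not None


def migrated_pattern(current: Optional[str]) -> str:
    """Apply the update rule from the release note to one system's property.

    Missing property or the previous default -> new default.
    Any other (custom) value is left untouched.
    """
    if current is None or current == OLD_DEFAULT_PATTERN:
        return NEW_DEFAULT_PATTERN
    return current


def check_passwords(pattern: str, passwords: Iterable[str]) -> Dict[str, bool]:
    """Evaluate several candidate passwords against one pattern."""
    return {pw: password_matches(pattern, pw) for pw in passwords}


if __name__ == "__main__":
    # Constructed sample passwords: each misses exactly one requirement
    # except the last two, which satisfy all of them.
    samples = ["abcdef1", "ABCDEF1", "Abcdefg", "Ab1", "Abcdef1", "Passw0rd"]
    for pw, ok in check_passwords(NEW_DEFAULT_PATTERN, samples).items():
        print(f"{pw!r:12} -> {'accepted' if ok else 'rejected'}")
    for value in (None, OLD_DEFAULT_PATTERN, r"^.{10,}$"):
        print(f"property {value!r:40} -> {migrated_pattern(value)}")
```

The loose variant is included only to make the anchoring difference visible; a policy check should always use whole-string matching so that a newline or other trailing character cannot satisfy the length requirement without being part of the password that is actually stored.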

The message which is displayed when a user tries to set a password which does not match the defined pattern in the Web Client can now be customized. The new label cmweb.auth.password.validation.failed has been added for this purpose. If the password policy has been adapted to the new default value, the value of the label is Please choose a password with a higher complexity. By default passwords should have a minimum length of 7 and use at least one capital letter, one small letter and one number. If the password policy has not been updated, the label is Please choose a password with a higher complexity.

For CM/Track, the message is defined in the client configuration, in the attribute password.pattern.violated of the public.json file.

The validation messages are displayed only when users change their own passwords in the Web Client and CM/Track. If you update the password of a user in the Web Admin Suite or Admin Tool, the policy is not enforced, so you must make sure yourself that the password complies with it.

The password policy is not applied to passwords for CM/Track which are set on the contact page in the Web Client.

Update procedure

After updating ConSol CM, please check the property. If desired, adapt it to your needs and modify the label accordingly.

The existing passwords of the users remain valid even if they do not comply with the new password policy. The policy is only checked when the users change their passwords, e.g. because the passwords expire after a certain time period.