This article covers Hippo CMS version 7.7. There's an updated version available that covers our most recent release.

Configure password safety validation and password expiration

Since CMS 7.7

From Hippo CMS 7.7 onwards, rules can be configured to validate the safety and expiration of passwords.

Passwords need to be secure, i.e. they should not be easy to guess. This page explains how to use and customize the password validation rules and password expiration behavior. By default these rules are not turned on and Hippo CMS 7.7 behaves the same as Hippo CMS 7.6.

Password safety validation

Passwords can be validated whenever an attempt is made to change them (either from the administration perspective or when using the change password shortcut on the dashboard perspective). Validation is performed by the password validation service, which can be configured at

/hippo:configuration/hippo:frontend/cms/cms-services/passwordValidationService

Each subnode represents an implementation of the interface 'org.hippoecm.frontend.plugins.cms.admin.password.validation.IPasswordValidator' and requires the property 'validator.class' that specifies the implementation class. The service expects these implementations to provide a constructor that takes an 'org.hippoecm.frontend.plugin.config.IPluginConfig' object as its single argument.

The service itself has a single configuration property 'password.strength' which is related to the concept of optional validators.

An optional 'IPasswordValidator' is one that returns true when its 'isOptional()' method is called. The 'password.strength' property controls how many of these optional validators must pass in order for the password to be valid. An error message is logged to the console if you configure a 'password.strength' that is larger than the number of optional validators that are configured.

The following password validators are available:

  • org.hippoecm.frontend.plugins.cms.admin.password.validation.ContainsCapitalPasswordValidator
    Description: Password should contain at least one capital letter (A-Z)
    Optional: yes

  • org.hippoecm.frontend.plugins.cms.admin.password.validation.ContainsDigitPasswordValidator
    Description: Password should contain at least one digit (0-9)
    Optional: yes

  • org.hippoecm.frontend.plugins.cms.admin.password.validation.ContainsLowercasePasswordValidator
    Description: Password should contain at least one lower case letter (a-z)
    Optional: yes

  • org.hippoecm.frontend.plugins.cms.admin.password.validation.ContainsSpecialCharacterPasswordValidator
    Description: Password should contain at least one of !, $, # or %
    Optional: yes

  • org.hippoecm.frontend.plugins.cms.admin.password.validation.ContainsNoNamePasswordValidator
    Description: Password should not contain login name, first name or last name
    Optional: no

  • org.hippoecm.frontend.plugins.cms.admin.password.validation.IsNoPreviousPasswordValidator
    Description: Password should not be the same as N previous passwords
    Optional: no
    Properties:
      • numberOfPreviousPasswords (Long)

  • org.hippoecm.frontend.plugins.cms.admin.password.validation.MinimalLengthPasswordValidator
    Description: Password should be at least N characters long
    Optional: no
    Properties:
      • minimallength (Long)
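As an added illustration (not Hippo's own code), the following Python model shows how the service combines the validators listed above: every non-optional validator must pass, at least 'password.strength' of the optional ones must pass, and a 'password.strength' larger than the number of optional validators is logged as an error. The User class, the short validator names and the constructed values 3 for numberOfPreviousPasswords and 8 for minimallength are assumptions made for the example.

```python
import logging
import re
from dataclasses import dataclass, field

@dataclass
class User:  # constructed stand-in for the hipposys:user node
    username: str
    first_name: str
    last_name: str
    previous_passwords: list = field(default_factory=list)

# One check per validator listed on this page; each takes (password, user).
def contains_capital(pw, user):   return re.search(r"[A-Z]", pw) is not None
def contains_digit(pw, user):     return re.search(r"[0-9]", pw) is not None
def contains_lowercase(pw, user): return re.search(r"[a-z]", pw) is not None
def contains_special(pw, user):   return any(c in "!$#%" for c in pw)
def contains_no_name(pw, user):
    names = (user.username, user.first_name, user.last_name)
    return not any(n and n.lower() in pw.lower() for n in names)
def is_no_previous(number_of_previous_passwords):  # numberOfPreviousPasswords
    return lambda pw, user: pw not in user.previous_passwords[-number_of_previous_passwords:]
def minimal_length(minimallength):  # minimallength
    return lambda pw, user: len(pw) >= minimallength

# (name, optional, check); the two Long properties get constructed values 3 and 8.
VALIDATORS = [
    ("ContainsCapital", True, contains_capital),
    ("ContainsDigit", True, contains_digit),
    ("ContainsLowercase", True, contains_lowercase),
    ("ContainsSpecialCharacter", True, contains_special),
    ("ContainsNoName", False, contains_no_name),
    ("IsNoPreviousPassword", False, is_no_previous(3)),
    ("MinimalLength", False, minimal_length(8)),
]

def validate(password, user, password_strength, validators=VALIDATORS):
    """Every non-optional validator must pass and at least password_strength optional ones."""
    optional_total = sum(1 for _, opt, _ in validators if opt)
    if password_strength > optional_total:  # misconfiguration the page says is logged as an error
        logging.error("password.strength %d exceeds %d optional validators", password_strength, optional_total)
    failures, optional_passed = [], 0
    for name, optional, check in validators:
        passed = check(password, user)
        if optional:
            optional_passed += 1 if passed else 0
        elif not passed:
            failures.append(name)
    if optional_passed < password_strength:
        failures.append(f"password.strength ({optional_passed}/{password_strength} optional passed)")
    return not failures, failures
```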

Password expiration

The repository can be configured to automatically disable user accounts based on the last modified time of the password. This is done by setting the property 'hipposys:passwordmaxagedays' on the node '/hippo:configuration/hippo:security'. When a password is changed through the CMS, the hipposys:user node gets an additional property 'passwordlastmodified'. From that moment on, the expiration date is checked when the user logs in. If the password has expired, the user is disabled and can no longer log in.

Users can be informed that their password is about to expire by configuring the 'change password shortcut' plugin. In the plugin configuration at

/hippo:configuration/hippo:frontend/cms/cms-dashshortcuts/changePasswordShortcut

the property 'passwordexpirationnotificationdays' indicates how many days in advance the user should be notified that his password will expire. The default value is 3 days. During that period, a message in a large red font is displayed on the dashboard showing how much time is left.