Hi,
We use OJS 3.1.1-1 at the University of Bordeaux in France.
Our chief information security officer (CISO) has a few concerns about the registration method of users in OJS.
- Self registration
User completes a form with some required fields.
Required fields are: First Name, Last Name, Affiliation, Country, Login, Email, Username, Password
Non-required field is: Middle Name
He has to agree to have his data collected and stored according to the Policy Statement to complete his registration
He chooses a username and a password. Password needs to have at least 6 characters. There is no obligation to have a combination of lower/upper case, numeric/letter, special character
Then he receives an email with a link to validate his email account.
Comment of our CISO:
- 6 characters for a password is too few to have a strong password. It would also be better to require a combination of lower/upper case, numeric/letter, special character
- Registration of a user by the manager or a person with an editor role
To register a user, the Manager completes a form with some required fields which are not the same as for self registration.
Required fields are: First Name, Last Name, Login, Email, Username, Password
Non-required fields are: Middle Name, Affiliation, Country, etc.
The Manager chooses the password or generates a random password for this user.
He can choose that User must change password on next log in and Send user a welcome email.
If the Manager chose to send a welcome email to the user, the user receives an email with his username and his new password in “plain-text”
Comment of our CISO:
- Same comment for the password pattern
- It’s not logical that required fields are not the same as for self registration
- It’s not secure to send a “plain-text” password by email to the user. It would be better to send the user an email with a non-replayable link to validate his email account, like for self-registration.
- The user doesn’t have the opportunity to agree to have his data collected and stored according to the Policy Statement to complete his registration, and he should have it like for self-registration.
- Reset Password
User completes a form with his email address and he receives an email with a link to reset his password.
When he clicks on the link, he receives an email with his username and his new password in “plain-text”
Comment of our CISO:
- It’s not secure to send a “plain-text” password by email to the user. It would be better to send the user an email with a non-replayable link that allows him to set a new password online
- Password Encryption
I read this in OJS forum:
Passwords will automatically be updated to a modern hash rather than the old md5 and sha1 hashes as they are used (or as new ones are created). The encryption option in config.inc.php is only relevant for legacy password hashes which haven’t been upgraded yet (because the user hasn’t logged in).
Questions of our CISO:
- What is the modern hash method now used by OJS?
- How do we manage old accounts which haven’t been upgraded yet? Do we have to keep their old encrypted password in the database and possibly leave a security breach, and do we have to wait until they log in to change the encryption of their password with the new method?
Thanks in advance for all your answers.
Best regards
Helene
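The "upgrade on login" behaviour quoted from the forum above, as an added illustration that is not OJS code and makes no claim about the scheme OJS itself uses: a user store with an unsalted legacy md5 hash, a verify step that accepts both formats, a transparent rehash at the only moment the plaintext is available (a successful login), and an inventory function for the accounts that are still on legacy hashes. The sample users, the `pbkdf2_sha256$` storage format and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample user table: one account still on a legacy unsalted md5
# hash (32 hex chars). Real OJS storage formats are not modelled here.
users = {
    "legacy_user": {"password": hashlib.md5(b"correct horse").hexdigest()},
}

MODERN_PREFIX = "pbkdf2_sha256$"   # constructed format tag for this example
ITERATIONS = 600_000               # work factor; tune for your hardware


def modern_hash(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash: prefix$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{MODERN_PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    """Anything not in the modern format is treated as an old md5/sha1 hash."""
    return not stored.startswith(MODERN_PREFIX)


def verify(stored: str, password: str) -> bool:
    """Check a password against either the legacy or the modern format."""
    if is_legacy(stored):
        algo = hashlib.md5 if len(stored) == 32 else hashlib.sha1  # 40 = sha1
        return hmac.compare_digest(algo(password.encode()).hexdigest(), stored)
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(username: str, password: str) -> bool:
    """Authenticate; on success, silently replace a legacy hash."""
    rec = users.get(username)
    if rec is None or not verify(rec["password"], password):
        return False
    if is_legacy(rec["password"]):
        # The plaintext is only known here, so this is the one place the
        # old hash can be upgraded without asking the user to reset.
        rec["password"] = modern_hash(password)
    return True


def legacy_accounts() -> list:
    """Accounts that have not logged in since the change: candidates for a
    forced reset if waiting for the next login is not acceptable."""
    return sorted(u for u, r in users.items() if is_legacy(r["password"]))
```

Running `legacy_accounts()` before and after a successful `login()` shows the inventory shrink, which is the check an administrator would use to decide whether the remaining accounts should be reset rather than left waiting for a login.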