We recently implemented some new security features for OpenProject 3.0, which we are currently developing. These features aim to improve the security of OpenProject installations and make OpenProject more compliant with corporate security requirements.
The following list of features is a preview of the account security features to come.
Password Brute Force Prevention
OpenProject now blocks a user account when many login attempts fail within a short time. Both the number of failed logins after which an account is blocked and the block duration are configurable. The default is very conservative, so that users who are not aware of this feature don't lock themselves out for a long time: by default, a user is blocked for 30 minutes after 20 failed login attempts. This is still enough to keep an automated attack from succeeding against a reasonably complex password.
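To make the mechanism concrete, here is an added example (not OpenProject's own code) of a per-account failed-login tracker with the defaults named above: 20 failures, 30-minute block. The length of the window in which failures are counted is not given in the post, so the example assumes it equals the block duration; the clock is injectable so the behaviour can be checked without waiting.

```ruby
# Added example, not OpenProject's implementation: blocks an account after
# max_failures failed logins inside window_seconds, for block_seconds.
class LoginLockout
  attr_reader :max_failures, :block_seconds, :window_seconds

  # clock: any callable returning a Time; defaults to the real clock
  def initialize(max_failures: 20, block_seconds: 30 * 60,
                 window_seconds: 30 * 60, clock: -> { Time.now })
    @max_failures = max_failures
    @block_seconds = block_seconds
    @window_seconds = window_seconds   # assumption: not specified in the post
    @clock = clock
    @failures = Hash.new { |h, k| h[k] = [] }   # login => failure timestamps
    @blocked_until = {}                           # login => Time the block ends
  end

  # true while the account is inside its block period
  def blocked?(login)
    until_time = @blocked_until[login]
    return false unless until_time
    return true if @clock.call < until_time
    # the block has lapsed: forget it and start counting from zero again
    @blocked_until.delete(login)
    @failures[login].clear
    false
  end

  # Record a failed attempt. Returns true when the account is (now) blocked.
  def record_failure(login)
    return true if blocked?(login)
    now = @clock.call
    window = @failures[login]
    window << now
    # only failures inside the sliding window count towards the limit
    window.reject! { |t| now - t > window_seconds }
    if window.size >= max_failures
      @blocked_until[login] = now + block_seconds
      return true
    end
    false
  end

  # A successful login clears the failure count; it is refused while blocked.
  def record_success(login)
    return false if blocked?(login)
    @failures[login].clear
    true
  end
end
```

A real deployment would keep the failure timestamps in the database or a shared cache rather than in process memory, so that the limit holds across application servers; the counting logic stays the same.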
Assignment of a random password to a user
Before, when automated password reset via e-mail was disabled, the only way to reset a user's password was for an admin to set a new one. People entering (hopefully temporary) passwords tend to choose poor ones. OpenProject therefore now lets administrators assign a random password to a user, which is sent to the user via e-mail. Assigning a random password also forces the user to change it on the next login.
Disable Browser autocompletion for sensitive fields
Most popular browsers offer to save login passwords. These passwords are often stored on disk without significant protection, i.e. not protected by a ‘master password’, and can be extracted easily. OpenProject therefore deactivates this browser function for certain fields, for example the username and password fields.
Password Complexity Enforcement
The default minimum password length is increased from 4 to 10 characters. While the brute force prevention hinders attackers from trying lots of passwords against the OpenProject server, passwords should still be protected when the database is compromised. Passwords with 8 characters can be cracked in reasonable time, so OpenProject uses 10 characters as the minimum length to have a little margin. This won’t automatically change for existing installations with manually set values. Besides increasing the default minimum password length, OpenProject now also allows requiring certain character classes, like lowercase, uppercase, and numbers, to be present in passwords. All of this is configurable.
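As an added illustration (not OpenProject's own validation code), the following policy object enforces a configurable minimum length and a configurable set of required character classes. The minimum of 10 and the three classes named above are used as defaults; the additional `special` class is an assumption, as is the wording of the messages.

```ruby
# Added example, not OpenProject's implementation: configurable password rules.
class PasswordPolicy
  CLASSES = {
    lowercase: /[a-z]/,
    uppercase: /[A-Z]/,
    numeric:   /[0-9]/,
    special:   /[^a-zA-Z0-9]/,   # assumption: a "special character" class
  }.freeze

  def initialize(min_length: 10, required_classes: [:lowercase, :uppercase, :numeric])
    unknown = required_classes - CLASSES.keys
    raise ArgumentError, "unknown character classes: #{unknown.inspect}" unless unknown.empty?
    @min_length = min_length
    @required_classes = required_classes
  end

  # Returns the list of rules the password breaks; an empty list means it passes.
  def violations(password)
    errors = []
    errors << "must be at least #{@min_length} characters" if password.length < @min_length
    @required_classes.each do |name|
      errors << "must contain at least one #{name} character" unless password.match?(CLASSES[name])
    end
    errors
  end

  def valid?(password)
    violations(password).empty?
  end
end
```

Returning every violation at once, rather than the first one, lets the form show the user the full set of rules they still have to meet.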
Password expiration
While password expiration does not make sense in every environment, it does make sense in some. Therefore, OpenProject allows configuring a duration after which passwords expire. With this feature enabled, users who haven’t changed their password within that time are forced to change it on their next login and are prevented from doing anything else within OpenProject until they do.
Ban former passwords
Password expiration wouldn’t help much without preventing users from reusing their passwords. Thus, OpenProject allows configuring a number of previously used passwords that each user is not allowed to use again.
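The following added example (not OpenProject's code) shows how such a ban is typically kept: the last N password hashes are retained per user, each with its own random salt, and a new password is rejected if it matches any of them. The hash is PBKDF2 from Ruby's OpenSSL binding, the iteration count and the default of 3 remembered passwords are assumptions, and the history lives in memory instead of the database.

```ruby
require "openssl"
require "securerandom"

# Added example, not OpenProject's implementation: refuses recently used passwords.
class PasswordHistory
  ITERATIONS = 20_000   # assumption; tune to the hardware in a real deployment
  KEY_LENGTH = 32

  def initialize(remembered: 3)
    @remembered = remembered
    @history = Hash.new { |h, k| h[k] = [] }   # login => [[salt, digest], ...], newest last
  end

  # Stores the new password's hash and returns true, or returns false without
  # changing anything when the password is still in the user's history.
  def change_password(login, new_password)
    return false if used_before?(login, new_password)
    salt = SecureRandom.random_bytes(16)
    entries = @history[login]
    entries << [salt, derive(new_password, salt)]
    entries.shift while entries.size > @remembered   # drop the oldest entries
    true
  end

  # Each stored entry has its own salt, so the candidate is re-derived per entry.
  def used_before?(login, password)
    @history[login].any? do |salt, digest|
      OpenSSL.fixed_length_secure_compare(derive(password, salt), digest)
    end
  end

  def remembered_count(login)
    @history[login].size
  end

  private

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LENGTH,
                               OpenSSL::Digest.new("sha256"))
  end
end
```

Because the current password is the newest entry, the check also stops a user from "changing" their password to the one they already have.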
Automated logout on inactivity
When users leave their computers unattended for a while or log in from a public computer, they often forget to log out. This might allow other people to access an OpenProject instance in the name of the logged-in user. To mitigate this risk, OpenProject allows activating automated session expiry after a specified time. After this time, the user is automatically logged out and can’t access OpenProject until logging in again.
These two improvements are more technical changes and mostly not user-visible:
Improved random password generator
The new password generator generates longer and more complex passwords. It also uses Ruby’s SecureRandom module, which creates cryptographically secure random values.
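As an added example (not OpenProject's generator), here is a password generator built on SecureRandom that guarantees at least one character from every required class and then shuffles the result with a Fisher-Yates pass driven by SecureRandom, so the guaranteed characters don't always sit at the front. The 16-character default and the character sets are assumptions.

```ruby
require "securerandom"

# Added example, not OpenProject's implementation: class-guaranteed random passwords.
module RandomPassword
  CLASSES = {
    lowercase: ("a".."z").to_a,
    uppercase: ("A".."Z").to_a,
    numeric:   ("0".."9").to_a,
    special:   %w[! @ # $ % & * + - = ? _],   # assumption: chosen to be shell-safe
  }.freeze

  def self.generate(length: 16, classes: [:lowercase, :uppercase, :numeric, :special])
    raise ArgumentError, "length must be >= #{classes.size}" if length < classes.size
    alphabet = classes.flat_map { |c| CLASSES.fetch(c) }
    # one guaranteed character per required class, the rest from the whole alphabet
    chars = classes.map { |c| pick(CLASSES.fetch(c)) }
    chars << pick(alphabet) while chars.size < length
    # Fisher-Yates shuffle using the secure RNG (Kernel#rand would not do here)
    (chars.size - 1).downto(1) do |i|
      j = SecureRandom.random_number(i + 1)
      chars[i], chars[j] = chars[j], chars[i]
    end
    chars.join
  end

  # Unbiased pick: random_number(n) draws uniformly from 0...n, so no modulo bias
  def self.pick(set)
    set[SecureRandom.random_number(set.size)]
  end

  # true when the password contains at least one character of every class
  def self.satisfies?(password, classes)
    classes.all? { |c| password.each_char.any? { |ch| CLASSES.fetch(c).include?(ch) } }
  end
end
```

Drawing indices with `SecureRandom.random_number(n)` instead of reducing a large random value modulo `n` matters: the modulo approach makes the first few characters of each set slightly more likely.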
Constant-time password hash comparison
Timing attacks allow guessing secret values character by character. While this kind of attack is relatively hard to carry out, especially when passwords are compared in hashed form, it is not impossible. Comparing values in a way that takes the same time regardless of how many leading characters match in both values prevents these kinds of attacks.
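To show the difference, here is an added example (not OpenProject's code) of an early-exit comparison next to a constant-time one. The naive version stops at the first differing byte, so its run time grows with the length of the matching prefix; the constant-time version XORs every byte pair into an accumulator and only decides at the end.

```ruby
# Added example, not OpenProject's implementation: leaky vs constant-time compare.
module Compare
  # Leaky: returns as soon as one byte differs, so the time taken reveals how
  # many leading bytes of the two values agree.
  def self.naive(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).each { |x, y| return false if x != y }
    true
  end

  # Constant-time for equal-length inputs: no early return, no data-dependent
  # branch; the accumulator is non-zero if any byte pair differed.
  def self.constant_time(a, b)
    return false unless a.bytesize == b.bytesize
    acc = 0
    a.bytes.zip(b.bytes) { |x, y| acc |= x ^ y }
    acc.zero?
  end

  # Typical use: compare the stored password hash with the freshly computed one.
  # Both digests have a fixed length, so the length check leaks nothing secret.
  def self.hash_matches?(stored_digest, computed_digest)
    constant_time(stored_digest, computed_digest)
  end
end
```

The length check itself is acceptable here because both sides are digests of a known, fixed size; what must not leak is where inside the digest the first mismatch sits. Ruby's own `OpenSSL.fixed_length_secure_compare` does the same job and should be preferred when it is available.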
Screenshot
Here’s a screenshot of the account security configuration in OpenProject 3.0:
We continue to improve security for OpenProject users and are confident that these improvements are a major step for users who want to use OpenProject in security sensitive areas.