Please rate how useful you found this document: 
No votes yet

Overview

By default, ProcessMaker passwords never expire and they only need to contain a minimum of 5 characters which can be all lowercase letters. Many organizations, however, store very sensitive data in ProcessMaker and need to ensure that their passwords are not easily cracked.

In order to ensure password security, define constants in the file /shared/sites/<WORKSPACE>/db.php, which will change the types of allowed passwords and their expiration date.

The db.php file for the default "workflow" workspace is generally found:

In Linux/UNIX at:

<INSTALL-DIRECTORY>/processmaker/shared/sites/workflow/db.php

In Windows at:

<INSTALL-DIRECTORY>\processmaker\shared\sites\workflow\db.php

Edit the db.php file using a plain text editor.

Parameters:

By default the minimum password length is 5 characters. To set the minimum password length to 8 characters, add the line:

define('PPP_MINIMUM_LENGTH', 8);

By default the maximum password length is 20 characters. To set the maximum password length to 32, add the line:

define('PPP_MAXIMUM_LENGTH', 32);

To require passwords to contain at least one numerical character, add the line:

define('PPP_NUMERICAL_CHARACTER_REQUIRED', 1);

To require passwords to contain at least one uppercase character, add the line:

define('PPP_UPPERCASE_CHARACTER_REQUIRED', 1);

To require that passwords contain at least one symbol character (such as @#$%*), add the line:

define('PPP_SPECIAL_CHARACTER_REQUIRED', 1);

By default, passwords never expire. To force users to change their passwords periodically, set the numbers of days until the password will expire. For instance to require that users change their passwords every 90 days, then add the line:

define('PPP_EXPIRATION_IN', 90);
Note: There is an option to force an individual user to change her password during the next login. Login as a user such as the "admin" who has the PM_USERS permission in her role. Then, go to Admin > Users > Users and select the user in the list and click on Edit. In the user's profile, mark the option User must change password at next Login and then click on Save.

To set the maximum password attempts to 3, add the line:

define('PPP_FAILED_LOGINS', 3);

The constants defined will take effect:

  • After changing the password encryption type.
  • When a user is created or edited.
  • When the user is forced to change his/her password at next login with the "User must change password at next logon" option.

Login after Customizing Authentication

The next time users login after an one of the above authentication parameters has been changed, ProcessMaker will check if their passwords conform to the new configuration. If the current password does not conform, then after login, the Change Password dialog will appear asking for the user to enter a new password.

For example, if the following parameters have been added to the db.php file:

define('PPP_MINIMUM_LENGTH', 8); define('PPP_MAXIMUM_LENGTH', 32); define('PPP_NUMERICAL_CHARACTER_REQUIRED', 1);

The Change Password dialog will ask for a password with those requirements.

Enter a new password and then retype it a second time, then click on Save. At the next login, use the new password.

Adding Custom Code

If you would like to add custom PHP code to check passwords, edit the file <INSTALL-DIRECTORY>/workflow/engine/classes/model/UsersProperties.php

In Linux/UNIX, it can generally be found at:

/opt/processmaker/workflow/engine/classes/model/UsersProperties.php

In Windows, it can generally be found at:

<INSTALL-DIRECTORY>\processmaker\workflow\engine\classes\model\UsersProperties.php

This file, however, may be over-written every time a new upgrade patch or version is applied to ProcessMaker, so be sure to make a backup copy of your custom code and reapply it after an upgrade.