eCatalog supports internal user management that does not rely on Active Directory. This section covers password management for those internal users.


Password Policy


One of the authentication modes available in eCatalog is internal eCatalog user management with passwords. This section covers that internal password management.
This password management does not apply when the user is managed under Active Directory (AD), i.e. when the authentication mode is AD.


The following password features are available in eCatalog:

  1. Administrator can enable password complexity enforcement. 
    Administrator can set the following password complexity configuration:
    1. Minimum length of password. Recommended is 15.
    2. Rule: number of upper-case characters (A-Z). Recommended is 1.
    3. Rule: number of lower-case characters (a-z). Recommended is 1.
    4. Rule: number of digits (0-9). Recommended is 1.
    5. Rule: number of special characters (!, $, #, %, etc.). Recommended is 1.
    6. Total number of rules applied (how many of the rules above must be satisfied). Recommended is 4.
    7. Black-listed keywords cannot be used.
    8. The password cannot be the same as the username.
  2. Administrator can set the following settings:
    1. Maximum age of password. Recommended is 365 days (1 year). Once the password becomes "old", the user must change it.
    2. Password history (number of previous passwords that cannot be reused). Recommended is 5. 
    3. Minimum age of password, which prevents users from changing the password repeatedly within a short time. Disabled by default.
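The following is an added example, not eCatalog's own code, of how the complexity, history and age rules above fit together in one policy check. Threshold defaults are the recommended values from this page; the blacklist words, the user record layout and the PBKDF2 stand-in for BCrypt are assumptions made for the example.

```python
# Added example (not eCatalog's own code): a policy checker implementing the
# complexity, history and age rules listed above. Thresholds default to the
# page's recommended values; the blacklist and user records are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import os


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 15
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    rules_required: int = 4        # how many of the four character-class rules must pass
    blacklist: tuple = ("password", "ecatalog", "welcome")  # constructed sample list
    history_size: int = 5          # previous passwords that may not be reused
    max_age_days: int = 365
    min_age_days: int = 0          # 0 = minimum-age rule disabled (the page's default)


def complexity_problems(policy, username, password):
    """Return every complexity rule the candidate password violates ([] = accepted)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    counts = {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "special": sum(not c.isalnum() for c in password),  # anything non-alphanumeric
    }
    required = {"upper": policy.min_upper, "lower": policy.min_lower,
                "digit": policy.min_digits, "special": policy.min_special}
    met = [name for name in counts if counts[name] >= required[name]]
    if len(met) < policy.rules_required:
        problems.append(f"only {len(met)} of {policy.rules_required} character-class rules met")
    lowered = password.lower()
    hits = [word for word in policy.blacklist if word in lowered]
    if hits:
        problems.append("contains black-listed keyword(s): " + ", ".join(hits))
    # Stricter reading of the username rule (assumption): it may not appear at all.
    if username.lower() in lowered:
        problems.append("contains the username")
    return problems


def _digest(password, salt):
    # PBKDF2-HMAC-SHA256 from the standard library stands in for BCrypt here;
    # what matters for the history check is the per-entry random salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserRecord:
    username: str
    last_changed: datetime
    history: list = field(default_factory=list)  # newest first; entries are (salt, digest)


def change_problems(policy, user, new_password, now):
    """All reasons a password change must be refused: complexity, minimum age, history."""
    problems = complexity_problems(policy, user.username, new_password)
    if policy.min_age_days and now - user.last_changed < timedelta(days=policy.min_age_days):
        problems.append(f"changed less than {policy.min_age_days} day(s) ago")
    for salt, digest in user.history[:policy.history_size]:
        if hmac.compare_digest(_digest(new_password, salt), digest):
            problems.append(f"reuses one of the last {policy.history_size} passwords")
            break
    return problems


def must_change(policy, user, now):
    """Maximum-age rule: True once the current password is older than max_age_days."""
    return now - user.last_changed > timedelta(days=policy.max_age_days)


def set_password(policy, user, new_password, now):
    """Apply the change if the policy allows it; returns the list of problems ([] on success)."""
    problems = change_problems(policy, user, new_password, now)
    if problems:
        return problems
    salt = os.urandom(16)  # fresh random salt for every change
    user.history.insert(0, (salt, _digest(new_password, salt)))
    del user.history[policy.history_size:]   # keep only the last history_size entries
    user.last_changed = now
    return []


if __name__ == "__main__":
    policy = PasswordPolicy()
    alice = UserRecord("alice", datetime(2024, 1, 1))
    print(set_password(policy, alice, "Correct-Horse-Battery-9", datetime(2024, 1, 1)))
    print(set_password(policy, alice, "Correct-Horse-Battery-9", datetime(2024, 6, 1)))
    print(complexity_problems(policy, "alice", "alice2024"))
```

Each history entry keeps its own salt, so a reuse check has to re-hash the candidate once per stored entry; that is the cost of never storing a reusable digest, and it is why the history length is bounded by the policy.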



Password Hashing


By default, passwords are stored in the database hashed with BCrypt. BCrypt is a strong password-hashing algorithm. Hashing is one-way: a password can be hashed, but there is no way to recover it from the hash. eCatalog also stores a different random salt for each user; the salt is unique per user and is regenerated every time the user changes the password.


The password hashing method is configurable. For example, MD5, SHA-1, SHA-2, SHA-3, BLAKE2, Whirlpool or RIPEMD-160 can be selected instead of BCrypt. 


Since the system cannot recover passwords from their hashes, the hashing method must be chosen before the system is put into use. Once the hashing method is changed, every existing password hash becomes unverifiable. If the administrator really must change the hashing method after users have already been using the system, the administrator can set all users to reset their passwords.
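As an added example (not eCatalog's own code), the store below shows the two points of this section together: a fresh random salt per user and per change, and the effect of switching the hashing method, after which old digests can no longer be verified and every affected user is flagged to reset. The method table is a constructed mapping onto Python's hashlib; BCrypt is not in the standard library, so PBKDF2-HMAC-SHA256 stands in for it, and Whirlpool and RIPEMD-160 are left out because hashlib only exposes them when the underlying OpenSSL build does. Storing the method name next to each digest is a design choice of this example, not something the page states eCatalog does.

```python
# Added example (not eCatalog's own code): a minimal credential store with a
# per-user random salt and a configurable hash function, showing why stored
# hashes stop verifying once the method changes and how a forced reset recovers.
import hashlib
import hmac
import os
from dataclasses import dataclass

# Selectable methods (constructed mapping onto hashlib). PBKDF2-HMAC-SHA256 plays
# BCrypt's role here: salted and deliberately slow, unlike the single-pass
# digests listed after it, which are fast general-purpose hash functions.
ALGORITHMS = {
    "pbkdf2-sha256": lambda pw, salt: hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000),
    "md5": lambda pw, salt: hashlib.md5(salt + pw).digest(),
    "sha1": lambda pw, salt: hashlib.sha1(salt + pw).digest(),
    "sha256": lambda pw, salt: hashlib.sha256(salt + pw).digest(),
    "sha3_256": lambda pw, salt: hashlib.sha3_256(salt + pw).digest(),
    "blake2b": lambda pw, salt: hashlib.blake2b(pw, salt=salt).digest(),  # needs a 16-byte salt
}


@dataclass
class StoredCredential:
    algorithm: str      # method the digest was produced with (example's own design choice)
    salt: bytes
    digest: bytes
    must_reset: bool = False


class PasswordStore:
    def __init__(self, algorithm="pbkdf2-sha256"):
        if algorithm not in ALGORITHMS:
            raise ValueError(f"unknown hashing method: {algorithm}")
        self.algorithm = algorithm
        self.users = {}

    def set_password(self, username, password):
        salt = os.urandom(16)   # new random salt on every change, hence unique per user
        digest = ALGORITHMS[self.algorithm](password.encode(), salt)
        self.users[username] = StoredCredential(self.algorithm, salt, digest)

    def verify(self, username, password):
        cred = self.users.get(username)
        if cred is None or cred.must_reset:
            return False
        # A digest produced with another method cannot be checked with the current one.
        if cred.algorithm != self.algorithm:
            return False
        expected = ALGORITHMS[self.algorithm](password.encode(), cred.salt)
        return hmac.compare_digest(expected, cred.digest)

    def change_algorithm(self, new_algorithm):
        """Switch methods. Digests cannot be converted (hashing is one-way), so every
        user whose digest was made with the old method is flagged for a reset.
        Returns how many users were flagged."""
        if new_algorithm not in ALGORITHMS:
            raise ValueError(f"unknown hashing method: {new_algorithm}")
        self.algorithm = new_algorithm
        flagged = 0
        for cred in self.users.values():
            if cred.algorithm != new_algorithm:
                cred.must_reset = True
                flagged += 1
        return flagged

    def users_pending_reset(self):
        return sorted(u for u, c in self.users.items() if c.must_reset)


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "Correct-Horse-Battery-9")
    print(store.verify("alice", "Correct-Horse-Battery-9"))   # True
    print(store.change_algorithm("sha3_256"), store.users_pending_reset())
    print(store.verify("alice", "Correct-Horse-Battery-9"))   # False until alice resets
```

Recording the method alongside each digest is what lets the store report a mismatch explicitly instead of silently failing every login after a method change; the reset flag then models the administrator's "reset all users" action described above.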