Actually, OFBiz already supports this stuff and has been through many different PCI audits.
As a starting point, for configuration options see the security.properties file.

-David

On Jul 3, 2012, at 5:16 AM, Gaurav23 A wrote:

> Hi All,
>
> As a part of PCI DSS version 2.0 compliance there are some features available OOTB in Ofbiz. These features will help organizations using Ofbiz to get PCI Compliance of the application. However, there are many more features that are required to be built within Ofbiz. One such comprehensive feature is "Password Management". Some of the broad requirements from a PCI DSS perspective for this specific feature are:
>
> - Verify user identity before performing password resets.
> - Set passwords for first-time use and resets to a unique value for each user and change immediately after the first use.
> - Change user passwords at least every 90 days.
> - Require a minimum password length of at least seven characters.
> - Use passwords containing both numeric and alphabetic characters.
> - Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
> - Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
>
> Password Management is not available OOTB in Ofbiz. The plan is to build this feature and get this implemented in Ofbiz. I was looking at the various Password Management features available in Apache products. A few are:
>
> 1) http://archiva.apache.org/docs/1.1.3/adminguide/customising-security.html
> 2) https://cwiki.apache.org/SYNCOPE/policies.html
>
> Would like to hear from all of you on what will be the best approach in building this feature called "Password Management" in Ofbiz.
>
> -- Gaurav
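The requirements quoted above map onto a small, testable policy module. The block below is an added illustration in Python and is not OFBiz code or anything from the thread; it assumes Unix-second timestamps, uses a constructed threshold of six failed attempts before lockout (the thread states only the 30-minute duration), and models "until an administrator enables the user ID" only as the timed lockout.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
# Policy values quoted from PCI DSS in the thread; times are Unix seconds.
MIN_LENGTH = 7
HISTORY_DEPTH = 4     # no reuse of the last four passwords
MAX_AGE = 90 * 86400  # change at least every 90 days
LOCKOUT = 30 * 60     # lock for at least 30 minutes
MAX_FAILURES = 6      # assumed threshold; the thread gives only the lockout duration

@dataclass
class Account:
    history: list = field(default_factory=list)  # newest first: (salt, digest)
    set_at: int = 0
    must_change: bool = True  # first-time and reset values are single-use
    failures: int = 0
    locked_until: int = 0
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def check_new_password(acct, password):
    """Return the policy violations; an empty list means the value is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.isdigit() for c in password) and any(c.isalpha() for c in password)):
        problems.append("needs both letters and digits")
    if any(hmac.compare_digest(hash_password(password, s)[1], d) for s, d in acct.history[:HISTORY_DEPTH]):
        problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    return problems

def set_password(acct, password, now, by_admin=False):
    # A value set by an administrator (first-time or reset) must be changed at next login.
    problems = check_new_password(acct, password)
    if problems:
        raise ValueError("; ".join(problems))
    acct.history = [hash_password(password)] + acct.history[:HISTORY_DEPTH - 1]
    acct.set_at, acct.must_change = now, by_admin
def change_required(acct, now):
    return acct.must_change or now - acct.set_at > MAX_AGE
def record_login(acct, password, now):
    # Verify one attempt, counting failures and enforcing the lockout window.
    if now < acct.locked_until:
        return False
    salt, digest = acct.history[0]
    if hmac.compare_digest(hash_password(password, salt)[1], digest):
        acct.failures = 0
        return True
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.failures, acct.locked_until = 0, now + LOCKOUT
    return False
```

Identity verification before a reset (the first requirement) is left to the caller of `set_password`, since it depends on the application's own authentication flow.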
