Hi All, 

I was wondering what the best way is to implement a password policy with
Shiro. It might sound unrelated and even outside the scope of Shiro, but
[IMHO] I can't think of a security framework without a password policy
feature. You can find the sample policy below.
Currently we are using Shiro version 1.2.2 with JDBC MySQL backend and
Enterprise Cache [memcached]. 
Thanks, 

ED

1. Password to be at least 8 chars long
2. Contains at least 1 capital letter, 1 lower case letter, 1 number or
special char
3. Password to expire every 3 months
4. Account to be locked after 6 wrong attempts
5. Account to be unlocked after 15 minutes from the last wrong attempt, or
Admin can unlock, or use the forgot password feature to update to a new password
6. Password has to be changed after it has expired before they can log in
to see anything



--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/How-to-implement-Password-Policy-tp7579842.html
Sent from the Shiro User mailing list archive at Nabble.com.
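
The six rules listed in the message, written out as plain Java. This is an added example, not part of the original post and not Shiro's own code. Assumptions: the `Account` fields, the `Decision` enum and the class name are hypothetical, rule 2 is read as "upper AND lower AND (digit OR special)", and Java 8+ is available for `java.time`.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;

public class PasswordPolicyDemo {
    static final int MIN_LENGTH = 8, MAX_FAILURES = 6, MAX_AGE_MONTHS = 3;
    static final Duration LOCK_WINDOW = Duration.ofMinutes(15);
    enum Decision { ALLOW, DENY, LOCKED, MUST_CHANGE_PASSWORD }
    // Hypothetical per-account state; in the poster's setup this would live in MySQL.
    static class Account { Instant passwordChangedAt, lastFailureAt; int failedAttempts; }
    // Rules 1-2 (assumed reading: upper AND lower AND digit-or-special). Run on set/change.
    static boolean isAcceptable(String pw) {
        if (pw == null || pw.length() < MIN_LENGTH) return false;
        boolean upper = false, lower = false, digitOrSpecial = false;
        for (char c : pw.toCharArray()) {
            if (Character.isUpperCase(c)) upper = true;
            else if (Character.isLowerCase(c)) lower = true;
            else if (!Character.isLetter(c)) digitOrSpecial = true;
        }
        return upper && lower && digitOrSpecial;
    }
    // Rules 3-6. credentialsMatch is the result of the normal password comparison.
    static Decision login(Account a, boolean credentialsMatch, Instant now) {
        if (a.failedAttempts >= MAX_FAILURES) {
            // Rule 5: attempts made while locked are rejected without being counted (assumption).
            if (now.isBefore(a.lastFailureAt.plus(LOCK_WINDOW))) return Decision.LOCKED;
            a.failedAttempts = 0;           // 15 minutes passed since the last wrong attempt
        }
        if (!credentialsMatch) {            // Rule 4: count consecutive failures
            a.failedAttempts++;
            a.lastFailureAt = now;
            return Decision.DENY;
        }
        a.failedAttempts = 0;
        Instant expiry = a.passwordChangedAt.atOffset(ZoneOffset.UTC)
                .plusMonths(MAX_AGE_MONTHS).toInstant();   // Instant cannot add months itself
        return now.isAfter(expiry) ? Decision.MUST_CHANGE_PASSWORD : Decision.ALLOW;
    }
    public static void main(String[] args) {   // constructed sample data
        Account a = new Account();
        a.passwordChangedAt = Instant.parse("2024-01-01T00:00:00Z");
        Instant t0 = Instant.parse("2024-01-10T09:00:00Z");
        System.out.println(isAcceptable("Example#Pass") + " " + isAcceptable("lowercase1"));
        for (int i = 0; i < MAX_FAILURES; i++) login(a, false, t0.plusSeconds(i));
        System.out.println(login(a, true, t0.plusSeconds(60)));               // inside lock window
        System.out.println(login(a, true, t0.plus(Duration.ofMinutes(16))));  // window elapsed
        System.out.println(login(a, true, Instant.parse("2024-05-01T00:00:00Z"))); // past 3 months
    }
}
```

In a custom Shiro realm, `LOCKED` and `MUST_CHANGE_PASSWORD` could be surfaced as `ExcessiveAttemptsException` and `ExpiredCredentialsException` from `org.apache.shiro.authc`; that wiring is an assumption. The counter updates need to be atomic in the backing store when several application nodes handle logins for the same account.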
