Enhanced Password Policy Configurations for Board 14 On-Premise Installations
With the release of the latest version of Board (14.1.0.0.208107), I noticed the new feature allowing users to change their own passwords on On-Premise installations. While this is a positive step toward enhancing user autonomy, it also introduces potential security concerns.
Problem:
In previous versions, password management was entirely controlled by the organization, enabling the enforcement of strong password policies and ensuring passwords met specific complexity and length requirements. However, with this new feature, users can now set simple and insecure passwords.
There is some level of customization available in the "server_config_v2.xml" file, such as the ability to set minimum length requirements and password expiration days. However, the available settings are insufficient for today’s security standards, and several useful features and flexibility already present in the Cloud version are missing in the On-Premise installations.
Proposed Solution:
Introduction of configurable password policies within the Board web platform, as available in the Board Cloud Portal. I suggest adding options to customize the following:
- Minimum password length
- Password complexity requirements (e.g., inclusion of upper/lowercase letters, numbers, special characters, unique characters)
- Password expiration period
- Password history (to prevent the reuse of previous passwords)
- Lockout policies (e.g., enable/disable account lockout, set maximum failed attempts, and lockout duration)
Additionally, I recommend adding a toggle switch that allows administrators to enable or disable the ability for users to change their own passwords, to further customize the experience. This would give organizations more control over password management based on their internal security policies.
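To make the proposed controls concrete, here is an added example (not Board's code and not tied to server_config_v2.xml) of a password-policy validator implementing every item on the list above: minimum length, complexity and unique-character requirements, expiration, history-based reuse prevention, and failed-attempt lockout. All class names, function names and default thresholds are assumptions chosen for illustration; a real deployment would load them from the product's configuration.

```python
# Added example: a password-policy validator covering the controls listed in the
# proposal (length, complexity, unique characters, expiry, history, lockout).
# Constructed illustration code, not Board's implementation; every name and
# default threshold below is an assumption.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import hashlib
import hmac
import os
import string


@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    min_unique_chars: int = 6
    max_age_days: int = 90          # 0 disables expiry
    history_size: int = 5           # 0 disables the reuse check
    lockout_enabled: bool = True
    max_failed_attempts: int = 5
    lockout_minutes: int = 15


@dataclass
class Account:
    username: str
    # each entry is (salt, pbkdf2 digest); entry 0 is the current password
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    password_set_at: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def _hash(password: str, salt: bytes) -> bytes:
    # salted PBKDF2 so stored history entries never reveal old passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _matches(password: str, entry: Tuple[bytes, bytes]) -> bool:
    salt, digest = entry
    return hmac.compare_digest(_hash(password, salt), digest)


def validate_new_password(policy: PasswordPolicy, account: Account, candidate: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    checks = [
        (policy.require_upper, str.isupper, "no upper-case letter"),
        (policy.require_lower, str.islower, "no lower-case letter"),
        (policy.require_digit, str.isdigit, "no digit"),
        (policy.require_special, lambda c: c in string.punctuation, "no special character"),
    ]
    for required, test, msg in checks:
        if required and not any(test(c) for c in candidate):
            problems.append(msg)
    if len(set(candidate)) < policy.min_unique_chars:
        problems.append(f"fewer than {policy.min_unique_chars} unique characters")
    # history check: the candidate must not match the current or recent passwords
    if any(_matches(candidate, e) for e in account.history[:policy.history_size]):
        problems.append(f"reuse of one of the last {policy.history_size} passwords")
    return problems


def set_password(policy: PasswordPolicy, account: Account, candidate: str, now: datetime) -> None:
    """Apply the policy, then store the new password at the head of the history."""
    problems = validate_new_password(policy, account, candidate)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    account.history.insert(0, (salt, _hash(candidate, salt)))
    del account.history[max(policy.history_size, 1):]   # always keep the current one
    account.password_set_at = now
    account.failed_attempts = 0
    account.locked_until = None


def password_expired(policy: PasswordPolicy, account: Account, now: datetime) -> bool:
    if policy.max_age_days == 0 or account.password_set_at is None:
        return False
    return now >= account.password_set_at + timedelta(days=policy.max_age_days)


def authenticate(policy: PasswordPolicy, account: Account, candidate: str, now: datetime) -> str:
    """Return 'ok', 'expired', 'bad_password' or 'locked'; enforces the lockout policy."""
    if account.locked_until is not None and now < account.locked_until:
        return "locked"
    if not account.history or not _matches(candidate, account.history[0]):
        account.failed_attempts += 1
        if policy.lockout_enabled and account.failed_attempts >= policy.max_failed_attempts:
            account.locked_until = now + timedelta(minutes=policy.lockout_minutes)
            account.failed_attempts = 0
            return "locked"
        return "bad_password"
    account.failed_attempts = 0
    account.locked_until = None
    return "expired" if password_expired(policy, account, now) else "ok"
```

The administrator toggle for self-service password changes maps naturally onto calling `set_password` only when that flag is enabled; the validator itself is the same whether the change is initiated by the user or by the organization.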