      Atlassian Update – 15 November 2018

      Hi,
      Thank you for providing input and feedback on this suggestion. The Jira Server team have recently reviewed this suggestion and how it would fit alongside our strategy and other customer priorities. I am afraid we are not planning to invest in more robust rules for password management in Jira.

      However, we wanted to let you know that Password Policies for Internal Directories are available in Crowd.

      For those of you who aren’t familiar with Crowd, it offers one place to manage your users, groups and directories and easily integrate your identity infrastructure across all self-hosted Atlassian products.

      Crowd allows admins to set up Password Regex - a regular expression pattern that a new password will be validated against. Admins are also able to set up custom messages that help explain password complexity requirements to users. It is also possible to set up:

      • maximum number of invalid password attempts before the authenticating account will be disabled
      • number of days until the password must be changed
      • number of previous passwords to check when disallowing repeated passwords on password change

      If the Password Policy in your organization requires any additional rules governing passwords beyond what is currently offered by Crowd, please create a relevant ticket in https://jira.atlassian.com/projects/CWD/.

      Best regards,
      Gosia Kowalska, Jira Server Product Manager

    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.


      Original description
      Many large corporations have specific rules governing passwords. It would be nice if JIRA Enterprise supported the ability to configure these rules. Specifically,

      • minimum & maximum number of days between password changes
      • minimum number of characters for a password
      • minimum composition of a password (e.g. at least 2 numbers or 1 special character)
      • number of attempts before locked out
      • lock out time period
      • password never expires

        1. changepassword_4.1.2.jsp
          4 kB
        2. changepassword.jsp
          2 kB
        3. changepassword-4.3.jsp
          4 kB
        4. renamed-4.3.jsp
          4 kB
        5. resetpassword_4.1.2.jsp
          3 kB
        6. resetpassword_5.1.4.jsp
          5 kB
        7. resetpassword-4.3.jsp
          4 kB
        8. strongpasswords-5.0.5.diff
          5 kB


            [JRASERVER-2740] Rules Governing Passwords - Password Policy

            Marlon Ulb added a comment -

            Dear Atlassian, is there any chance that you will review this proposal after 6 years?

            It's a shame... Atlassian's lack of will is driving me crazy the longer I have to work with Jira.

            Security is becoming a bigger and bigger issue, especially in these times. On-premise solutions are the only solution for many companies and will be for more and more. If the security issues with Jira Data Center only increase, the only option is to switch to another product that takes into account the security concerns of the customer.

            mkowalska do you see any options?


            Jeramy added a comment -

            It's now 2023 and this is still not available? Atlassian...this seems like a lawsuit waiting to happen. I should be able to force users to change their passwords in Data Center.


            Frank Schimmel added a comment - - edited

            I agree with all previous comments who request a password expiration or password renewal enforcement feature in 2020/2021.

            Very disappointing that Atlassian provides this for Jira Cloud, but not for Jira Data Center.


            Grant Johnson added a comment -

            Incredibly disappointing that a Password Policy in 2020 doesn't have an "expiry" feature.

            Very important!

            Snorre Selmer added a comment - - edited

            $2000 just for expiring passwords? No thanks... Our organization hosts a semi-public Jira, not the biggest in the world, but big enough that importing non-organization users into our AD just so we can relegate password expiry is just plain not an option.

            If Jira can manage password complexity, it can also manage password expiry.


            Andrew Shakespeare added a comment -

            Roger - thank you for the advice. Absolutely, most of our users are internal and use their AD login for JIRA. However we have many external users/contractors that do not get onboarded for AD, so we have a security issue there.

            Roger Oberg added a comment -

            I agree with you Andrew.

            However since we could switch to use our AD-integration (together with Crowd), we now control all our password policies in the AD instead. It also gives us SSO with other applications which is great for our users. So maybe that could be an option for you as well...

            Andrew Shakespeare added a comment -

            It is insane that this functionality doesn't exist. What a security hole for anyone using JIRA.

            REQUIRED:

            1. Password expiry.. how is this not an option in 2020?!
            2. Force password change.. what's the point of setting stricter password policies if you can't enforce it?!

            +1

            congo bongo added a comment -

            oh the irony of it all..

            you guys [atlassian] are unbelievable - how the hell do you expect me to spend thousands of dollars on crowd just because you are too lazy and INCOMPETENT to develop a properly designed bug and issue tracking system..

            FORGET IT - we are not buying crowd just to extend basic features in Jira - NOT gonna happen. Get it done right and get your fingers outta your butts.

              Unassigned
              Matthew E. Porter
              Votes: 359
              Watchers: 210