Overview

By default, ProcessMaker passwords never expire and need only contain a minimum of 5 characters, which can all be lowercase letters. Many organizations, however, store very sensitive data in ProcessMaker and need to ensure that their passwords are not easily cracked.

In order to ensure password security, define constants in the file /shared/sites/<WORKSPACE>/db.php, which will change the types of allowed passwords and their expiration date.

The db.php file for the default "workflow" workspace is generally found:

In Linux/UNIX at:

<INSTALL-DIRECTORY>/processmaker/shared/sites/workflow/db.php

In Windows at:

<INSTALL-DIRECTORY>\processmaker\shared\sites\workflow\db.php

Edit the db.php file using a plain text editor.

Parameters:

By default the minimum password length is 5 characters. To set the minimum password length to 8 characters, add the line:

define('PPP_MINIMUM_LENGTH', 8);

By default the maximum password length is 32 characters:

define('PPP_MAXIMUM_LENGTH', 32);

To require passwords to contain at least one numerical character, add the line:

define('PPP_NUMERICAL_CHARACTER_REQUIRED', 1);

To require passwords to contain at least one uppercase character, add the line:

define('PPP_UPPERCASE_CHARACTER_REQUIRED', 1);

To require that passwords contain at least one symbol character (such as @#$%*), add the line:

define('PPP_SPECIAL_CHARACTER_REQUIRED', 1);

To force users to change their passwords periodically, set the number of days until the password expires. For instance, to require that users change their passwords every 90 days, add the line:

define('PPP_EXPIRATION_IN', 90);

To set the maximum number of failed login attempts to 3, add the line:

define('PPP_FAILED_LOGINS', 3);

The constants defined will take effect:

  • After changing the password encryption type.
  • When a user is created or edited.
  • When the user is forced to change his/her password at next login with the "User must change password at next logon" option.
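To check which of the settings above are actually active in a workspace's db.php, the following added example (not ProcessMaker code) parses the PPP_* defines and reports the ones that are missing, commented out, or weaker than a baseline. The baseline reuses this page's example values, and the function names and sample file contents are assumptions made for the example.

```python
import re

# Baseline = the example values shown on this page (an assumption of this
# example; substitute your organization's policy).
BASELINE = {
    "PPP_MINIMUM_LENGTH": 8,
    "PPP_NUMERICAL_CHARACTER_REQUIRED": 1,
    "PPP_UPPERCASE_CHARACTER_REQUIRED": 1,
    "PPP_SPECIAL_CHARACTER_REQUIRED": 1,
    "PPP_EXPIRATION_IN": 90,
    "PPP_FAILED_LOGINS": 3,
}
LOWER_IS_STRICTER = {"PPP_EXPIRATION_IN", "PPP_FAILED_LOGINS"}
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](PPP_[A-Z_]+)['"]\s*,\s*(\d+)\s*\)""")

def parse_policy(db_php_text):
    """Return {constant: int} for active (not commented-out) PPP_* defines."""
    src = re.sub(r"/\*.*?\*/", "", db_php_text, flags=re.S)  # block comments
    src = re.sub(r"(?m)^\s*(//|#).*$", "", src)              # whole-line comments
    policy = {}
    for name, value in DEFINE_RE.findall(src):
        policy.setdefault(name, int(value))  # PHP keeps the first define()
    return policy

def audit(db_php_text, baseline=BASELINE):
    """Return [(constant, reason)] for settings weaker than the baseline."""
    policy, findings = parse_policy(db_php_text), []
    for name, want in baseline.items():
        have = policy.get(name)
        if have is None:
            findings.append((name, "not defined, default applies"))
        elif name in LOWER_IS_STRICTER:
            # Assumption: 0 or less is treated as "not enforced"; the page
            # does not say what a value of 0 means.
            if not 0 < have <= want:
                findings.append((name, f"{have} is weaker than baseline {want}"))
        elif have < want:
            findings.append((name, f"{have} is weaker than baseline {want}"))
    # Defaults stated on this page: minimum 5, maximum 32.
    lo, hi = policy.get("PPP_MINIMUM_LENGTH", 5), policy.get("PPP_MAXIMUM_LENGTH", 32)
    if lo > hi:
        findings.append(("PPP_MAXIMUM_LENGTH", f"{hi} is below minimum length {lo}"))
    return findings

# Constructed sample db.php contents, not taken from a real installation.
SAMPLE_DB_PHP = """<?php
define('EXAMPLE_OTHER_SETTING', 'value');
define('PPP_MINIMUM_LENGTH', 8);
// define('PPP_NUMERICAL_CHARACTER_REQUIRED', 1);
define('PPP_UPPERCASE_CHARACTER_REQUIRED', 1);
define('PPP_EXPIRATION_IN', 365);
"""
```

Only integer literals on lines that are not whole-line comments are recognized; a define that follows other code on the same line as a trailing comment would still be counted.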

Login after Customizing Authentication

The next time users log in after one of the above authentication parameters has been changed, ProcessMaker will check whether their passwords conform to the new configuration. If the current password does not conform, then after login, the Change Password dialog will appear, asking the user to enter a new password.

For example, if the following parameters have been added to the db.php file:

define('PPP_MINIMUM_LENGTH', 8);
define('PPP_MAXIMUM_LENGTH', 32);
define('PPP_NUMERICAL_CHARACTER_REQUIRED', 1);

The Change Password dialog will ask for a password with those requirements.

Enter a new password and then retype it a second time, then click on Save. At the next login, use the new password.

Adding Custom Code

If you would like to add custom PHP code to check passwords, edit the file <INSTALL-DIRECTORY>/workflow/engine/classes/model/UsersProperties.php

In Linux/UNIX, it can generally be found at:

/opt/processmaker/workflow/engine/classes/model/UsersProperties.php

In Windows, it can generally be found at:

<INSTALL-DIRECTORY>\processmaker\workflow\engine\classes\model\UsersProperties.php

This file, however, may be overwritten every time a new upgrade patch or version is applied to ProcessMaker, so be sure to make a backup copy of your custom code and reapply it after an upgrade.