Add setting for minimal password length [CORE5156] #5439
Comments
Modified by: @pavel-zotov priority: Major [ 3 ] => Minor [ 4 ]
Modified by: @pavel-zotov Attachment: userman.py.7z [ 12923 ]
Modified by: @AlexPeshkoff assignee: Alexander Peshkov [ alexpeshkoff ]
Commented by: @aafemt As we have plugin-based security now, this option should be in the plugin's config, IMHO.
Commented by: @AlexPeshkoff Or it may be enforced for all plugins.
Commented by: @sim1984 This improvement should affect not only the length of the password. It is necessary to define some security policies that cover other properties such as password complexity, password expiration, etc.
Modified by: @AlexPeshkoff Fix Version: 4.1 Initial [ 10961 ]
Commented by: @mrotteveel I'm not sure if adding rules for password complexity makes sense. The general consensus in the security community is that complexity rules make passwords actually less complex and less secure, not more, because they reduce the keyspace and cause users to create more predictable passwords. The same goes for password expiration rules: they cause users to select easier-to-guess passwords based on their previous password. And although setting a minimum password length is a good idea, abusing such a feature to force users to create a very long password also leads to less secure passwords (e.g. because the password is actually a shorter password repeated twice, or uses a predictable pattern).
Submitted by: @pavel-zotov
Attachments:
userman.py.7z
Votes: 1
Currently one may change the password of an existing user to an empty string ( '' ); an example can be seen in the attached python script.
It would be useful to have a configurable setting that prevents such changes and also requires a minimal number of different characters in the password (in order to exclude trivial cases like 'aaaaa', 'qwe', etc.).
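As an added illustration (not Firebird's code and not the attached userman.py), a small policy checker covering the checks this issue asks for, empty password, minimum length and minimum number of distinct characters, plus the "shorter password repeated" case raised in the comments; the policy field names are assumptions, not real Firebird settings.

```python
"""Password-policy check modelled on this issue. Constructed example; the
policy field names below are hypothetical, not Firebird configuration keys."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8           # hypothetical setting: minimal password length
    min_distinct_chars: int = 4   # hypothetical setting: minimal number of distinct characters


def is_repetition(password: str) -> bool:
    """True if the password is a shorter string repeated two or more times,
    e.g. 'aaaaa' or 'abcabc' (the pattern mentioned in the comments)."""
    n = len(password)
    if n < 2:
        return False
    # A string with a period shorter than its own length reappears inside
    # (s + s) at an index strictly between 0 and len(s).
    return (password + password).find(password, 1) < n


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if password == "":
        # The issue's core case: changing a password to '' must be refused.
        problems.append("empty password")
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(set(password)) < policy.min_distinct_chars:
        problems.append(f"fewer than {policy.min_distinct_chars} distinct characters")
    if is_repetition(password):
        problems.append("repeated shorter string")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the trivial cases from the issue text and one good password.
    for candidate in ["", "aaaaa", "qwe", "abcdabcd", "correct horse"]:
        print(repr(candidate), "->", check_password(candidate, PasswordPolicy()) or "ok")
```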