BoltAuth / Auth

Auth extension for Bolt
MIT License

[RFC] LoginPasswordType - Remove password length constraint. #28

Closed artggd closed 3 years ago

artggd commented 6 years ago

Hi,

The form LoginPasswordType has a constraint on the password length. This kind of constraint is useful for password creation / update but not much for the login form.

My issue here is that I'm extending BoltAuth by adding a custom AuthorisationHandler to allow my users to log in through a webservice. Some of these existing users have passwords with less than 6 characters.

I could override the form itself but I reckon this constraint could simply be removed because it also gives a potential attacker a clue on the passwords hashed in the database.

Alternatively, making the length configurable could be a solution.

SvanteRichter commented 6 years ago

I usually like the current NIST guidelines for these sorts of things:

Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber.

from https://pages.nist.gov/800-63-3/sp800-63b.html#reqauthtype

But, adding an option to configure the minlength seems fine by me as long as it defaults to 6 or 8.
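One way to implement the configurable minimum discussed in both comments above, as an added example that is not BoltAuth's own code: a Symfony form type whose `min_length` option defaults to 8 (the NIST figure) and can be set to `null` for the login form, so the length rule protects password creation and update without blocking legacy users or hinting at stored password lengths. The class name and the `min_length` option are hypothetical.

```php
<?php
// Added example (not BoltAuth's code): a password form type whose minimum
// length is a form option. Class and option names are hypothetical.

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\PasswordType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\Validator\Constraints\Length;
use Symfony\Component\Validator\Constraints\NotBlank;

class ConfigurablePasswordType extends AbstractType
{
    public function configureOptions(OptionsResolver $resolver)
    {
        $resolver->setDefaults([
            // Default follows NIST SP 800-63B (8 characters);
            // null disables the length check entirely.
            'min_length' => 8,
        ]);
        $resolver->setAllowedTypes('min_length', ['int', 'null']);
    }

    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        // A password is always required; the length rule is opt-out.
        $constraints = [new NotBlank()];
        if ($options['min_length'] !== null) {
            $constraints[] = new Length(['min' => $options['min_length']]);
        }

        $builder->add('password', PasswordType::class, [
            'constraints' => $constraints,
        ]);
    }
}

// Registration / password change: enforce the configured minimum.
// $form = $factory->create(ConfigurablePasswordType::class, null, ['min_length' => 8]);
//
// Login: no length check, so existing short passwords can still be
// submitted and the form does not disclose any stored-length policy.
// $form = $factory->create(ConfigurablePasswordType::class, null, ['min_length' => null]);
```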