BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License

Configurable Password Policy #1856

Open Cave-Johnson opened 4 years ago

Cave-Johnson commented 4 years ago

Describe the feature you'd like
I would like the ability for an administrator to be able to configure a minimum requirement for a password policy.

Describe the benefits this feature would bring to BookStack users
This would allow admins to increase the minimum password complexity for user accounts, increasing the overall security of the BookStack instance. Currently it is possible for a user to set a password of "aaaaaa".

Additional context
With the nature of a wiki, some sensitive information can be stored within BookStack. It would be good to minimise the chance that sensitive information is accidentally exposed by a weak password.

A simple implementation of this would be to have the following check boxes in the admin settings page.

Check boxes to enable the following:

- [ ] Require digits
- [ ] Require uppercase and lowercase characters
- [ ] Require special characters
- [ ] Disable repetitive or sequential characters (e.g. 'aaaaaa', '1234abcd')

An added bonus would be the option to integrate the haveibeenpwned API to disallow the use of known compromised passwords (or, as I realise the v3 API requires a paid-for API key, provide the location of a local copy of the data file they provide for free): https://haveibeenpwned.com/API/v3

This is obviously a hotly debated topic; however, a summary of the new NIST guidelines, which sums it up, can be found here: https://spycloud.com/new-nist-guidelines/

This would also go quite nicely with https://github.com/BookStackApp/BookStack/issues/1118
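One way the policy sketched in this issue could fit together, as an added example for this thread rather than BookStack's own code or Laravel's validation rules: the four check boxes plus a minimum length are read from .env-style settings, and the "known compromised" check is done against a local copy of the HIBP download, so the candidate password is only ever hashed locally. The variable names (PASSWORD_MIN_LENGTH, PASSWORD_REQUIRE_DIGITS, ...), the run lengths used to call a password "repetitive or sequential" (3 identical or 4 stepping characters), and the sample .env and HIBP-format lines are all assumptions made for this example.

```python
"""Configurable password policy with an offline check against a local copy of
the Have I Been Pwned (HIBP) password list. Added example for this thread, not
BookStack's code; the .env names, thresholds and sample data are assumptions."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 8
    require_digits: bool = False
    require_mixed_case: bool = False
    require_special: bool = False
    reject_repetitive_or_sequential: bool = False


def policy_from_env(env_text: str) -> PasswordPolicy:
    """Build a policy from .env-style lines. The variable names are hypothetical
    (BookStack does not define them); unknown keys are ignored."""
    truthy = {"1", "true", "yes", "on"}
    values: dict[str, str] = {}
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').lower()
    return PasswordPolicy(
        min_length=int(values.get("PASSWORD_MIN_LENGTH", "8")),
        require_digits=values.get("PASSWORD_REQUIRE_DIGITS") in truthy,
        require_mixed_case=values.get("PASSWORD_REQUIRE_MIXED_CASE") in truthy,
        require_special=values.get("PASSWORD_REQUIRE_SPECIAL") in truthy,
        reject_repetitive_or_sequential=values.get("PASSWORD_REJECT_SEQUENTIAL") in truthy,
    )


def has_repetitive_or_sequential(password: str, repeat_run: int = 3, seq_run: int = 4) -> bool:
    """True for `repeat_run` identical characters in a row ('aaa') or `seq_run`
    characters whose code points step by +1 or -1 ('1234', 'abcd', 'dcba').
    The run lengths are this example's choice, not a standard."""
    for run, allowed in ((repeat_run, {0}), (seq_run, {1}), (seq_run, {-1})):
        for i in range(len(password) - run + 1):
            window = password[i:i + run]
            diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
            if diffs == allowed:
                return True
    return False


def load_pwned_hashes(lines) -> dict[str, int]:
    """Parse 'SHA1HEX:count' lines (the format of the downloadable HIBP list)
    into a table keyed by upper-case hex digest."""
    table: dict[str, int] = {}
    for line in lines:
        line = line.strip()
        if line:
            digest, _, count = line.partition(":")
            table[digest.upper()] = int(count or 0)
    return table


def pwned_count(password: str, table: dict[str, int]) -> int:
    """Breach count from the local list (0 if absent). Only the SHA-1 of the
    candidate is computed, locally; the password never leaves the process."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return table.get(digest, 0)


def check_password(password: str, policy: PasswordPolicy,
                   pwned: dict[str, int] | None = None) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    failures: list[str] = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.require_digits and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if policy.require_mixed_case and not (
        any(c.islower() for c in password) and any(c.isupper() for c in password)
    ):
        failures.append("not both upper- and lower-case")
    if policy.require_special and not any(not c.isalnum() for c in password):
        failures.append("no special character")
    if policy.reject_repetitive_or_sequential and has_repetitive_or_sequential(password):
        failures.append("repetitive or sequential characters")
    if pwned is not None:
        count = pwned_count(password, pwned)
        if count:
            failures.append(f"found {count} times in known breaches")
    return failures


# Constructed sample settings (hypothetical variable names for this example).
SAMPLE_ENV = """
PASSWORD_MIN_LENGTH=8
PASSWORD_REQUIRE_DIGITS=true
PASSWORD_REQUIRE_MIXED_CASE=true
PASSWORD_REQUIRE_SPECIAL=true
PASSWORD_REJECT_SEQUENTIAL=true
"""

# Stand-in for a few lines of the HIBP download: hashes are computed here and
# the counts are placeholders, so this is constructed data, not real HIBP data.
SAMPLE_PWNED_FILE = "\n".join(
    f"{hashlib.sha1(p.encode()).hexdigest().upper()}:{n}"
    for p, n in [("password", 1000), ("aaaaaa", 100), ("1234abcd", 50)]
)
```

Running `check_password("aaaaaa", policy_from_env(SAMPLE_ENV), load_pwned_hashes(SAMPLE_PWNED_FILE.splitlines()))` reports all six problems at once rather than stopping at the first, which is what an admin-facing form needs; the real HIBP file is large enough that a production version would keep the table in a database or use the API's hash-prefix lookup instead of loading it into memory.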

makrele568 commented 2 years ago

+1 Is there a way to change the password length from 8 to 6 characters?

HungryHowies commented 1 year ago

+1

melat0nin commented 6 months ago

I think this is absolutely necessary, especially for instances used by non-technical folk who might not understand the importance of strong passwords, and might not understand/be willing to use MFA.

Personally I don't think a GUI is necessary, since those setting the policy are likely the same people setting up BookStack and therefore will likely be familiar with modifying the .env file.

Since these requirements are built into Laravel it seems like a no-brainer to implement them in BookStack.