DMPRoadmap / roadmap

DCC/UC3 collaboration for a data management planning tool
MIT License

Password requirements #2984

Open magdalenadrafiova opened 3 years ago

magdalenadrafiova commented 3 years ago

We have received an email saying that the passwords should have some requirements. One client shared with us their current requirement at their organisation:

At least 14 characters At least 3 of the complexity requirements below:

@briri @raycarrick I am not sure whether broadly speaking this is something we are planning to implement, or start having some password requirements?

raycarrick-ed commented 3 years ago

It is something we have discussed. I would suspect that if we implement it at an instance level then whatever we implement will not be acceptable to someone. So I would expect that we will have to implement a system whereby the org admin can set their own constraints. But that will require some careful designing, e.g. how to handle the situation where an org admin creates a set of rules for passwords but some existing passwords no longer conform to them.

briri commented 3 years ago

Agree with @raycarrick-ed

The config/initializers/devise.rb allows us to define a min/max password length (current is 8 to 128 characters).

The Devise gem we use to manage authentication is pretty robust and configurable. Here's an interesting read: https://stackify.com/how-to-do-authentication-right-with-rails-devise/

Here is an add-on gem that could be used to define the complexity: https://github.com/devise-security/devise-security The config (regex or whatever this gem requires) could be stored in a DB table if you want admins to be able to configure it.

There might be a way to tie into that gem's logic that forces people to reset/renew their password
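As an added example (not DMPRoadmap code, and not the devise-security gem's own API), here is plain Ruby sketching the per-org configurable policy discussed above, of the shape the client asked for: "at least N characters, at least K of the complexity classes". The four character classes and the `min_length` / `classes_required` names are assumptions, since the issue does not list the client's actual classes; `login_outcome` shows how the "existing passwords no longer conform" case can only be evaluated when the plaintext is next presented at sign-in.

```ruby
# Constructed example: an org-admin configurable password policy.
# The four classes are an assumption; the issue elides the client's real list.
class PasswordPolicy
  # Devise's own length bounds from config/initializers/devise.rb (8..128 per this thread)
  DEVISE_LENGTH = (8..128).freeze

  CLASSES = {
    upper:  /[A-Z]/,
    lower:  /[a-z]/,
    digit:  /\d/,
    symbol: /[^A-Za-z0-9]/
  }.freeze

  attr_reader :min_length, :classes_required

  # In a real deployment these values would come from a per-org DB row (hypothetical).
  def initialize(min_length: 14, classes_required: 3)
    raise ArgumentError, "min_length must be within #{DEVISE_LENGTH}" unless DEVISE_LENGTH.cover?(min_length)
    raise ArgumentError, "classes_required must be 0..#{CLASSES.size}" unless (0..CLASSES.size).cover?(classes_required)
    @min_length = min_length
    @classes_required = classes_required
  end

  # Returns the rules a candidate password breaks (empty array when compliant).
  def violations(password)
    pw = password.to_s
    out = []
    out << :too_short if pw.length < min_length
    out << :too_long  if pw.length > DEVISE_LENGTH.max
    matched = CLASSES.count { |_, re| pw.match?(re) }
    out << :insufficient_complexity if matched < classes_required
    out
  end

  def compliant?(password)
    violations(password).empty?
  end

  # Stored passwords are only hashes, so a rule change can be checked only when
  # the plaintext is next presented, i.e. at sign-in. A password set after the
  # policy took effect was already validated against it; an older one that now
  # fails gets :must_change instead of silently remaining non-compliant.
  def login_outcome(password, password_changed_at:, policy_effective_from:)
    return :ok if password_changed_at >= policy_effective_from
    compliant?(password) ? :ok : :must_change
  end
end
```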

dsisu commented 3 years ago

OK. Whether we plan to implement password requirements in the long run is one question and the link to the article @briri sent is really interesting, particularly the bit about convoluted passwords requirements and what effect they have on the user.

However, the question we need to answer for the user now is whether our current rules prevent us from including any of the above characters:

I could find the answer in a rudimentary way, by changing passwords for one of my profiles but I'd rather give a professional and confident answer from my developers :) Discussion on imposing password requirements will need further discussion. For now, please tell me what the status quo is. Thank you!

raycarrick-ed commented 3 years ago

We can have passwords at the moment with those characters in but I think what the user is asking for is for us to enforce that every password should have

"At least 14 characters At least 3 of the complexity requirements below:...."

and we can't do that at the moment.

So the answer for the user is "Not at the moment but it is something we are looking into"

dsisu commented 3 years ago

On 2 August 2021 Petra van Overveld wrote:

'Dear Diana,

I fully understand that you can't impose these new requirements on new users and that is also not needed/requested from our side. For us, it is good to know that the system can accommodate the LUMC password requirements. Thank you for sorting this out for us!

Best wishes, Petra'

Note for UoE team: see Salesforce case no 00023722.

So, as far as Leiden University is concerned, the enquiry was about whether we can accommodate rather than enforce their password. Ray suggested we keep the issue open because the query of enforcement will pop up at some point and we need to get ready.