HDInnovations / UNIT3D-Community-Edition

Private Torrent Tracker Built With Laravel, Livewire and AlpineJS.
GNU Affero General Public License v3.0

NIST Password Rules #443

Closed HDVinnie closed 5 years ago

HDVinnie commented 5 years ago

Issue Type

Add validation rules that follow the password related recommendations found in NIST Special Publication 800-63B section 5.

NIST Password Rules implements the following recommendations.

| Recommendation | Implementation |
| --- | --- |
| [...] at least 8 characters in length | A standard validation rule in all rule sets to validate against this minimum length of 8 characters. |
| Passwords obtained from previous breach corpuses | A rule that securely checks the password against previous 3rd party data breaches, using the Have I Been Pwned - Pwned Passwords API. |
| Dictionary words | A rule that checks the password against a list of over 102k dictionary words. |
| Context-specific words, such as the name of the service, the username | A rule that checks the password does not contain the provided username, and any words defined in the configured app name or app URL. |
| Context-specific words, [...] and derivatives thereof | A rule that checks the password is not too similar to the provided username, and any words defined in the configured app name or app URL. |

These rules will be checked against the following functions:

- Register
- Login
- Change Password (No Auth Forgot Password, Authed Update Password, Staff Force Update Password Tool)

While UNIT3D does offer a hashing algorithm of Bcrypt or Argon2 for passwords, this does not stop users from using stupid passwords!
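
The five rules in the table above, as an added example that is not UNIT3D's code (and written in Python rather than the project's PHP so it runs stand-alone). The breach check uses the Pwned Passwords k-anonymity range API: only the first five hex characters of the SHA-1 are sent, and the client matches the remaining 35 locally. The username `alice_t`, app name `UNIT3D`, URL `https://unit3d.example`, the six-word dictionary, the breach counts in the fake range response and the 0.8 similarity threshold are all constructed for illustration.

```python
"""NIST SP 800-63B style password checks (added example, not UNIT3D's code)."""
import difflib
import hashlib
import re
import urllib.request
from urllib.parse import urlparse

# Constructed stand-in for a dictionary wordlist (the real rule uses ~102k words).
DICTIONARY = {"password", "letmein", "dragon", "monkey", "welcome", "football"}

# Common substitutions reversed, so "Al1ce" normalises to "alice" (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Tokens that appear in almost every URL and carry no user-specific information.
GENERIC_TOKENS = {"www", "com", "net", "org"}


def hibp_range_lookup(password: str, fetch_range) -> int:
    """Return the breach count for `password` via the k-anonymity range API.

    Only SHA1(password)[:5] leaves the client. `fetch_range(prefix)` returns the
    body of GET https://api.pwnedpasswords.com/range/{prefix}: one
    'SUFFIX:COUNT' entry per line (padded responses include COUNT 0 entries).
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count or 0)
    return 0


def hibp_fetch_range_http(prefix: str) -> str:
    """Live fetcher for hibp_range_lookup (not used by the offline demo below)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed breach counts; the real API returns whatever HIBP has on record.
BREACHED_SAMPLE = {"password": 3861493, "letmein": 244532}


def fake_hibp_range(prefix: str) -> str:
    """Offline stand-in for the range endpoint, built from BREACHED_SAMPLE."""
    lines = ["0018A45C4D1DEF81644B54AB7F969B88D65:0"]  # padding-style entry
    for pw, count in BREACHED_SAMPLE.items():
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def context_words(username: str, app_name: str, app_url: str) -> set:
    """Username, app-name and URL-host tokens the password must not contain."""
    host = urlparse(app_url).hostname or ""
    tokens = set()
    for text in (username, app_name, host):
        for tok in re.split(r"[^a-z0-9]+", text.lower()):
            if len(tok) >= 3 and tok not in GENERIC_TOKENS:
                tokens.add(tok)
    return tokens


def too_similar(pw: str, words: set, threshold: float) -> bool:
    """True if the whole password, or any window the size of a context word,
    is within `threshold` edit-similarity of that word (the 'derivatives' rule)."""
    for w in words:
        if difflib.SequenceMatcher(None, pw, w).ratio() >= threshold:
            return True
        n = len(w)
        for i in range(max(1, len(pw) - n + 1)):
            if difflib.SequenceMatcher(None, pw[i:i + n], w).ratio() >= threshold:
                return True
    return False


def validate_password(password, username, app_name, app_url, fetch_range,
                      min_length=8, similarity=0.8):
    """Return the names of the failed rules; an empty list means the password passes."""
    failures = []
    if len(password) < min_length:
        failures.append("min_length")
    if hibp_range_lookup(password, fetch_range) > 0:
        failures.append("breached")
    pw = password.lower()
    if pw in DICTIONARY:
        failures.append("dictionary")
    words = context_words(username, app_name, app_url)
    if any(w in pw for w in words):
        failures.append("context_word")
    elif any(w in pw.translate(LEET) for w in words) or too_similar(pw, words, similarity):
        failures.append("context_derivative")
    return failures


if __name__ == "__main__":
    for candidate in ("password", "Al1ce!!2024", "xAlicex123", "correct horse battery staple"):
        print(candidate, validate_password(candidate, "alice_t", "UNIT3D",
                                           "https://unit3d.example", fake_hibp_range))
```

The registration, login and password-change paths in the issue would all call `validate_password` with the submitted password and the account's username; swap `fake_hibp_range` for `hibp_fetch_range_http` in production, and treat a network failure there as a separate decision (fail closed for new passwords, fail open for login) rather than silently reporting "not breached".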

HDVinnie commented 5 years ago

Closed in #841