Closed dan-langridge closed 1 week ago
QA instructions: Passwords on the website should not be accepted unless they are over 8 characters and contain at least one uppercase, lowercase, numeric, and special character. Check that these restrictions are applied in all places:
make sure all ways of submitting the various forms only accept passwords of the above form, e.g. pressing the button, pressing Enter, etc.
QA'd all except the Enter button (hotfix pending)
Happy that this is complete
Is your feature request related to a problem? If so, please describe.
When I reset my password as a new user, the only validation is a minimum of 6 characters, but there should be a little more checking given it's a publicly-facing system with sensitive personal information.
Describe the solution / feature you'd like
Some basic complexity rules in place for new or reset passwords. Prevent users from assigning 'password' or '123123', etc.
Additional context
I don't personally believe that forcing users to design complex passwords necessarily makes things more secure, but zero checks just isn't consistent with the GDPR security principle in the longer term, given any user can in effect download a full client list via the Parcels page.
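As an added illustration of what the QA instructions above and this feature request ask for, not code from the project itself: a single password-policy function that enforces the stated rules (longer than 8 characters; at least one uppercase, lowercase, numeric and special character) and rejects a denylist of well-known weak passwords such as 'password' and '123123'. Placing the check in a server-side handler, rather than in the form's button handler, is what makes it apply equally to every submission path (button, Enter key, direct API call). The function names, the denylist contents and the sample inputs are assumptions made for this example.

```javascript
// Added example (not the project's code): password complexity check plus a
// denylist, shared by every submission path via a server-side handler.

// Constructed denylist for the example; a real deployment would use a much
// larger list (the issue's examples plus a breached-password corpus).
const DENYLIST = new Set(["password", "123123", "12345678", "qwerty", "letmein"]);

// Each rule is independent so the caller can report every failure at once
// instead of making the user fix one problem per submission.
const RULES = [
  { id: "length",    test: (p) => p.length > 8,            message: "must be longer than 8 characters" },
  { id: "uppercase", test: (p) => /[A-Z]/.test(p),         message: "must contain an uppercase letter" },
  { id: "lowercase", test: (p) => /[a-z]/.test(p),         message: "must contain a lowercase letter" },
  { id: "digit",     test: (p) => /[0-9]/.test(p),         message: "must contain a digit" },
  { id: "special",   test: (p) => /[^A-Za-z0-9]/.test(p),  message: "must contain a special character" },
  // Case-insensitive exact match against the denylist ("Password" is still "password").
  { id: "denylist",  test: (p) => !DENYLIST.has(p.toLowerCase()), message: "is too common" },
];

// Returns { ok, failures } where failures lists the ids of every rule not met.
function validatePassword(password) {
  if (typeof password !== "string") {
    return { ok: false, failures: ["invalid"] };
  }
  const failures = RULES.filter((r) => !r.test(password)).map((r) => r.id);
  return { ok: failures.length === 0, failures };
}

// Hypothetical reset handler: because the check runs here, behind the form,
// it cannot be bypassed by submitting with Enter instead of the button or by
// posting the request directly.
function handlePasswordReset(body) {
  const result = validatePassword(body && body.password);
  if (!result.ok) {
    const errors = result.failures.map((id) => {
      const rule = RULES.find((r) => r.id === id);
      return rule ? `Password ${rule.message}` : "Password is invalid";
    });
    return { status: 400, errors };
  }
  return { status: 200 };
}

// Usage with constructed inputs:
console.log(validatePassword("Correct-Horse9"));   // { ok: true, failures: [] }
console.log(validatePassword("password").failures); // every rule except lowercase
console.log(handlePasswordReset({ password: "short" }).status); // 400
```

The denylist here matches whole passwords only; a stricter variant would also reject entries with trivial suffixes (e.g. a single digit or symbol appended), which is a product decision rather than something this issue specifies.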