StackStorm / st2-packages

StackStorm deb/rpm packages (automated docker build pipeline)
https://stackstorm.com/

Added Password validation check #703

Open shivani-orch opened 3 years ago

shivani-orch commented 3 years ago

We have fixed this OWASP issue: the application accepts very weak passwords like 'test'. A strong password policy has been implemented: a minimum 8-character password consisting of letters, special characters, numbers, etc.

amanda11 commented 3 years ago

Does this only enforce the password rule on stdin, not via the password parameter? It would seem wrong to only enforce the policy interactively and not on the command line.

Also, in st2-bootstrap the default if they don't specify is still Ch@ngeMe, which wouldn't match the policy if the policy requires a number.

Has the password policy been agreed? In particular, the chosen policy breaks the default password that is used throughout many repos (including this repo, in st2_bootstraph.sh).

Therefore, if this password policy is agreed, then I think before it can be implemented, all other places in the different repos that use the current default password will need updating first, to prevent breakages. E.g. it's used in at least st2ci/st2cd/st2/st2vagrant/st2-docker/packer-st2, and many more. Alternatively, a password policy that required a special character or a digit rather than both would avoid the need to change all the other repos.
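To make the two review points concrete (the check must apply to the `--password` argument as well as stdin, and the stricter "letter + digit + special" policy rejects the `Ch@ngeMe` default while a "letter + (digit or special)" policy accepts it), here is an added standalone example. It is not code from this PR or from st2-packages; the function names `validate_password`, `password_from_cli_or_stdin` and `check_password`, the policy names `STRICT` and `RELAXED`, and the command-line flags are assumptions made for this illustration.

```python
import argparse
import re
import sys

# Hypothetical policy names for this example (not st2-packages identifiers).
STRICT = "letter+digit+special"      # the policy described in the PR
RELAXED = "letter+(digit|special)"   # the alternative suggested in review

MIN_LENGTH = 8
# Anything that is not an ASCII letter or digit counts as a "special" character.
SPECIAL = re.compile(r"[^A-Za-z0-9]")


def validate_password(password, policy=STRICT):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = SPECIAL.search(password) is not None
    if not has_letter:
        problems.append("no letter")
    if policy == STRICT:
        if not has_digit:
            problems.append("no digit")
        if not has_special:
            problems.append("no special character")
    elif policy == RELAXED:
        if not (has_digit or has_special):
            problems.append("no digit or special character")
    else:
        raise ValueError("unknown policy: %r" % policy)
    return problems


def password_from_cli_or_stdin(cli_value, stdin_text):
    """Pick the password from --password if given, otherwise the first line of stdin.

    The caller never sees which path was taken, so the same policy check runs either way.
    """
    if cli_value is not None:
        return cli_value
    lines = stdin_text.splitlines()
    return lines[0] if lines else ""


def check_password(cli_value=None, stdin_text="", policy=STRICT):
    """Validate the password regardless of whether it arrived via the CLI flag or stdin."""
    return validate_password(password_from_cli_or_stdin(cli_value, stdin_text), policy)


def main(argv=None):
    parser = argparse.ArgumentParser(description="password policy check (example)")
    parser.add_argument("--password", help="password to check; read from stdin if omitted")
    parser.add_argument("--policy", choices=[STRICT, RELAXED], default=STRICT)
    args = parser.parse_args(argv)
    stdin_text = "" if args.password is not None else sys.stdin.read()
    problems = check_password(args.password, stdin_text, args.policy)
    if problems:
        print("rejected: " + ", ".join(problems))
        return 1
    print("accepted")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running `python3 example.py --password Ch@ngeMe` reports `rejected: no digit` under the strict policy and `accepted` with `--policy 'letter+(digit|special)'`, and `printf 'Ch@ngeMe\n' | python3 example.py` gives the same result as the flag, which is the behaviour the review asks for.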

CLAassistant commented 2 years ago

CLA assistant check
All committers have signed the CLA.