Open theniwo opened 1 year ago
I would love to see the adoption of the NIST's new password guidelines as a starting point:
The length thing is what will trip up most people. It should be at least 8, but that's it. Enforcing long passwords "just because" has been shown to have the opposite effect. It makes people create gibberish passwords that aren't actually secure, just to get to the limit. Also, making them include different character classes like A-Z, a-z, 0-9 isn't safe. It just leads to insecure passwords.
The only one I would see us not using is the last part about comparing them with online breach databases. For a self-hosted app that likely won't happen, as those services tend to cost money.
It adds some complexity, but a solid compromise between forcing healthy password policies and good security is customizable password policies. A password policy page under settings that allows the admins/root to change the policy would be ideal. That way, users that are hosting but not proxying/forwarding/sharing need not worry.
Additionally, if we copy nextcloud's homework and use their "password database" validator it could be a meaningful addition. The HIBP pwnedpasswords API they are using is free.
https://haveibeenpwned.com/Passwords
It's actually pretty awesome, and if you inspect the request in dev tools, it's very simple.
Any progress?
Could this be handled by using OIDC for SSO (or other authentication methods if added) instead of requiring ABS to enforce password policies? https://github.com/advplyr/audiobookshelf/issues/998
@nichwall

> Could this be handled by using OIDC for SSO (or other authentication methods if added) instead of requiring ABS to enforce password policies? #998

Yes, every Identity Provider should be able to configure that properly; some even have very advanced features as mentioned above (like comparing with haveibeenpwned etc.). Complexity-wise, I think it only makes sense for ABS to have simple rules (like a minimum number of characters), and for more advanced use cases people should configure OIDC and disable local auth.
We need administrative settings to control the strength of a password.
Currently users can set their password to anything unsafe.
These requirements should be enableable