Closed epageperron closed 5 years ago
Some good thoughts here: https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
TL;DR:
As I understand it, Drupal 8 allows for most of this (maybe not the dictionary check) in its current implementation, with plans to switch to the PHP 7.2 password_hash() and password_verify() functions (and backport something compatible for older PHP versions) once it stabilizes (https://www.drupal.org/project/drupal/issues/1845004).
Actually, it looks like the PHP API has stabilized and works in 5.5+: https://secure.php.net/manual/en/function.password-hash.php
Currently it uses BCrypt as the default (so maximum password/passphrase length of 72 characters), although the Argon2i option will eventually become the default (currently requires PHP 7.2 which includes libsodium)
Since we are not going to use Drupal 8 as discussed this week, this needs to be implemented in CakePHP
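Since the thread lands on PHP's password_hash()/password_verify() and the bcrypt 72-byte limit, here is an added example (my code, not from the issue, Drupal, or the CDLI CakePHP code base) of the policy an implementation would need: prefer Argon2 when the PHP build has it, refuse to let bcrypt silently truncate long passphrases, and migrate existing hashes on successful login with password_needs_rehash(). Note that bcrypt's limit is 72 bytes, not characters, so a UTF-8 passphrase hits it sooner. The function names, cost values and sample passphrases are assumptions; the three password_* calls and the Argon2 constants are PHP's own.

```php
<?php
declare(strict_types=1);

// Added example (not code from the issue, Drupal, or the CDLI CakePHP project).
// Syntax needs PHP >= 7.1. password_hash()/password_verify() exist since 5.5,
// password_needs_rehash() since 5.6. PASSWORD_ARGON2I exists only in builds
// compiled with Argon2 support (PHP >= 7.2), PASSWORD_ARGON2ID from 7.3.

const BCRYPT_MAX_BYTES = 72; // bcrypt uses at most the first 72 bytes of the input

/** Strongest password_hash() algorithm available in this PHP build. */
function preferred_algo(): string
{
    if (defined('PASSWORD_ARGON2ID')) {
        return PASSWORD_ARGON2ID;
    }
    if (defined('PASSWORD_ARGON2I')) {
        return PASSWORD_ARGON2I;
    }
    return PASSWORD_BCRYPT;
}

/** Work-factor options (constructed values; tune them to the server's budget). */
function preferred_options(string $algo): array
{
    return $algo === PASSWORD_BCRYPT
        ? ['cost' => 12]
        : ['memory_cost' => 64 * 1024, 'time_cost' => 4, 'threads' => 1];
}

/**
 * Hash a new password or passphrase. Under bcrypt, reject input over 72 bytes
 * rather than let the algorithm silently truncate it; Argon2 has no such limit.
 */
function hash_password(string $password): string
{
    $algo = preferred_algo();
    if ($algo === PASSWORD_BCRYPT && strlen($password) > BCRYPT_MAX_BYTES) {
        throw new InvalidArgumentException(
            'bcrypt only uses the first ' . BCRYPT_MAX_BYTES . ' bytes; reject longer input'
        );
    }
    $hash = password_hash($password, $algo, preferred_options($algo));
    if (!is_string($hash)) { // PHP < 8 returns false on failure instead of throwing
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

/**
 * Login check. Returns ['ok' => bool, 'newHash' => ?string]; newHash is set
 * when the stored hash was made with an older algorithm or weaker options,
 * so the caller stores it and bcrypt users migrate to Argon2 at next login.
 */
function verify_login(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $algo = preferred_algo();
    $newHash = password_needs_rehash($storedHash, $algo, preferred_options($algo))
        ? hash_password($password)
        : null;
    return ['ok' => true, 'newHash' => $newHash];
}

// ---- demonstration with constructed inputs -------------------------------

// 1. The 72-byte caveat: two passphrases that differ only in byte 73 verify
//    against the same bcrypt hash (cost 4 only to keep the demo fast).
$long  = str_repeat('a', 72) . 'X';
$other = str_repeat('a', 72) . 'Y';
$bcryptHash = password_hash($long, PASSWORD_BCRYPT, ['cost' => 4]);
echo 'bcrypt ignores byte 73: ', var_export(password_verify($other, $bcryptHash), true), "\n";

// 2. The wrapper refuses such input instead of truncating (bcrypt-only builds).
try {
    hash_password($long);
    echo "accepted: this build has Argon2, so there is no length limit\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// 3. Normal flow: hash at registration, verify at login; a hash made under the
//    current policy needs no rehash, so newHash stays null.
$stored = hash_password('correct horse battery staple');
$result = verify_login('correct horse battery staple', $stored);
echo 'login ok: ', var_export($result['ok'], true),
     ', rehash needed: ', var_export($result['newHash'] !== null, true), "\n";

// 4. A legacy low-cost bcrypt hash is upgraded transparently on a successful login.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 4]);
$result = verify_login('correct horse battery staple', $legacy);
echo 'legacy login ok: ', var_export($result['ok'], true),
     ', rehash needed: ', var_export($result['newHash'] !== null, true), "\n";
```

CakePHP 3's Cake\Auth\DefaultPasswordHasher wraps the same three calls (hash(), check(), needsRehash(), configured through hashType and hashOptions), so this policy can be applied there either by configuration or by subclassing it to add the length check; the rehash-on-login step still has to be done by the login action, since verification alone never rewrites the stored hash.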
Summary
https://imgs.xkcd.com/comics/password_strength.png
Other links or relevant information
Roadmap Data
🗓 Start Date:
🗓 Expected Date:
💪 Label:
📈 Progress (0-1):
See Gantt: http://cdli-dev.org/gantt/Framework/