cdli-gh / Framework

CDLI General issues & CDLI Framework Update project work packages

Force strong passwords #52

Closed epageperron closed 5 years ago

epageperron commented 6 years ago

Summary

https://imgs.xkcd.com/comics/password_strength.png

Other links or relevant information

Roadmap Data

🗓 Start Date:

🗓 Expected Date:

💪 Label:

📈 Progress (0-1):

See Gantt: http://cdli-dev.org/gantt/Framework/

nomoon commented 6 years ago

Some good thoughts here: https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

TL;DR:

As I understand it, Drupal 8 allows for most of this (maybe not the dictionary check) in its current implementation, with plans to switch to PHP 7.2 password_hash() and password_verify() functions (and backport something compatible for older PHP versions) once it stabilizes (https://www.drupal.org/project/drupal/issues/1845004).

nomoon commented 6 years ago

Actually, it looks like the PHP API has stabilized and works in 5.5+: https://secure.php.net/manual/en/function.password-hash.php

Currently it uses BCrypt as the default (so maximum password/passphrase length of 72 characters), although the Argon2i option will eventually become the default (currently requires PHP 7.2, which includes libsodium).
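To make the points above concrete, here is an added example (not code from this thread, from CDLI or from CakePHP) of a small PHP helper that rejects passphrases bcrypt would silently truncate at 72 bytes, applies a minimum length and a blocklist check, and upgrades stored hashes to Argon2 via password_needs_rehash() when the PHP build offers it. The constants, blocklist words and function names are assumptions made for this example; it needs PHP 5.6+ with the mbstring extension.

```php
<?php
// Added example, not from the CDLI Framework issue. Constants and names are
// illustrative; Argon2 constants exist only when PHP was built with them.

const MIN_PASSPHRASE_LENGTH = 12;  // favour length over complexity rules
const PASSPHRASE_BLOCKLIST = ['password', 'correcthorsebatterystaple'];  // constructed list

/** Pick the strongest algorithm this PHP build offers (Argon2id > Argon2i > bcrypt). */
function preferredAlgo()
{
    if (defined('PASSWORD_ARGON2ID')) return PASSWORD_ARGON2ID;  // PHP 7.3+
    if (defined('PASSWORD_ARGON2I'))  return PASSWORD_ARGON2I;   // PHP 7.2+
    return PASSWORD_BCRYPT;
}

/** Return a list of policy violations; an empty array means the passphrase is acceptable. */
function checkPassphrase($passphrase, $algo)
{
    $problems = [];
    if (mb_strlen($passphrase) < MIN_PASSPHRASE_LENGTH) {
        $problems[] = 'shorter than ' . MIN_PASSPHRASE_LENGTH . ' characters';
    }
    // bcrypt ignores everything after byte 72, so two passphrases sharing their
    // first 72 bytes verify against the same hash: reject rather than truncate.
    if ($algo === PASSWORD_BCRYPT && strlen($passphrase) > 72) {
        $problems[] = 'longer than 72 bytes (bcrypt would truncate it)';
    }
    if (in_array(mb_strtolower($passphrase), PASSPHRASE_BLOCKLIST, true)) {
        $problems[] = 'on the blocklist';
    }
    return $problems;
}

/** Validate a new passphrase and return the hash to store, or throw on policy failure. */
function hashForStorage($passphrase)
{
    $algo = preferredAlgo();
    $problems = checkPassphrase($passphrase, $algo);
    if ($problems) {
        throw new InvalidArgumentException('Rejected passphrase: ' . implode('; ', $problems));
    }
    return password_hash($passphrase, $algo);
}

/** On login: verify, then return a fresh hash if the preferred algorithm has changed, else the old one; null on failure. */
function verifyAndMaybeRehash($passphrase, $storedHash)
{
    if (!password_verify($passphrase, $storedHash)) return null;
    $algo = preferredAlgo();
    return password_needs_rehash($storedHash, $algo) ? password_hash($passphrase, $algo) : $storedHash;
}
```

Calling verifyAndMaybeRehash() on every successful login lets existing bcrypt hashes migrate to Argon2 transparently once the server is upgraded to a build that has it.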

epageperron commented 6 years ago

Since we are not going to use Drupal 8 as discussed this week, this needs to be implemented in CakePHP.

epageperron commented 5 years ago

https://gitlab.com/cdli/framework/issues/107