dlr-eoc / prosEO

prosEO – A Processing System for Earth Observation Data
GNU General Public License v3.0

User Management: Implement password change and password quality check #51

Closed tangobravo62 closed 3 years ago

tangobravo62 commented 4 years ago

Currently only a user with privilege ROLE_USERMGR can change passwords. This shall extend to all users, and passwords entered shall be validated against password rules.

tangobravo62 commented 3 years ago

A password command was added to the CLI, and passwords now need to conform to the following rules:

Note that the backend service of the User Manager cannot detect whether a password was actually changed, because, due to the BCrypt algorithm used, the same password may yield different salted hashes with each encryption run. It is the responsibility of the calling component (CLI, GUI) to make sure that the password was indeed altered (and that it conforms to any applicable password policy).
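
The salted-hash behaviour and the caller-side check described in the comment above, as an added example that is not prosEO code and not part of the original thread. PBKDF2 from the Python standard library stands in for BCrypt here (both draw a fresh random salt per hash); `salted_hash`, `check_password_change` and `sample_policy` are hypothetical names, and the policy is constructed for the demo, not the project's rule set.

```python
import hashlib
import hmac
import os


def salted_hash(password, salt=None):
    """Stand-in for BCrypt: a fresh random salt per call, stored with the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def sample_policy(password):
    """Constructed policy for the demo only; not prosEO's rule set."""
    return [] if len(password) >= 10 else ["password shorter than 10 characters"]


def check_password_change(current, new, policy=None):
    """Caller-side (CLI/GUI) check run before the new password is sent on.

    Assumes the caller still holds the current password the user typed.
    Returns a list of problems; an empty list means the change may proceed.
    """
    problems = []
    # Compare the plaintexts, not their hashes, using a constant-time comparison.
    if hmac.compare_digest(current.encode("utf-8"), new.encode("utf-8")):
        problems.append("new password is identical to the current one")
    if policy is not None:
        problems.extend(policy(new))
    return problems


if __name__ == "__main__":
    first = salted_hash("Constructed-Passw0rd")
    second = salted_hash("Constructed-Passw0rd")
    # Same password, different salts: the stored strings never match.
    print("hashes equal:", first == second)
    print(check_password_change("Constructed-Passw0rd", "Constructed-Passw0rd"))
    print(check_password_change("Constructed-Passw0rd", "short", sample_policy))
    print(check_password_change("Constructed-Passw0rd", "Another-Passw0rd", sample_policy))
```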