Provide mechanisms to enforce password policies

elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine

https://www.elastic.co/products/elasticsearch

Other

1.19k stars 24.85k forks source link

Provide mechanisms to enforce password policies #76431

Open eddieturizo opened 3 years ago

eddieturizo commented 3 years ago

U.S. Department of Defense requirements state that there must be software mechanisms that allow for enforcing password complexity requirements.

16 character minimum
upper-case letters; lower-case letters; numbers and special characters (must include one of each)
at least 4 characters must be changed when new passwords are created
password must be changed every 180 days
re-use of the last 10 passwords is prohibited
provide an account locked mechanism

elasticmachine commented 3 years ago

Pinging @elastic/es-security (Team:Security)

tvernum commented 3 years ago

Our view on this to date has been if you need those sort of policies then you should use an external identity management system (LDAP, SAML, etc) instead.

Which is not to say that we will never introduce password policies, but it is not our goal to make it possible to solve every password or identity management problem inside the stack.