inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

[security] passwords : add more complexity #3612

Open nqb opened 6 years ago

nqb commented 6 years ago

Currently, passwords generated by PF are lowercase and 12 characters long. I think they could simply be broken by brute-force attacks.

We need to add more complexity for passwords:

Some help on the subject: https://ltb-project.org/documentation/self-service-password/1.3/config_ppolicy

julsemaan commented 6 years ago

Agree with upper and digits; we should be careful with special characters since some less techie users (like guests) may not be able to get it right, so we should keep it simple yet secure.

nqb commented 6 years ago

Agree, the best will be to have a configurable password policy.

nqb commented 5 years ago

First thing to have: minimum and maximum size of passwords generated by PF. Currently, they are hardcoded in lib/pf/password.pm

julsemaan commented 5 years ago

@nqb

Just as an FYI, the minimum and maximum in password.pm aren't enforced, they are defaults if no password length is defined
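The thread asks for three things: upper-case letters and digits in generated passwords, special characters kept optional for less technical guests, and configurable minimum/maximum lengths that are actually enforced rather than used only as defaults. The following is an added example sketching such a policy; it is not PacketFence's lib/pf/password.pm, and the `[password_policy]` INI section and its keys are hypothetical, written here to show what a pf.conf-style configuration could look like. It also computes the search-space size (in bits) of the legacy 12-character lowercase password next to a 12-character mixed-case-plus-digits one, which is the substance of the brute-force concern raised above.

```python
# Added example for this thread: a configurable password policy and generator.
# It is NOT PacketFence's lib/pf/password.pm; the [password_policy] section
# and its keys below are hypothetical, used only to illustrate a pf.conf-style
# configurable policy.
import configparser
import math
import secrets
import string

# Constructed sample config (hypothetical section and keys).
SAMPLE_CONFIG = """
[password_policy]
min_length = 12
max_length = 32
lowercase = yes
uppercase = yes
digits = yes
special = no
"""


class PasswordPolicy:
    """Character classes a password must draw from, plus enforced length bounds."""

    def __init__(self, min_length=12, max_length=64, lowercase=True,
                 uppercase=True, digits=True, special=False,
                 special_chars="!#%+-=?@"):
        if min_length < 1 or max_length < min_length:
            raise ValueError("invalid length bounds")
        self.min_length = min_length
        self.max_length = max_length
        self.classes = []
        if lowercase:
            self.classes.append(string.ascii_lowercase)
        if uppercase:
            self.classes.append(string.ascii_uppercase)
        if digits:
            self.classes.append(string.digits)
        if special:
            self.classes.append(special_chars)
        if not self.classes:
            raise ValueError("at least one character class must be enabled")
        if len(self.classes) > min_length:
            raise ValueError("min_length too short to hold one char per class")
        self.alphabet = "".join(self.classes)

    def entropy_bits(self, length):
        """Bits of search space for a uniformly random password of this length."""
        return length * math.log2(len(self.alphabet))

    def validate(self, password):
        """Length within bounds, all chars from the alphabet, every enabled class present."""
        if not self.min_length <= len(password) <= self.max_length:
            return False
        if any(c not in self.alphabet for c in password):
            return False
        return all(any(c in cls for c in password) for cls in self.classes)

    def generate(self, length=None):
        """Generate a password that satisfies the policy, using the OS CSPRNG."""
        if length is None:
            length = self.min_length
        if not self.min_length <= length <= self.max_length:
            raise ValueError("requested length outside policy bounds")
        # Rejection sampling: draw every position from the full alphabet and
        # retry until each enabled class appears. Unlike "pick one from each
        # class, then shuffle", this keeps the distribution uniform over all
        # passwords the policy accepts.
        while True:
            candidate = "".join(secrets.choice(self.alphabet) for _ in range(length))
            if self.validate(candidate):
                return candidate


def policy_from_ini(text):
    """Build a PasswordPolicy from a pf.conf-style INI string (hypothetical section)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    section = cfg["password_policy"]
    return PasswordPolicy(
        min_length=section.getint("min_length", 12),
        max_length=section.getint("max_length", 64),
        lowercase=section.getboolean("lowercase", True),
        uppercase=section.getboolean("uppercase", True),
        digits=section.getboolean("digits", True),
        special=section.getboolean("special", False),
    )


# What the thread describes as current behaviour: 12 lowercase characters.
LEGACY = PasswordPolicy(min_length=12, max_length=12, uppercase=False, digits=False)

if __name__ == "__main__":
    policy = policy_from_ini(SAMPLE_CONFIG)
    print(f"legacy 12 lowercase:      {LEGACY.entropy_bits(12):.1f} bits")
    print(f"12 mixed case + digits:   {policy.entropy_bits(12):.1f} bits")
    print("sample:", policy.generate())
```

Two design points worth noting: the length bounds are checked in both `generate` and `validate`, so they are real limits rather than fallbacks, which is the distinction julsemaan draws about password.pm; and the generator uses `secrets` rather than `random`, since a guest password is only as strong as the randomness behind it.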