magento / community-features

Magento Features Development is an Initiative to Allow Community Members to Join the Development of Magento Features

Make length-validation configurable for admin password creation #333

Open oehmiche opened 3 years ago

oehmiche commented 3 years ago

Hello,

for customer accounts the minimal length of a password is configurable in the admin UI (see Stores > Configuration > Customers > Customer Configuration).

(screenshot: customer-length-validation)

For admin users this validation is hardcoded in the JavaScript code (see vendor/magento/magento2-base/lib/web/mage/validation.js):

        'validate-admin-password': [
            function (v) {
                ...
                if (pass.length < 7) {
                    return false;
                }
                ...
            },
            $.mage.__('Please enter 7 or more characters, using both numeric and alphabetic.')
        ],

Nowadays 7 characters isn't desirable for the minimal length of a password (especially for an admin). So we needed to provide a fix (through m2-hotfixes) to increase this number. I would like to be able to specify the minimum number of characters in the admin UI (e.g. via Stores > Configuration > Advanced > Admin > Security).
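A sketch of the requested behaviour, added here as an example and not part of the original post or of Magento's code: a rule entry in the same `[validator, message]` shape as the excerpt above, with the minimum length taken from a setting instead of the literal 7. The names `resolveMinLength` and `makeAdminPasswordRule`, the fallback to 7 for invalid or lower settings, and the rejection of empty input are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not Magento code.
const HARDCODED_FLOOR = 7; // the value hardcoded in the excerpt quoted above

// Normalise a configured minimum (it may arrive as a string). Invalid,
// fractional or lower values fall back to the floor, so a bad setting
// can never make the rule weaker than it is today.
function resolveMinLength(configured) {
    const n = Number(configured);
    if (!Number.isInteger(n) || n < HARDCODED_FLOOR) {
        return HARDCODED_FLOOR;
    }
    return n;
}

// Build a [validator, message] pair with the length taken from configuration.
function makeAdminPasswordRule(configuredMinLength) {
    const minLength = resolveMinLength(configuredMinLength);

    function validate(value) {
        if (value === null || value === undefined) {
            return false; // assumption: missing or empty input is rejected here
        }
        const pass = String(value).trim();
        // Count code points, so a character outside the BMP counts once.
        if (Array.from(pass).length < minLength) {
            return false;
        }
        // The message asks for both numeric and alphabetic characters.
        return /[a-z]/i.test(pass) && /[0-9]/.test(pass);
    }

    const message = 'Please enter ' + minLength +
        ' or more characters, using both numeric and alphabetic.';
    return [validate, message];
}

// Constructed sample: a minimum of 12 as it might arrive from a config value.
const [validateAdminPassword, adminPasswordMessage] = makeAdminPasswordRule('12');
```

A client-side rule like this only guides the form; the same minimum has to be enforced on the server where the password is saved.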

m2-assistant[bot] commented 3 years ago

Hi @oehmiche. Thank you for your report. To help us process this issue please make sure that you provided sufficient information.

Please, add a comment to assign the issue: @magento I am working on this


Morgy93 commented 3 weeks ago

Supporting a configurable minimum password length would be an ideal enhancement for flexibility and compliance. Currently, with the hardcoded length, users can’t adjust to meet specific security standards such as PCI DSS, which mandates a 12-character minimum for administrative passwords.

Allowing administrators to set this length manually would ensure that we can stay compliant with evolving standards and adapt more easily to security requirements. This change would be a valuable addition for users needing to meet strict compliance without needing workaround solutions.

Thank you for considering this request!