matomo-org / matomo

https://matomo.org/
GNU General Public License v3.0

Encourage strong passwords by indicating when passwords are weak (and when passwords don't match) #13070

Open ankush981 opened 6 years ago

ankush981 commented 6 years ago

I think it'd be helpful for the admin to have the following dynamic (JS-driven) indicators, just like WordPress:

sgiehl commented 6 years ago

That could also be added in admin when changing the own password or creating new users

mattab commented 6 years ago

Thanks for the suggestion, it would be great & valuable to encourage users to create strong passwords.

Maybe we could create+link to a FAQ on Matomo.org explaining that it's important to use password managers, and store the encrypted database on a backed up drive.

Regarding the indicator when passwords don't match... maybe we could even remove the need to type the password twice, and only have the password field once? As long as people have a valid email address in their profile they can easily reset the password if there was a typo.

See also https://github.com/matomo-org/matomo/issues/19961

tsteur commented 6 years ago

You could also include a most popular password list and throw an error if the entered password appears in there

Findus23 commented 6 years ago

I'm moving this to 3.7 as it has a huge security benefit. (Move it back if you have planned it for a later release.) I also like @tsteur's idea of rejecting (or at least warning about) common passwords. Maybe this could even be combined with the new have-i-been-pwned API: https://haveibeenpwned.com/API/v2#PwnedPasswords

tsteur commented 5 years ago

Moving it back to the backlog as it currently doesn't have a priority.

Findus23 commented 4 years ago

I disagree with my old post above. I don't think (anymore) that a password strength indicator has a huge security benefit. For stopping terrible passwords the plugins in https://github.com/matomo-org/matomo/issues/13666 are enough.

And any indicator is either incorrect or too simplified, or ends up replicating Dropbox's zxcvbn, which is too huge for the frontend. And one can already easily write a plugin that validates submitted plugins with it.

tsteur commented 4 months ago

Is this maybe a duplicate of https://github.com/matomo-org/matomo/issues/13070 ?

michalkleiner commented 4 months ago

This is 13070 @tsteur, perhaps meant to link a different issue?

tsteur commented 4 months ago

@michalkleiner sorry I meant https://github.com/matomo-org/matomo/issues/19961