As a Super User, I want to force all users to use strong, secure passwords for their Matomo account

[mattab]

As a Super User, I want to force all users to use strong, secure passwords for their Matomo account.

This is important as it will help increase the security of the data stored in Matomo. By ensuring that all users have strong passwords, and that they are forced to set a strong password.

Potential solution:

• A new General setting, "Force all users to set a strong, secure password. " (<- confirm wording + inline help microcopy)
  • where to put the setting? Ideally we would merge "Login" and "TwoFactorAuth" sections (in "General settings" page) into one section "Login & Security" that would have all settings nicely in one section?

By default, we should use an existing/standard set of strong password checks. How much do we let super users customise the password policy details (number of min chars, etc. etc.)?

Here is what it looks like in discourse, which would be a great place to start:

Here is the text version:

min password length
Minimum password length.

min admin password length
Minimum password length for Admin.

password unique characters
Minimum number of unique characters that a password must have.

block common passwords
Don't allow passwords that are in the 10,000 most common passwords.

Other notes:

• if we implement the Don't allow passwords that are in the 10,000 most common passwords. this would be similar, but different, from https://plugins.matomo.org/PasswordVerifier#description which sends some hash of password to an API (which we wouldn't want to do)

• there is also a plugin for password policy but we wouldn't do it exactly like in that plugin (would rather do it like Discourse does (see above)) https://plugins.matomo.org/PasswordPolicyEnforcer#preview

Out of scope:

• Force people to change their password every X weeks is not included in this scope

This feature will be combined with other changes:

• the existing ability to enforce 2FA across a Matomo instance - it is already supported that "A user with super user access can force every user to have two-factor authentication enabled."
• communicate the password complexity in the UI so users proactively know the password security, see https://github.com/matomo-org/matomo/issues/13070 (where we will also remove the "repeat password" field)

[MatomoForumNotifications]

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/weak-passwort-policy-password-enforcement-passwordpolicyenforcer-on-matomo-5/55716/6

[heurteph-ei]

Note: https://plugins.matomo.org/PasswordPolicyEnforcer?matomoversion=4 is no more maintained for more than 3 years... (last commit on October 2020, the 12th)

[jmumby]

Implementing password rules is a crucial feature for the platform. Allowing weak passwords like "123456" or "password" poses significant security risks. Enforcing stronger password criteria will greatly enhance the overall security and protect user data.

[tsteur]

There is also https://plugins.matomo.org/PasswordVerifier developed by @Findus23 which we could think about integrating.

We could then also force a password reset should detect a known password. Refs https://make.wordpress.org/plugins/2024/06/29/password-reset-required-for-plugin-authors/

[atom-box]

This was requested by another user today.

[mathieuroquefort]

We've used PasswordPolicyEnforcer for some years, but were forced to disable it because of uncompatibility with php 8. It really seems required to include it into Matomo core.

[ronak-innocraft]

Thanks all for your feedback and input to this while it was sitting under consideration. We have decided to introduce this into core. Will post updates as we start to unpack this and plan it for delivery.

[atom-box]

This was requested by a user today:

Does static password have defined complexity requirements?