Open mathsyx69 opened 6 months ago
If this is added, then this needs to be added too:
PWPPWDPOLICYWORDLISTFILE
It should be able to accept something like https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10k-most-common.txt, import it and check against it.
Thanks for the input/idea! Makes sense - I'll see what I can do hopefully soon.
🚀 Feature Request
It should be possible to configure a password policy for accounts (login functionality).
🔈 Motivation
Hi, I'm using the login functionality on my password pusher instance.
I noticed that there is no configurable password policy.
In the current version, the only requirement is a minimum length of 6 characters, which is not enough.
Access to a passwordpusher account must be secure, as it gives access to all the user's pushes.
I suggest adding a few configurable parameters to ensure users configure a strong password when creating an account / modifying a password / resetting a password.
For example:
PWPPWDPOLICYUPPER-CASE
PWPPWDPOLICYLOWER-CASE
PWPPWDPOLICYNUMBER
PWPPWDPOLICYSYMBOL
PWPPWDPOLICYMIN-LENGTH
PWPPWDPOLICYMAX-LENGTH
In addition, it might also be interesting to add a parameter to set the maximum password age:
PWPPWDPOLICYMAX-AGE (Days)
When the password expires, the user is forced to change it the next time he logs on.
🛰 Alternatives
It's not so much an alternative, but rather a remedy. It would be good to specify in the documentation that the implementation of fail2ban can be a good solution to protect passwordpusher from brute force attacks. Or to implement protection against such attacks in password pusher.
Perhaps this mechanism is already in place?
In any case, thank you for all your hard work, and thanks in advance for all your help.
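As an added example (not Password Pusher's own code, and not written by any participant in this thread), the following Ruby class sketches how a policy with the parameters proposed above (case classes, digit, symbol, min/max length, max age) plus the common-password wordlist check suggested in the first comment could be implemented and unit-tested. The environment variable names it reads (prefix PWD_POLICY_ with keys such as MIN_LENGTH, UPPER_CASE, WORDLIST_FILE) are hypothetical stand-ins for whatever pwpush would actually adopt, and SAMPLE_WORDLIST is a constructed five-entry stand-in for the SecLists file, not the real list.

```ruby
require "set"

# Added example, not pwpush code: a configurable account-password policy.
# Settings can come from environment variables; the variable names used in
# from_env are hypothetical (modelled on the issue's proposal), not real
# pwpush configuration keys.
class PasswordPolicy
  # Anything that is neither alphanumeric nor whitespace counts as a symbol.
  SYMBOL_RE = /[^[:alnum:][:space:]]/

  attr_reader :min_length, :max_length, :require_upper, :require_lower,
              :require_digit, :require_symbol, :max_age_days, :blocklist

  def initialize(min_length: 12, max_length: 128, require_upper: false,
                 require_lower: false, require_digit: false,
                 require_symbol: false, max_age_days: nil, wordlist: [])
    @min_length = min_length
    @max_length = max_length
    @require_upper = require_upper
    @require_lower = require_lower
    @require_digit = require_digit
    @require_symbol = require_symbol
    @max_age_days = max_age_days
    # Normalise the wordlist so "Password1" is caught by a lowercase list.
    @blocklist = wordlist.map { |w| w.strip.downcase }.reject(&:empty?).to_set
  end

  # Build a policy from ENV (or any Hash) under a hypothetical prefix.
  # Booleans accept 1/true/yes; a wordlist file is read one entry per line.
  def self.from_env(env = ENV, prefix: "PWD_POLICY_")
    truthy = ->(key) { %w[1 true yes].include?(env[prefix + key].to_s.downcase) }
    int    = ->(key, default) { env[prefix + key] ? Integer(env[prefix + key]) : default }
    file   = env[prefix + "WORDLIST_FILE"]
    new(
      min_length:     int.call("MIN_LENGTH", 12),
      max_length:     int.call("MAX_LENGTH", 128),
      require_upper:  truthy.call("UPPER_CASE"),
      require_lower:  truthy.call("LOWER_CASE"),
      require_digit:  truthy.call("NUMBER"),
      require_symbol: truthy.call("SYMBOL"),
      max_age_days:   int.call("MAX_AGE", nil),
      wordlist:       file ? File.readlines(file, chomp: true) : []
    )
  end

  # Returns every rule the candidate violates; an empty list means it passes.
  # Used at account creation, password change and password reset alike.
  def violations(password)
    errors = []
    errors << "must be at least #{min_length} characters" if password.length < min_length
    errors << "must be at most #{max_length} characters"  if password.length > max_length
    errors << "must contain an upper-case letter" if require_upper  && password !~ /[[:upper:]]/
    errors << "must contain a lower-case letter" if require_lower  && password !~ /[[:lower:]]/
    errors << "must contain a digit"             if require_digit  && password !~ /[[:digit:]]/
    errors << "must contain a symbol"            if require_symbol && password !~ SYMBOL_RE
    errors << "is on the common-password list"   if blocklist.include?(password.downcase)
    errors
  end

  def valid?(password)
    violations(password).empty?
  end

  # Max-age check, evaluated at login: true when the password was last changed
  # more than max_age_days ago. A nil max_age_days disables expiry.
  def expired?(changed_at, now = Time.now)
    return false if max_age_days.nil?
    now - changed_at > max_age_days * 86_400
  end
end

# Constructed sample data (not the SecLists file): a tiny stand-in wordlist.
SAMPLE_WORDLIST = %w[123456 password Password1 qwerty letmein]

# A strict policy of the kind the issue asks for, with a 90-day max age.
def demo_policy
  PasswordPolicy.new(min_length: 12, require_upper: true, require_lower: true,
                     require_digit: true, require_symbol: true, max_age_days: 90,
                     wordlist: SAMPLE_WORDLIST)
end

if $PROGRAM_NAME == __FILE__
  policy = demo_policy
  %w[Password1 short7A! Tr0ub4dor&3-extended].each do |pw|
    result = policy.violations(pw)
    puts "#{pw.inspect}: #{result.empty? ? 'ok' : result.join('; ')}"
  end
end
```

Two design points worth noting: the wordlist comparison is done on the downcased candidate so a capitalised entry from a lowercase list does not slip through, and the age check is a separate method because expiry is enforced at the next login rather than when the password is set, which is exactly the behaviour the issue describes.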