pglombardo / PasswordPusher

🔐 Securely share sensitive information with automatic expiration & deletion after a set number of views or duration. Track who, what and when with full audit logs.
https://docs.pwpush.com
Apache License 2.0
2.11k stars 358 forks source link

Password policy for accounts (login functionnality) #2174

Open mathsyx69 opened 6 months ago

mathsyx69 commented 6 months ago

🚀 Feature Request

It's should be possible to configure a password policy for accounts (login functionnality).

🔈 Motivation

Hi, I'm using the login functionality on my password pusher instance.

I noticed that there is no configurable password policy.

In the current version, the only requirement is a minimum length of 6 characters, which is not enough.

Access to a passwordpusher account must be secure, as it gives access to all the user's pushs.

I suggest adding a few configurable parameters to ensure user configure a strong password when create account / modify password / reset password.

For example :

PWPPWDPOLICYUPPER-CASE PWPPWDPOLICYLOWER-CASE PWPPWDPOLICYNUMBER PWPPWDPOLICYSYMBOL PWPPWDPOLICYMIN-LENGTH PWPPWDPOLICYMAX-LENGTH

In addition, it might also be interesting to add a parameter to set the maximum password age :

PWPPWDPOLICYMAX-AGE (Days)

When the password expires, the user is forced to change it the next time he logs on.

🛰 Alternatives

It's not so much an alternative, but rather a remedy. It would be good to specify in the documentation that the implementation of fail2ban can be a good solution to protect passwordpusher from brute force attacks. Or to implement protection against such attacks in password pusher.

Perhaps this mechanism is already in place?

In any case, thank you for all your hard work, and thanks in advance for all your help.

riahc3 commented 6 months ago

If this is added, then this needs to be added too:

PWPPWDPOLICYWORDLISTFILE

It should be able to accept something like https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10k-most-common.txt , import it and check.

pglombardo commented 6 months ago

Thanks for the input/idea! Makes sense - I'll see what I can do hopefully soon.