
It would be nice to have a built in way to enforce a password policy.
Discussions about the use of password policies aside, it would certainly help with acceptance in bigger organisations that have the requirement.
For the moment we work with a small plugin (https://github.com/visionbites/kirby-password-policy). That works. But a core way of doing that would certainly be nice.

Rough idea for a config structure:
return [
    'auth' => [
        'passwords' => [
            'minlength' => 12,
            'upperlower' => true,
            'digits' => true,
            'symbols' => true,
        ]
    ]
];

and/or a regex like in your plugin (however with the disadvantage that the error message can always only be binary and not specific to a particular requirement):
return [
    'auth' => [
        'passwords' => '/^(?=.*[0-9])(?=.*[!@#$%^&*])[A-Za-z\d!@#$%^&*]{16,}$/'
    ]
];
I think that makes it a lot easier to implement a basic version of this in any project.
With the regex option it would definitely make sense to be able to create a custom error message and also a requirements text that can be displayed next to the password field.
return [
    'auth' => [
        'passwords' => '/^(?=.*[0-9])(?=.*[!@#$%^&*])[A-Za-z\d!@#$%^&*]{16,}$/',
        'hint' => 'Your password needs to be at least X characters long and contain the word "lizard"',
        'error' => 'I bet you did not put "lizard" in there'
    ]
];
I think to support both use cases, it would need a slightly different syntax:
For a default set of rules:
return [
    'auth' => [
        'passwords' => [
            'rules' => [
                'minlength' => 12,
                'digits' => true,
            ]
        ]
    ]
];

For a custom regex incl. hint:
return [
    'auth' => [
        'passwords' => [
            'rules' => '/^(?=.*[0-9])(?=.*[!@#$%^&*])[A-Za-z\d!@#$%^&*]{16,}$/',
            'hint' => 'Your password needs to be at least X characters long and contain the word "lizard"',
        ]
    ]
];

For a custom regex and custom error message:
return [
    'auth' => [
        'passwords' => [
            'rules' => function ($input): true {
                // validate and throw exception for error
            }
        ]
    ]
];
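To show how the three option shapes proposed above could be checked with a specific message per rule (and only a generic one for the regex form), here is an added example; it is hypothetical code, not Kirby's own nor the kirby-password-policy plugin's, and the function name validatePassword and its signature are assumptions:

```php
<?php
// Added example (not Kirby's own code nor the kirby-password-policy plugin):
// a hypothetical validator for the proposed auth.passwords option that
// accepts the three shapes discussed above. Returns null when the password
// passes and a human-readable error message otherwise.
function validatePassword(string $password, array|string|Closure $policy,
                          ?string $hint = null, ?string $error = null): ?string
{
    // Closure variant: the callback throws to signal a failure
    if ($policy instanceof Closure) {
        try {
            $policy($password);
            return null;
        } catch (Throwable $e) {
            return $error ?? $e->getMessage();
        }
    }
    // Regex variant: the result is binary, so only one generic message exists
    if (is_string($policy)) {
        return preg_match($policy, $password) === 1
            ? null
            : ($error ?? $hint ?? 'The password does not meet the policy');
    }
    // Rule-set variant: each rule carries its own specific message
    $checks = [
        'minlength'  => fn($v) => mb_strlen($password) >= $v,
        'upperlower' => fn($v) => !$v || (preg_match('/\p{Lu}/u', $password)
                                       && preg_match('/\p{Ll}/u', $password)),
        'digits'     => fn($v) => !$v || preg_match('/\d/', $password),
        'symbols'    => fn($v) => !$v || preg_match('/[^\p{L}\p{N}\s]/u', $password),
    ];
    $messages = [
        'minlength'  => 'The password must be at least %d characters long',
        'upperlower' => 'The password must contain upper and lower case letters',
        'digits'     => 'The password must contain at least one digit',
        'symbols'    => 'The password must contain at least one symbol',
    ];
    foreach ($policy as $rule => $value) {
        if (isset($checks[$rule]) && !$checks[$rule]($value)) {
            return sprintf($messages[$rule], $value);
        }
    }
    return null;
}

// Constructed inputs: a specific message for the rule set, a generic one for the regex
echo validatePassword('lizard', ['minlength' => 12, 'digits' => true]), PHP_EOL;
echo validatePassword('lizard', '/^.{16,}$/', 'At least 16 characters'), PHP_EOL;
```

Unknown rule keys are ignored rather than rejected, so a real implementation would want to validate the config itself at boot and fail loudly on a misspelled rule name.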
It would be great if Kirby also offered a way to force a password reset for all users.

@Nils Hörrmann As you commented this on the password policy idea, do you imagine it as an additional auth.passwords option that e.g. defines a date and/or duration (“90 days”) until when a password expires and has to be reset (then with the enforcement of the other policies for the new password)?

Well, initially, I wrote a separate post when this was suggested by Nolt and I didn’t want to scatter the discussion :) I like the idea of a password lifecycle in the settings, especially with the security fixes in mind that were related to permission bypassing. Up-to-date passwords are important in this context. But my comment aimed more at extended administration tools in general.

@Nils Hörrmann A date-based password expiry could definitely be useful depending on the context. It’s not always a good idea, e.g. BSI (German information security authority) no longer recommends it for most passwords because of the risk of password fatigue (people writing passwords down because they can no longer remember their passwords after having to change them and not using password managers). But it could certainly be an option.
The administration tools I would see separately from this though, as these would not be config but actions an admin can perform in the Panel for specific or all users. Feel free to open a separate Nolt ticket for that. :)