
Password policy for accounts (login functionality) #2174

Open
mathsyx69 opened this issue May 26, 2024 · 2 comments

@mathsyx69

mathsyx69 commented May 26, 2024

🚀 Feature Request

It should be possible to configure a password policy for accounts (login functionality).

🔈 Motivation

Hi, I'm using the login functionality on my password pusher instance.

I noticed that there is no configurable password policy.

In the current version, the only requirement is a minimum length of 6 characters, which is not enough.

Access to a passwordpusher account must be secure, as it gives access to all the user's pushes.

I suggest adding a few configurable parameters to ensure users configure a strong password when creating an account / modifying a password / resetting a password.

For example:

PWP__PWDPOLICY__UPPER-CASE
PWP__PWDPOLICY__LOWER-CASE
PWP__PWDPOLICY__NUMBER
PWP__PWDPOLICY__SYMBOL
PWP__PWDPOLICY__MIN-LENGTH
PWP__PWDPOLICY__MAX-LENGTH

In addition, it might also be interesting to add a parameter to set the maximum password age:

PWP__PWDPOLICY__MAX-AGE (Days)

When the password expires, the user is forced to change it the next time he logs on.

🛰 Alternatives

It's not so much an alternative, but rather a remedy.
It would be good to specify in the documentation that the implementation of fail2ban can be a good solution to protect passwordpusher from brute force attacks. Or to implement protection against such attacks in password pusher.

Perhaps this mechanism is already in place?

In any case, thank you for all your hard work, and thanks in advance for all your help.

@riahc3

riahc3 commented May 27, 2024

If this is added, then this needs to be added too:

PWP__PWDPOLICY__WORDLISTFILE

It should be able to accept something like https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10k-most-common.txt, import it and check.
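As an added illustration of what the policy proposed in the first comment plus the wordlist check above could look like together (example code, not Password Pusher's own implementation): the config keys mirror the proposed `PWP__PWDPOLICY__*` names, the settings hash, the `PasswordPolicy` class and its defaults are all assumptions, and the wordlist is any newline-separated file such as the SecLists one linked above.

```ruby
require "set"

# Added example of a configurable account-password policy. Not Password Pusher's
# own code; the keys below are the env-var names proposed in this issue and the
# defaults are assumptions chosen for the example.
class PasswordPolicy
  DEFAULTS = {
    "PWP__PWDPOLICY__UPPER-CASE"   => true,
    "PWP__PWDPOLICY__LOWER-CASE"   => true,
    "PWP__PWDPOLICY__NUMBER"       => true,
    "PWP__PWDPOLICY__SYMBOL"       => true,
    "PWP__PWDPOLICY__MIN-LENGTH"   => 12,
    "PWP__PWDPOLICY__MAX-LENGTH"   => 128,
    "PWP__PWDPOLICY__MAX-AGE"      => 90,   # days; 0 or nil disables expiry
    "PWP__PWDPOLICY__WORDLISTFILE" => nil,  # path to a banned-password list
  }.freeze

  def initialize(settings = {}, wordlist: [])
    @cfg = DEFAULTS.merge(settings)
    # Normalise the banned list once so each check is a case-insensitive O(1) lookup.
    @banned = Set.new(wordlist.map { |w| w.strip.downcase }.reject(&:empty?))
  end

  # Build a policy and load the wordlist file if one is configured.
  def self.from_settings(settings)
    path = settings["PWP__PWDPOLICY__WORDLISTFILE"]
    words = path && File.exist?(path) ? File.readlines(path) : []
    new(settings, wordlist: words)
  end

  # Returns the list of reasons a candidate password fails; empty means it passes.
  def violations(password)
    errs = []
    errs << "too short" if password.length < @cfg["PWP__PWDPOLICY__MIN-LENGTH"].to_i
    errs << "too long"  if password.length > @cfg["PWP__PWDPOLICY__MAX-LENGTH"].to_i
    errs << "needs an upper-case letter" if @cfg["PWP__PWDPOLICY__UPPER-CASE"] && password !~ /[A-Z]/
    errs << "needs a lower-case letter" if @cfg["PWP__PWDPOLICY__LOWER-CASE"] && password !~ /[a-z]/
    errs << "needs a digit"  if @cfg["PWP__PWDPOLICY__NUMBER"] && password !~ /\d/
    errs << "needs a symbol" if @cfg["PWP__PWDPOLICY__SYMBOL"] && password !~ /[^A-Za-z0-9]/
    errs << "appears in the banned-password list" if @banned.include?(password.downcase)
    errs
  end

  def valid?(password)
    violations(password).empty?
  end

  # MAX-AGE check: true when the password is older than the limit and must be
  # changed at the next login. changed_at is a Time.
  def expired?(changed_at, now = Time.now)
    days = @cfg["PWP__PWDPOLICY__MAX-AGE"].to_i
    return false if days <= 0
    (now - changed_at) > days * 86_400
  end
end
```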

@pglombardo
Owner

Thanks for the input/idea! Makes sense - I'll see what I can do hopefully soon.
