Implement password complexity password policy check
Closed, Declined · Public

Description

There are many variations of this:

  • Must contain number
  • Must contain special character
  • Must contain upper/lowercase letter...

I guess there's scope for passwords with repeated characters. "Password must be 10 characters; oh look, aaaaaaaaaa works" too.

https://en.wikipedia.org/wiki/Password_policy#Password_length_and_formation

Event Timeline

Reedy created this task. · Dec 11 2015, 12:34 AM
Reedy raised the priority of this task from to Low.
Reedy updated the task description.
Reedy added a subscriber: Reedy.
Restricted Application added a subscriber: Aklapper. · Dec 11 2015, 12:34 AM
Reedy updated the task description. · Dec 11 2015, 12:40 AM
Reedy set Security to None.

this is against recent NIST research, and should be closed as "not implement":
https://pages.nist.gov/800-63-3/sp800-63b.html

ThurnerRupert closed this task as Declined. · Jul 21 2018, 1:33 PM
ThurnerRupert updated the task description.
Reedy added a comment. · Jul 21 2018, 1:36 PM

this is against recent NIST research, and should be closed as "not implement":
https://pages.nist.gov/800-63-3/sp800-63b.html

Just linking to a 74-page document isn't helpful.

I'm guessing you specifically mean...

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.

ThurnerRupert added a comment. · Edited · Jul 21 2018, 2:11 PM

yes, exactly, many thanks for the copy out, reedy! there is T32574 as well which partially covers what is mentioned in this ticket (aaaaaaa)

sbassett moved this task from Backlog to Done on the Security-Team board. · Jun 11 2019, 7:10 PM