
Implement password complexity password policy check
Closed, Declined · Public

Description

There are many variations of this:

  • Must contain number
  • Must contain special character
  • Must contain upper/lowercase letters...

I guess there's scope for passwords with repeated characters. "Password must be 10 characters; oh look, aaaaaaaaaa works" too.

https://en.wikipedia.org/wiki/Password_policy#Password_length_and_formation

Event Timeline

Reedy raised the priority of this task from to Low.
Reedy updated the task description. (Show Details)
Reedy added a subscriber: Reedy.
Reedy set Security to None.

This is against recent NIST research, and should be closed as "not implement":
https://pages.nist.gov/800-63-3/sp800-63b.html

ThurnerRupert updated the task description. (Show Details)


Just linking to a 74-page document isn't helpful.

I'm guessing you specifically mean...

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.

Yes, exactly, many thanks for copying it out, Reedy! There is T32574 as well, which partially covers what is mentioned in this ticket (aaaaaaa).
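The two policies discussed in this task side by side, as an added illustration that is not code from the task or from MediaWiki: `legacy_check` implements the composition rules from the description (digit, special character, mixed case, plus a cap on consecutively repeated characters so that `aaaaaaaaaa` is caught), while `nist_check` follows the SP 800-63B approach quoted above (minimum length, no composition rules, reject values on a blocklist of common or compromised passwords). Function names, rule labels and the blocklist contents are constructed for the example; a real blocklist would be far larger or queried from a breach-lookup service.

```python
import string

# Constructed sample blocklist standing in for the list of commonly-used,
# expected or compromised values that SP 800-63B section 5.1.1.2 asks
# verifiers to compare a candidate secret against.
SAMPLE_BLOCKLIST = {"password", "password1", "qwerty123", "aaaaaaaaaa", "1234567890"}


def composition_failures(pw):
    """Return the composition rules from the task description that `pw` fails.

    Rule labels are hypothetical names chosen for this example."""
    failures = []
    if not any(c.isdigit() for c in pw):
        failures.append("no_digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no_special")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("no_mixed_case")
    return failures


def longest_run(pw):
    """Length of the longest run of one repeated character ("aaaaaaaaaa" -> 10)."""
    best = cur = 0
    prev = None
    for c in pw:
        cur = cur + 1 if c == prev else 1
        best = max(best, cur)
        prev = c
    return best


def legacy_check(pw, min_len=10, max_run=3):
    """Composition-rule policy as sketched in the task: a length floor, the
    three character-class rules, and a cap on consecutively repeated
    characters. Returns the list of problems found (empty means accepted)."""
    problems = []
    if len(pw) < min_len:
        problems.append("too_short")
    problems.extend(composition_failures(pw))
    if longest_run(pw) > max_run:
        problems.append("repeated_chars")
    return problems


def nist_check(pw, min_len=8, blocklist=SAMPLE_BLOCKLIST):
    """Policy in the spirit of SP 800-63B section 5.1.1.2: at least 8
    characters for a user-chosen secret, any printing character or space
    accepted, no composition rules, and rejection of anything found on the
    blocklist. Unicode normalisation of the candidate is left out here."""
    problems = []
    if len(pw) < min_len:
        problems.append("too_short")
    if pw.lower() in blocklist:
        problems.append("on_blocklist")
    return problems


if __name__ == "__main__":
    for candidate in ("aaaaaaaaaa", "correct horse battery staple", "Passw0rd!!"):
        print(f"{candidate!r}: legacy={legacy_check(candidate)} nist={nist_check(candidate)}")
```

Running the three constructed candidates shows the trade-off the thread is about: the composition policy rejects the long passphrase `correct horse battery staple` on three counts while accepting `Passw0rd!!`, whereas the blocklist-based policy accepts the passphrase and rejects `aaaaaaaaaa` only because it is a known weak value, not because of any shape rule.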