FusionAuth
Add limitation to not allow a users username or email address to be their password
Add limitation to not allow a users username or email address to be their password
Problem
Per current NIST password recommendations, context specific password should be disallowed. This should include the context of the user themselves. The biggest breach of this would be using the same string for both a username & password.
Solution
I would like a password verification option to ensure the users password is not the same as their username/email address/name as it is currently saved in fusionauth.
Alternatives/workarounds
We have attempted to add a frontend filter to restrict the password from being the same as the username/email; however, the frontend password reset page does not and cannot know the users email address or username to verify against.
Additional context
NIST recomendation:
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
Passwords obtained from previous breach corpuses. Dictionary words. Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’). Context-specific words, such as the name of the service, the username, and derivatives thereof.
Related
- https://github.com/FusionAuth/fusionauth-issues/issues/2734
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
Thanks for the suggestion @Diane-Rose22 . Unfortunately we have a full roadmap right now, but when we revisit this functionality, we'll review this issue.
