Password Rules
@merlinoa Is it possible to enforce some password rules for password creation? We're doing a security audit and wanted to know if we can enforce a standard or see what the Polished standard is (e.g. length, complexity, special chars). @assanstreamline
I've had this request before, and the difficulty is that we would have to apply the same rules to the password reset page or the user would be able to change their password and the custom rules on registration would not apply. The password reset page is served from the API, not the shiny app. Some possible workarounds:
- move the password reset page to the shiny app and allow the user to customize it (but this would require the user to set their url for it to work; password reset would not work on localhost). This would also require a decent amount of customization by the polished user.
- have some default password difficulty options added as editable options on each app on dashboard.polished.tech (e.g. length, complexity, special chars). We have to save the password difficulty settings in the db so that we could apply them to the password reset page.
I'm leaning towards option 2. Would that work in your case?
Another possible solution would be to avoid passwords altogether, and enable email link sign in, where, each time you sign in, all you enter is your email address (no passwords involved ever). Each time you enter your email to sign in, you get an email with a link that you click to sign in. I think I would rather set this up than either of the password difficulty workarounds. Would this pass your security audit?
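The core point of the reply above is that any password rules must be enforced by one shared policy, applied at registration and again at password reset, otherwise the reset path silently bypasses them. The following R sketch illustrates that shape for option 2 (a per-app policy loaded from storage and used by both handlers). It is an added example and not polished's own code; the policy field names, `validate_password()`, `load_app_policy()`, `register_user()` and `reset_password()` are all assumptions made for illustration, and the stored-policy lookup is a stub.

```r
# Added example (not polished's own code): one password policy shared by
# registration and password reset, so both paths enforce the same rules.
# Policy field names and all helper functions here are assumptions.

default_password_policy <- list(
  min_length      = 12,
  max_length      = 128,   # bound the work the password hash has to do
  require_upper   = TRUE,
  require_lower   = TRUE,
  require_digit   = TRUE,
  require_special = TRUE
)

# Returns a character vector of failed rules; zero length means the password passes.
validate_password <- function(password, policy = default_password_policy) {
  failures <- character(0)
  if (nchar(password) < policy$min_length) {
    failures <- c(failures, sprintf("must be at least %d characters", policy$min_length))
  }
  if (nchar(password) > policy$max_length) {
    failures <- c(failures, sprintf("must be at most %d characters", policy$max_length))
  }
  if (isTRUE(policy$require_upper) && !grepl("[[:upper:]]", password)) {
    failures <- c(failures, "must contain an uppercase letter")
  }
  if (isTRUE(policy$require_lower) && !grepl("[[:lower:]]", password)) {
    failures <- c(failures, "must contain a lowercase letter")
  }
  if (isTRUE(policy$require_digit) && !grepl("[[:digit:]]", password)) {
    failures <- c(failures, "must contain a digit")
  }
  if (isTRUE(policy$require_special) && !grepl("[^[:alnum:]]", password)) {
    failures <- c(failures, "must contain a special (non-alphanumeric) character")
  }
  failures
}

# In option 2 the policy would be read per app from the database so the API-served
# reset page can apply it; this is a constructed stand-in for that lookup.
load_app_policy <- function(app_uid) {
  default_password_policy
}

# Registration path: validate against the app's stored policy.
register_user <- function(app_uid, email, password) {
  problems <- validate_password(password, load_app_policy(app_uid))
  if (length(problems) > 0) {
    return(list(ok = FALSE, errors = problems))
  }
  list(ok = TRUE, message = sprintf("registered %s", email))
}

# Reset path: same validator, same stored policy, so it cannot weaken the rules.
reset_password <- function(app_uid, email, new_password) {
  problems <- validate_password(new_password, load_app_policy(app_uid))
  if (length(problems) > 0) {
    return(list(ok = FALSE, errors = problems))
  }
  list(ok = TRUE, message = sprintf("password updated for %s", email))
}

# Constructed sample inputs: the first fails several rules, the second passes.
str(register_user("app-1", "a@example.com", "password"))
str(reset_password("app-1", "a@example.com", "Tr0ub4dor&3long"))
```

The design choice worth keeping from this is that the policy is data stored alongside the app, and every code path that accepts a new password (registration, reset, and any future "change password" form) calls the same validator with that stored policy rather than carrying its own copy of the rules.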
For our current requirements, we simply need to indicate that the passwords for Polished.tech are strong/complex. Option 2 would reinforce this and allow us more customization if necessary, but my guess is that Polished's defaults are good enough.
The no-password solutions would also likely work around our security audit, but we are less apt to adopt that so that users don't need to check their email at each login (is that the behavior that would result?)