
Refactor password policy

Open lc-thomasberger opened this issue 6 years ago • 3 comments

Expose in configuration. Unify validation and feedback.

Affected Area

  • create new User
  • update password by User
  • forgot password
  • admin password reset

Requested Feature

As an admin I would like to define a pattern that is used to validate password strength. As an admin I would like to define what minimum password strength is required.

I think we can build upon the approach / code from here but make it more universal and allow configuration. https://github.com/adaptlearning/adapt_authoring/blob/master/frontend/src/modules/user/views/userProfileView.js#L79-L103

lc-thomasberger avatar Feb 07 '19 15:02 lc-thomasberger

Proposed solution:

  • Add server-side PW validation
  • Refactor client-side PW validation and add PW strength feedback where missing
  • Expose required password length as an integer in config
  • Expose how many characters must be present for each of
    • Uppercase letters
    • Lowercase letters
    • Digits
    • Non-alphanumeric characters

    "passwordPolicy": {
        "length": 10,
        "digits": 1,
        "lowercaseLetters": 1,
        "uppercaseLetters": 1,
        "nonAlphaNumeric": 0
    }

All new config options should have a default so it works out of the box. The config should not be part of the install prompt.

lc-thomasberger avatar Feb 08 '19 13:02 lc-thomasberger

Also this might be useful: Password cannot contain user's username, first name or last name.

lc-thomasberger avatar Feb 14 '19 08:02 lc-thomasberger

I'd also suggest 'disallow commonly-used passwords', enabled by default.

You can check for commonly-used passwords using something like https://www.npmjs.com/package/common-password-checker

moloko avatar Oct 29 '20 12:10 moloko
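Putting the three proposals in this thread together (the `passwordPolicy` counts from the second comment, the username / first name / last name exclusion from the third, and the common-password check from the last), here is a server-side validator as an added example; it is not code from adapt_authoring or from any of the commenters. The policy keys and defaults mirror the JSON above; the option names `disallowCommonPasswords` and `disallowUserDetails`, the shape of the `user` object, and the tiny inline common-password list (a constructed stand-in for a package such as common-password-checker) are assumptions.

```javascript
'use strict';

// Added example, not adapt_authoring code. Defaults follow the passwordPolicy
// JSON proposed in the issue; the two boolean options are assumed additions.
const DEFAULT_POLICY = Object.freeze({
  length: 10,
  digits: 1,
  lowercaseLetters: 1,
  uppercaseLetters: 1,
  nonAlphaNumeric: 0,
  disallowCommonPasswords: true, // assumed option, on by default as suggested
  disallowUserDetails: true      // assumed option: username, first name, last name
});

// Constructed sample list; a real deployment would use a published list or
// a package such as common-password-checker instead of this handful.
const COMMON_PASSWORDS = new Set(['password', 'password1', '123456', 'qwerty', 'letmein']);

// Count the characters of `str` matched by the global regex `re`.
function count(str, re) {
  const m = str.match(re);
  return m ? m.length : 0;
}

/**
 * Validate a candidate password against a policy (merged over DEFAULT_POLICY).
 * `user` is optional and assumed to look like { username, firstName, lastName }.
 * Returns an array of failure messages; an empty array means the password passes.
 * Every rule is evaluated so the client can show all unmet requirements at once.
 */
function validatePassword(password, policy = {}, user = {}) {
  const p = Object.assign({}, DEFAULT_POLICY, policy);
  if (typeof password !== 'string') return ['Password must be a string'];
  const errors = [];

  if (password.length < p.length) errors.push(`at least ${p.length} characters`);
  if (count(password, /[0-9]/g) < p.digits) errors.push(`at least ${p.digits} digit(s)`);
  if (count(password, /[a-z]/g) < p.lowercaseLetters) errors.push(`at least ${p.lowercaseLetters} lowercase letter(s)`);
  if (count(password, /[A-Z]/g) < p.uppercaseLetters) errors.push(`at least ${p.uppercaseLetters} uppercase letter(s)`);
  if (count(password, /[^A-Za-z0-9]/g) < p.nonAlphaNumeric) errors.push(`at least ${p.nonAlphaNumeric} non-alphanumeric character(s)`);

  // Case-insensitive lookup so "Password" is rejected like "password".
  if (p.disallowCommonPasswords && COMMON_PASSWORDS.has(password.toLowerCase())) {
    errors.push('is a commonly used password');
  }

  // Reject passwords containing the user's own identifiers. Fragments shorter
  // than three characters are skipped (assumed threshold) to avoid rejecting
  // almost everything for users with very short names.
  if (p.disallowUserDetails) {
    const lower = password.toLowerCase();
    const details = [user.username, user.firstName, user.lastName]
      .filter(d => typeof d === 'string' && d.length >= 3)
      .map(d => d.toLowerCase());
    if (details.some(d => lower.includes(d))) {
      errors.push('must not contain your username, first name or last name');
    }
  }
  return errors;
}

// Convenience wrapper for route handlers: true when no rule was violated.
function isPasswordValid(password, policy, user) {
  return validatePassword(password, policy, user).length === 0;
}
```

The same function can back every affected area listed in the issue (create user, change password, forgot password, admin reset), and because it returns the full list of unmet rules rather than stopping at the first one, the client-side strength feedback can reuse the output without duplicating the rules.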