ecamp3
ecamp3 copied to clipboard
ecamp
Minimal Requirements for password
Input from @usu: https://github.com/ecamp/ecamp3/pull/2557#discussion_r835866272
Some Links: https://github.com/rollerworks/PasswordStrengthValidator https://symfony.com/doc/current/reference/constraints/NotCompromisedPassword.html
to be implemented in Register and ResetPassword
See also the current recommendations of OWASP for password authentication: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x11-V2-Authentication.md#v21-password-security Specifically, the following rules are often surprising to people who are not up to date with current evidence-based security best practices:
2.1.1 | Verify that user set passwords are at least 12 characters in length (after multiple spaces are combined).
2.1.9 | Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters.
2.1.10 | Verify that there are no periodic credential rotation or password history requirements.
To add on this:
- Validation for min. length should already happen in frontend
- If validation fails in backend, validation error need to be shown in frontend
- A password meter would be nice, too (e.g. https://www.npmjs.com/package/vue-password-strength-meter)
Some more interesting points from ASVS:
2.1.2 | Verify that passwords of at least 64 characters are permitted, and that passwords of more than 128 characters are denied.
2.1.4 | Verify that any printable Unicode character, including language neutral characters such as spaces and Emojis are permitted in passwords.
Source: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x11-V2-Authentication.md#v21-password-security
| # | Description | eCamp v3 status |
|---|---|---|
| 2.1.1 | Verify that user set passwords are at least 12 characters in length (after multiple spaces are combined). (C6) | ✓ |
| 2.1.2 | Verify that passwords of at least 64 characters are permitted, and that passwords of more than 128 characters are denied. (C6) | ? |
| 2.1.3 | Verify that password truncation is not performed. However, consecutive multiple spaces may be replaced by a single space. (C6) | ? |
| 2.1.4 | Verify that any printable Unicode character, including language neutral characters such as spaces and Emojis are permitted in passwords. | ? |
| 2.1.5 | Verify users can change their password. | ✓ |
| 2.1.6 | Verify that password change functionality requires the user's current and new password. | ✓ |
| 2.1.7 | Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password. (C6) | x |
| 2.1.8 | Verify that a password strength meter is provided to help users set a stronger password. | ✓ |
| 2.1.9 | Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. (C6) | ✓ |
| 2.1.10 | Verify that there are no periodic credential rotation or password history requirements. | ✓ |
| 2.1.11 | Verify that "paste" functionality, browser password helpers, and external password managers are permitted. | ✓ |
| 2.1.12 | Verify that the user can choose to either temporarily view the entire masked password, or temporarily view the last typed character of the password on platforms that do not have this as built-in functionality. | x |