yii2-usuario
Add password complexity restrictions
An admin should be able to impose restrictions on password complexity. For example:
- require one (or more) capital
- require one (or more) number
- require one (or more) special character
- forbid common words in password (username, email user portion)
- ... others?
The easiest approach would be to add a configuration parameter with a custom regexp, so an admin can set (almost) all the rules above with a single option. To ease implementation we can add to the docs some rules for the more common cases.
Another option is to set a config parameter for each of the above cases (considering what we think it's worth to implement).
Discussion is open, comments welcome.
I had developed a password strength validator extension for this, which can be used. It also has a password strength meter as input if needed; refer to the docs & demo.
@maxxer I am not sure about this option. To be honest, I find it terribly annoying for a user to follow the password rules of an app. Whilst I think it is a good thing to inform the user that his password is weak (which anybody could do by adding their preferred plugin on the registration view and overriding it), I really do not know about forcing them to create an X-factor password nor injecting more external dependencies into the module.
@kartik-v thanks for the reference.
I agree. The rules quoted date back to Microsoft in the early 90s, which I helped develop, and they reflect the limitations of processor speeds of that era. We've come a long way since then in calculating password strength.
The Microsoft rules are brute forceable in a relatively short amount of time.
Better to encourage longer passwords that are easier to remember. My method is look at a well known object. Describe it in four words. Use that description for the password. (i.e. "GreyTissueFauxFloral" which is a description of the box of tissue on my desk)
The current magic number is about 16 characters. Using the rules above is gravy. Intentional misspelling of words is gravy (i.e. "Faux" for "Box").
For me the strength validator from @kartik-v did the job almost perfectly.
There's only one problem - automatically generated passwords don't meet my strength criteria :)
It would be very useful if one could set (e.g. through some configuration parameters) minimum length and character sets for the generated passwords. Or at least the possibility to extend and override SecurityHelper class - that would be enough, because generatePassword function is pretty simple.
BTW, as for the point of using complex password rules - sometimes it's not a matter of our choice, but a customer requirement or even country-level regulation (as it used to be in Poland).
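As an added example (not code from yii2-usuario or from any commenter above), the following standalone PHP sketch covers both proposals in this thread: the opening post's single admin-configurable regexp plus a forbidden-word check for the username and the local part of the email, and the last comment's request for a password generator with configurable length and character sets whose output is guaranteed to pass the same policy. The class names `PasswordPolicy` and `PasswordGenerator`, the 16-character default and the character sets are assumptions for illustration; the script runs as-is with `php`.

```php
<?php
// Added example, not part of yii2-usuario: an admin-configurable regexp policy
// with forbidden-word checks, and a generator whose output satisfies that policy.
declare(strict_types=1);

final class PasswordPolicy
{
    private string $pattern;   // PCRE pattern the password must match (hypothetical admin setting)
    private int $minLength;    // minimum length, enforced in addition to the regexp

    public function __construct(string $pattern, int $minLength = 16)
    {
        $this->pattern = $pattern;
        $this->minLength = $minLength;
    }

    /**
     * Return a list of violations; an empty list means the password is accepted.
     * $username and $email (local part only) are forbidden as substrings.
     */
    public function check(string $password, string $username = '', string $email = ''): array
    {
        $errors = [];
        if (mb_strlen($password) < $this->minLength) {
            $errors[] = sprintf('must be at least %d characters', $this->minLength);
        }
        if (preg_match($this->pattern, $password) !== 1) {
            $errors[] = 'does not satisfy the complexity pattern';
        }
        $forbidden = [];
        if ($username !== '') { $forbidden[] = $username; }
        if ($email !== '')    { $forbidden[] = explode('@', $email, 2)[0]; }
        foreach ($forbidden as $word) {
            // ignore very short words so that e.g. a two-letter username does not block everything
            if (mb_strlen($word) >= 3 && stripos($password, $word) !== false) {
                $errors[] = sprintf('must not contain "%s"', $word);
            }
        }
        return $errors;
    }
}

final class PasswordGenerator
{
    // Constructed character sets; ambiguous glyphs (O/0, l/1) are left out on purpose.
    private const SETS = [
        'upper'   => 'ABCDEFGHJKLMNPQRSTUVWXYZ',
        'lower'   => 'abcdefghijkmnopqrstuvwxyz',
        'digit'   => '23456789',
        'special' => '!@#$%^&*()-_=+[]{};:,.?',
    ];

    /** Build a $length-character password with at least one char from every set, using the CSPRNG random_int(). */
    public static function generate(int $length, array $sets = self::SETS): string
    {
        if ($length < count($sets)) {
            throw new InvalidArgumentException('length too short for the required character sets');
        }
        $all   = implode('', $sets);
        $chars = [];
        foreach ($sets as $set) {                       // one guaranteed char per set
            $chars[] = $set[random_int(0, strlen($set) - 1)];
        }
        while (count($chars) < $length) {               // fill the rest from the union
            $chars[] = $all[random_int(0, strlen($all) - 1)];
        }
        for ($i = count($chars) - 1; $i > 0; $i--) {    // Fisher-Yates shuffle with random_int
            $j = random_int(0, $i);
            [$chars[$i], $chars[$j]] = [$chars[$j], $chars[$i]];
        }
        return implode('', $chars);
    }

    /** Generate until the policy accepts the result, with a bounded number of retries. */
    public static function generateFor(PasswordPolicy $policy, int $length, string $username = '', string $email = ''): string
    {
        for ($attempt = 0; $attempt < 50; $attempt++) {
            $candidate = self::generate($length);
            if ($policy->check($candidate, $username, $email) === []) {
                return $candidate;
            }
        }
        throw new RuntimeException('could not generate a policy-compliant password');
    }
}

// Lookaheads require one uppercase, one digit and one non-alphanumeric; length is checked separately.
$policy = new PasswordPolicy('/^(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).+$/', 16);

print_r($policy->check('password123', 'alice', 'alice@example.com'));            // too short, fails pattern
print_r($policy->check('GreyTissueFauxFloral', 'alice', 'alice@example.com'));   // long enough, fails pattern
print_r($policy->check('aliceGreyTissue7!xyz', 'alice', 'alice@example.com'));   // contains the username
$generated = PasswordGenerator::generateFor($policy, 20, 'alice', 'alice@example.com');
var_dump($generated, $policy->check($generated) === []);                         // bool(true)
```

The single regexp is the "one option covers almost everything" approach from the opening post; in a Yii2 model the same pattern could be handed to the built-in `match` validator rule, with the forbidden-word logic as an inline validator, so that the policy stays one configuration value rather than a flag per rule. Because the generator draws from the same character sets the policy requires and re-checks every candidate, the mismatch described above (generated passwords failing the strength criteria) cannot occur, and `random_int()` keeps the generated values unpredictable.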