[BUG] The password complexity requirements are counter to best practices
Describe the bug
We just set up Heimdall in a new environment and then spun our wheels for a while trying to change the admin password. We kept generating new random passwords, and they continued to fail the password complexity requirements.
This is counter to a variety of password best practices:
There should be no requirement for upper or lower case or numbers or special characters.
-- https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
Users also express frustration when online services reject their attempts to create complex passwords.
-- https://pages.nist.gov/800-63-4/sp800-63b.html#complexity
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.
-- https://pages.nist.gov/800-63-3/sp800-63b.html?utm_source=chatgpt.com#:~:text=Verifiers%20SHOULD%20NOT%20impose%20other%20composition%20rules%20(e.g.%2C%20requiring%20mixtures%20of%20different%20character%20types%20or%20prohibiting%20consecutively%20repeated%20characters)%20for%20memorized%20secrets.
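As an added illustration (not Heimdall2 code and not part of this issue), the following TypeScript contrasts a composition-rule check of the kind the report describes with a memorized-secret check that follows the quoted NIST SP 800-63B guidance: length bounds, Unicode normalization and a breached-password blocklist, with no character-class rules. TypeScript is used because it is Heimdall2's implementation language. The thresholds (15 characters minimum, which 800-63B rev 4 recommends when the password is the only factor; 64 maximum accepted), the blocklist entries and the sample passwords are constructed assumptions for the example.

```typescript
// Added example, not Heimdall2 code. Thresholds, blocklist and samples are assumptions.

const MIN_LENGTH = 15; // assumed: 800-63B rev 4 recommends >= 15 chars for single-factor use
const MAX_LENGTH = 64; // assumed: verifiers should accept at least 64 characters

// Constructed stand-in for a breached/common-password blocklist (lower-cased, NFKC).
const BLOCKLIST: Set<string> = new Set([
  "password",
  "123456",
  "p@ssw0rd2024!!!",
  "heimdall2admin",
]);

interface Verdict {
  ok: boolean;
  reason?: string;
}

// The kind of rule this issue reports: one of each character class or reject.
function compositionRuleCheck(pw: string): Verdict {
  if (pw.length < 8) return { ok: false, reason: "shorter than 8 characters" };
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
  const missing = classes.filter((re) => !re.test(pw)).length;
  if (missing > 0) {
    return { ok: false, reason: `missing ${missing} required character class(es)` };
  }
  return { ok: true };
}

// NIST SP 800-63B style: normalize, bound the length, reject known-bad values,
// and impose no composition rules at all.
function nistStyleCheck(pw: string, blocklist: Set<string> = BLOCKLIST): Verdict {
  // NFKC so that visually identical inputs compare equal (800-63B requires normalization).
  const normalized = pw.normalize("NFKC");
  // Count code points, not UTF-16 units, so non-BMP characters are not double counted.
  const length = Array.from(normalized).length;
  if (length < MIN_LENGTH) return { ok: false, reason: `shorter than ${MIN_LENGTH} characters` };
  if (length > MAX_LENGTH) return { ok: false, reason: `longer than ${MAX_LENGTH} characters` };
  if (blocklist.has(normalized.toLowerCase())) {
    return { ok: false, reason: "appears on the breached/common password blocklist" };
  }
  return { ok: true };
}

// Constructed samples. Shows how the two policies disagree: the composition rule
// rejects long random or passphrase-style secrets and accepts short or breached ones.
const SAMPLES: Record<string, string> = {
  passphrase: "correct horse battery staple",          // long, lowercase + spaces
  randomHex: "3f9a1c7e4b2d8a6f0e5c9b1d7a3f2e8c",      // 32 chars, lowercase hex only
  shortMixed: "Tr0ub4dor&3",                           // 11 chars, all four classes
  breachedMixed: "P@ssw0rd2024!!!",                    // 15 chars, all classes, blocklisted
};

function compare(pw: string): { composition: Verdict; nist: Verdict } {
  return { composition: compositionRuleCheck(pw), nist: nistStyleCheck(pw) };
}

for (const [name, pw] of Object.entries(SAMPLES)) {
  const { composition, nist } = compare(pw);
  console.log(
    `${name.padEnd(14)} composition=${composition.ok ? "accept" : "reject"} ` +
      `nist=${nist.ok ? "accept" : "reject"} ${nist.reason ?? composition.reason ?? ""}`
  );
}
```

The blocklist lookup is the control that actually matters under 800-63B: it removes the weak passwords that composition rules were meant to prevent, without rejecting the output of a password manager.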
To Reproduce
Steps to reproduce the behavior:
- Deploy a new copy of Heimdall
- Try to change the admin password, using a random password generator
- Repeat step 2 until success.
Expected behavior
I would expect Heimdall2 to follow current best practices on password complexity.
Screenshots
Desktop (please complete the following information):
- OS: Linux
- Browser: Chrome
- Version: 143.0.7499.109