
Better security rules

Open Spomky opened this issue 2 years ago • 0 comments

Hi,

I recently prepared and organised workshops during the SymfonyLive Paris 2023 and noted that a few things could be enhanced in the make:auth command templates.

  • As the NotCompromisedPassword constraint exists, we could leverage it and then deny compromised passwords when a password is reset. skipOnError is set to true, meaning that we continue the process if the API cannot be reached or returns an HTTP error status code.

  • OWASP recommends a minimum of 8 characters and a maximum of 64 (see the cheatsheet). I propose to stick to these values, and especially the maximum length, for the following main reasons:

    • There is no reason for using such long passwords.
    • bcrypt, which is the default hashing function at the time of writing, allows only inputs of 72 bytes.

Spomky · Mar 23 '23 23:03
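The two constraints the issue proposes, applied to a password-reset form type. This is an added example written for this page, not the make:auth template code from maker-bundle; the class name `ChangePasswordFormType`, the `plainPassword` field name and the messages are assumptions, while the constraint classes and their `min`, `max` and `skipOnError` options are Symfony's own.

```php
<?php
// Added example, not maker-bundle's template: a reset-password form type
// that enforces the OWASP length bounds and rejects known-breached passwords.

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\PasswordType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\Validator\Constraints\Length;
use Symfony\Component\Validator\Constraints\NotBlank;
use Symfony\Component\Validator\Constraints\NotCompromisedPassword;

// Hypothetical class name; the field name 'plainPassword' is an assumption too.
class ChangePasswordFormType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        $builder->add('plainPassword', PasswordType::class, [
            // The plain password is validated here and hashed by the controller,
            // so it must not be mapped onto the User entity directly.
            'mapped' => false,
            'constraints' => [
                new NotBlank([
                    'message' => 'Please enter a password.',
                ]),
                // OWASP bounds from the issue: at least 8 and at most 64 characters.
                // The 64 cap also keeps typical input well inside bcrypt's 72-byte limit.
                new Length([
                    'min' => 8,
                    'max' => 64,
                    'minMessage' => 'Your password should be at least {{ limit }} characters.',
                    'maxMessage' => 'Your password should be at most {{ limit }} characters.',
                ]),
                // Checks the password against the haveibeenpwned.com range API
                // (k-anonymity: only the first 5 hex chars of the SHA-1 leave the server).
                // skipOnError => true keeps the reset flow working when the API is
                // unreachable or returns an HTTP error, as the issue proposes.
                new NotCompromisedPassword([
                    'skipOnError' => true,
                ]),
            ],
        ]);
    }
}
```

One caveat worth keeping in mind with the 64 limit: the Length constraint counts characters, not bytes, so a 64-character password made of multibyte UTF-8 characters can still exceed the 72 bytes bcrypt accepts. On Symfony 6.3 or later the `countUnit` option of Length can measure bytes instead; on older versions, either document the limit as characters (as OWASP does) or add a separate byte-length check for the bcrypt case.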