
Increase password strength in Plone 6 #3370

Closed
zopyx opened this issue Nov 26, 2021 · 10 comments

Comments

@zopyx (Member) commented Nov 26, 2021

The minimum pw length in Plone 6 is still 5. Please increase min length to at least 8 or 10 chars.
5 chars is completely unacceptable in 2021 as out-of-the-box configuration.

zopyx added this to the Plone 6.0 milestone Nov 26, 2021

@zopyx (Member, Author) commented Aug 9, 2022

The password length in 6.0.0b1 is still 5 chars.

@mauritsvanrees (Member)

I agree that we should increase this.
Does anyone know where the code lives that checks this? I would guess PlonePAS, but I have not looked.

@davisagli (Member)

@mauritsvanrees the password reset form is in https://github.com/plone/plone.app.users/blob/master/plone/app/users/browser/passwordpanel.py. It uses portal_registration.testPasswordValidity to validate the password, which is in https://github.com/plone/Products.CMFPlone/blob/master/Products/CMFPlone/RegistrationTool.py#L182 and calls all IValidationPlugin plugins from PAS. The default one is indeed in PlonePAS: https://github.com/plone/Products.PlonePAS/blob/master/src/Products/PlonePAS/plugins/passwordpolicy.py

@rohnsha0 (Contributor) commented Sep 4, 2022

@davisagli @mauritsvanrees Just needed to change the required password length in the password reset form... Right?

@zopyx (Member, Author) commented Sep 4, 2022

> @davisagli @mauritsvanrees Just needed to change the required password length in the password reset form... Right?

A modern authentication solution should enforce a decent password policy. And this is not only 8-10 chars at least, but also a combination of chars, numbers, special chars.

@rohnsha0 (Contributor) commented Sep 4, 2022

Ah okay...

@yurj (Contributor) commented Sep 5, 2022

> @davisagli @mauritsvanrees Just needed to change the required password length in the password reset form... Right?
>
> A modern authentication solution should enforce a decent password policy. And this is not only 8-10 chars at least, but also a combination of chars, numbers, special chars.

But this is not the issue. I think a PLIP is required to give it a modern shape. I think:

  • using a modern library to manage the options and checks
  • expose the options in the control panel

@mauritsvanrees (Member)

For Plone 6.0 I would already be happy if the standard length is increased to 8. Not anything fancy.

Bonus points if this is a property that you can set in the ZMI. Then I would say: use 10. It is easy enough for admins to adjust it if wanted.

Or set it in the configuration registry, and add it to the security settings. But then it already begins to sound fancy. And maybe we should not simply expose the password length here, but allow admins to choose from a few password policies. Even more fancy, and not really something to do in the beta phase.

Are there any public packages that define a different password policy, maybe in the collective? Ah, Products.PasswordStrength, with some discussion on whether or not to merge it into core. We could consider adding some policies in Plone 6.1.

Note: plone.app.testing will likely have a too small password value. So several tests may fail. Same for plone.app.users.
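
As an added illustration (not code from PlonePAS, Products.CMFPlone or any other linked repository) of the check davisagli traces through testPasswordValidity and the PAS validation plugins, and of the configurable policy mauritsvanrees sketches: a stand-alone policy object whose minimum length defaults to 8, with optional character-class rules that can stay switched off. The class and function names, the preset policies and the error messages are assumptions of this example; the list-of-error-dicts return shape follows the thread's description of validation plugins but is reimplemented here from scratch.

```python
"""Stand-alone password policy check (added example; not PlonePAS code).

Assumptions, not taken from the issue thread: the class and function
names below, the preset policies, and the exact error messages.
The return shape (a list of {"id": ..., "error": ...} dicts, empty when
the password is acceptable) follows the thread's description of PAS
validation plugins but is reimplemented here from scratch.
"""
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class PasswordPolicy:
    """Configurable rules; only min_length is enforced by default, as the thread asks."""
    min_length: int = 8
    require_lower: bool = False
    require_upper: bool = False
    require_digit: bool = False
    require_special: bool = False

    def validate(self, password):
        """Return a list of error dicts; an empty list means the password passes."""
        errors = []
        password = password or ""  # a missing password must fail the length check
        # len() counts code points, so one multi-byte character counts once.
        if len(password) < self.min_length:
            errors.append({"id": "password",
                           "error": f"Password must be at least {self.min_length} characters."})
        class_rules = [
            (self.require_lower, lambda c: c.islower(), "a lowercase letter"),
            (self.require_upper, lambda c: c.isupper(), "an uppercase letter"),
            (self.require_digit, lambda c: c.isdigit(), "a digit"),
            (self.require_special, lambda c: c in string.punctuation, "a special character"),
        ]
        for required, matches, label in class_rules:
            if required and not any(matches(c) for c in password):
                errors.append({"id": "password",
                               "error": f"Password must contain {label}."})
        return errors


# Preset policies (constructed for this example).
LEGACY_POLICY = PasswordPolicy(min_length=5)   # the 5-char default the issue reports for 6.0.0b1
PLONE6_POLICY = PasswordPolicy(min_length=8)   # the length plone/Products.PlonePAS#69 adopted
STRICT_POLICY = PasswordPolicy(min_length=10, require_lower=True, require_upper=True,
                               require_digit=True, require_special=True)


def validate_user_info(policy, set_info):
    """Plugin-shaped entry point: validate only when a password is being set.

    set_info is the dict of properties being changed (for example from a
    password reset form or an API call); other property changes are not checked.
    """
    if "password" not in set_info:
        return []
    return policy.validate(set_info["password"])


if __name__ == "__main__":
    for pw in ["abcde", "abcdefgh", "Abcdefgh1!"]:
        print(pw, "->", PLONE6_POLICY.validate(pw) or "ok",
              "|", STRICT_POLICY.validate(pw) or "ok")
```

Whichever policy is chosen, every code path that sets a password (the reset form, registration, and the REST API tschorr mentions) has to go through the same validate_user_info call; a policy that only the HTML form invokes is exactly the bypass described at the end of this thread.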

@davisagli (Member)

plone/Products.PlonePAS#69 increased the minimum password length to 8 characters

davisagli removed this from the Plone 6.0 milestone Sep 20, 2022

@tschorr (Contributor) commented Apr 26, 2023

@davisagli @mauritsvanrees p.restapi currently doesn't validate passwords, resulting in Volto bypassing the default password policy, see plone/plone.restapi#1630.

6 participants