@ankush981 opened this Issue on June 18th 2018

I think it'd be helpful for the admin to have the following dynamic (JS-driven) indicators, just like WordPress:

  • Indicator for weak passwords
  • Indicator for when passwords don't match
@sgiehl commented on August 19th 2018 Member

That could also be added in admin when changing the own password or creating new users

@mattab commented on August 28th 2018 Member

Thanks for the suggestion, it would be great & valuable to encourage users to create strong passwords.

Maybe we could create+link to a FAQ on Matomo.org explaining that it's important to use password managers, and store the encrypted database on a backed up drive.

Regarding the indicator when password don't match... maybe we could even remove the need to type the password twice, and only have the password field once? As long as people have a valid email address in their profile they can easily reset the password if there was a typo.

@tsteur commented on August 31st 2018 Member

You could also include a most popular password list and throw an error if the entered password appears in there

@Findus23 commented on September 27th 2018 Member

I'm moving this to 3.7 as it has a huge security benefit. (move it back, if you have planned it for a later release)
I also like @tsteur's idea of rejecting (or at least warning about) common password.
Maybe this could even be combined with the new have-i-been-pawned api:

@tsteur commented on March 11th 2019 Member

Moving it back to the backlog as it currently doesn't have a priority.

@Findus23 commented on May 24th 2020 Member

I disagree with my old post above. I don't think (anymore) that a password strength indicator has a huge security benefit.
For stopping terrible passwords the plugins in https://github.com/matomo-org/matomo/issues/13666 are enough.

And any indicator is either incorrect or too simplified or ends up replicating Dropbox's zxcvbn which is too huge for frontend. And one can already easily write a plugin that validates submitted plugins with it.

Powered by GitHub Issue Mirror