Allow admin to create a password policy #13666
Labels
c: Security
not-in-changelog
similar to #13070 (show a strength meter in the browser)
At the moment the only limitation for passwords in Matomo is that they need to be from 6 to 200 characters long.
matomo/plugins/UsersManager/UsersManager.php
Lines 27 to 28 in b178978
But for organizations who have many employees it might be useful to disallow really weak passwords (123456).
Maybe for the beginning it would be enough to make the `PASSWORD_MIN_LENGTH` configurable (to avoid having overly complex password rules that force people to write down their passwords).

In addition it may be an idea for a plugin that checks all password hashes against https://haveibeenpwned.com/Passwords and disallows ones that are over a set threshold to avoid trivial passwords.
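Added example, not part of the original issue and not Matomo code: a sketch of the two checks proposed above, a configurable length bound plus a breach-count threshold looked up through the Pwned Passwords range API, which receives only the first five hex characters of the SHA-1 hash. The constant and function names, the threshold value and the stubbed range response are assumptions made for illustration.

```php
<?php
// Hypothetical policy values; Matomo's current fixed bounds are 6 and 200.
const POLICY_MIN_LENGTH = 8;        // assumed admin-configured minimum
const POLICY_MAX_LENGTH = 200;      // upper bound stated in the issue
const POLICY_BREACH_THRESHOLD = 10; // assumed: reject when the breach count exceeds this

/** Split the SHA-1 into the 5-char prefix sent to the API and the 35-char suffix kept locally. */
function pwnedHashParts(string $password): array
{
    $hash = strtoupper(sha1($password));
    return [substr($hash, 0, 5), substr($hash, 5)];
}

/** Find the suffix in a range response body ("SUFFIX:COUNT" per line); 0 when absent. */
function breachCount(string $rangeBody, string $suffix): int
{
    foreach (preg_split('/\r\n|\n/', trim($rangeBody)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) === 2 && strtoupper($parts[0]) === $suffix) {
            return (int) $parts[1];
        }
    }
    return 0;
}

/** Returns the list of violations (empty = accepted). $fetchRange is injected: real HTTP or a stub. */
function checkPassword(string $password, callable $fetchRange): array
{
    $errors = [];
    $length = mb_strlen($password);
    if ($length < POLICY_MIN_LENGTH || $length > POLICY_MAX_LENGTH) {
        $errors[] = sprintf('length must be %d to %d characters', POLICY_MIN_LENGTH, POLICY_MAX_LENGTH);
    }
    [$prefix, $suffix] = pwnedHashParts($password);
    $count = breachCount($fetchRange($prefix), $suffix);
    if ($count > POLICY_BREACH_THRESHOLD) {
        $errors[] = "appears in $count known breaches";
    }
    return $errors;
}

// Constructed stub standing in for GET https://api.pwnedpasswords.com/range/<prefix>; counts are made up.
$stub = function (string $prefix): string {
    [$p, $s] = pwnedHashParts('123456');
    $hit = $prefix === $p ? "$s:1000000\r\n" : '';
    return $hit . "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n";
};
var_dump(checkPassword('123456', $stub));
var_dump(checkPassword('correct horse battery', $stub));
```

In a real deployment the stub would be replaced by an HTTP client call, and the policy would need a decision on whether to accept or reject when the lookup fails.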