@Findus23 opened this Issue on November 3rd 2018 Member

similar to #13070 (show a strength meter in the browser)

At the moment the only limitation for passwords in Matomo is that they need to be from 6 to 200 characters long.
https://github.com/matomo-org/matomo/blob/b178978b979c5dcf20fe81a9b28034c0de4ce90e/plugins/UsersManager/UsersManager.php#L27-L28

But for organizations who have many employees it might be useful to disallow really weak passwords (123456).

Maybe for the beginning it would be enough to make the PASSWORD_MIN_LENGTH configurable (to avoid having overly complex password rules that force people to write down their passwords).

In addition it may be an idea for a plugin that checks all password hashes against https://haveibeenpwned.com/Passwords and disallows ones that are over a set threshold to avoid trivial passwords.

@Findus23 commented on November 6th 2018 Member

It turns out that thanks to the existing event, adding a haveibeenpwned integration is really easy:

https://plugins.matomo.org/PasswordVerifier
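The haveibeenpwned check described in the issue and in the PasswordVerifier comment above, as an added Python example that is not Matomo's or the plugin's code: it hashes the candidate password, sends only the first five hex characters of the SHA-1 to the Pwned Passwords range endpoint (so the full hash never leaves the server), and applies a configurable breach-count threshold. The breached passwords, their counts and the offline fetcher are constructed stand-ins; the live fetcher is included for reference but not called.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

RangeFetcher = Callable[[str], str]  # maps a 5-hex-char SHA-1 prefix to the response body

def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def hibp_fetch_range(prefix: str) -> str:
    """Live fetcher (not used offline): only the 5-char prefix leaves the host."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-password-checker", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated, blank lines tolerated) into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: RangeFetcher) -> int:
    """How many times the password appears in the breach corpus; 0 if unseen."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def password_allowed(password: str, fetch_range: RangeFetcher, threshold: int = 0) -> bool:
    """Policy check: reject once the breach count exceeds the configured threshold."""
    return pwned_count(password, fetch_range) <= threshold

# Constructed offline stand-in for the API: two "breached" passwords with made-up counts.
CONSTRUCTED_BREACHED = {"123456": 1000, "password": 5}

def fake_fetch_range(prefix: str) -> str:
    lines = [f"{sha1_upper(pw)[5:]}:{n}" for pw, n in CONSTRUCTED_BREACHED.items()
             if sha1_upper(pw).startswith(prefix)]
    lines.append("0" * 35 + ":0")  # padding-style entry with count 0, as the API adds when asked
    return "\r\n".join(lines)

if __name__ == "__main__":
    for pw in ("123456", "password", "correct horse battery staple"):
        print(pw, pwned_count(pw, fake_fetch_range), password_allowed(pw, fake_fetch_range, threshold=10))
```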

@simivar commented on April 7th 2019 Contributor
@Findus23 commented on May 23rd 2020 Member

I think with my plugin using haveibeenpwned and @simivar's plugin with common rules and the possibility to easily write a plugin that enforces any arbitrary rule, this should be solved.

This Issue was closed on May 23rd 2020