@Findus23 opened this Issue on November 3rd 2018 Member

similar to #13070 (show a strength meter in the browser)

At the moment the only limitation on passwords in Matomo is that they need to be from 6 to 200 characters long.
https://github.com/matomo-org/matomo/blob/b178978b979c5dcf20fe81a9b28034c0de4ce90e/plugins/UsersManager/UsersManager.php#L27-L28

But for organizations that have many employees it might be useful to disallow really weak passwords (123456).

Maybe for the beginning it would be enough to make PASSWORD_MIN_LENGTH configurable (to avoid having overly complex password rules that force people to write down their passwords).

In addition it may be an idea for a plugin that checks all password hashes against https://haveibeenpwned.com/Passwords and disallows ones that are over a set threshold, to avoid trivial passwords.
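The haveibeenpwned check suggested above works with a k-anonymity range query: only the first 5 hex characters of the password's SHA-1 are sent to the service, and the returned list of suffixes is matched locally. The following is an added example (not Matomo code and not the PasswordVerifier plugin); it uses the real `api.pwnedpasswords.com/range/` endpoint URL but evaluates a constructed sample response so it runs offline, and the threshold policy mirrors the issue's suggestion.

```python
import hashlib

# Real HIBP Pwned Passwords range endpoint. Only the 5-character prefix is
# ever sent; the 35-character remainder stays on the client.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password: str) -> tuple:
    """Return (prefix sent to HIBP, suffix compared locally), both upper-case hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse a range response body ("SUFFIX:COUNT" per line) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank lines / padding entries without a count
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How often the password appears in the breach corpus (0 if absent)."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def is_acceptable(password: str, range_body: str, threshold: int = 0) -> bool:
    """Policy from the issue: reject passwords seen more than `threshold` times."""
    return breach_count(password, range_body) <= threshold


# Constructed sample response for prefix 7C4A8 (the prefix of SHA-1("123456")).
# The other suffixes and all counts are made up for this example.
SAMPLE_RANGE_BODY = """\
00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:3
D09CA3762AF61E59520943DC26494F8941B:4242
FFBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:1
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("123456")
    print("would query:", HIBP_RANGE_URL.format(prefix=prefix))
    print("123456 seen", breach_count("123456", SAMPLE_RANGE_BODY), "times")
    print("acceptable at threshold 0:", is_acceptable("123456", SAMPLE_RANGE_BODY))
```

In a live check, fetch `HIBP_RANGE_URL.format(prefix=prefix)` over HTTPS and pass the response text as `range_body`.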

@Findus23 commented on November 6th 2018 Member

It turns out that thanks to the existing event, adding a haveibeenpwned-integration is really easy:

https://plugins.matomo.org/PasswordVerifier
