Allow admin to create a password policy #13666

Closed
Findus23 opened this issue Nov 3, 2018 · 4 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org.

Comments

@Findus23
Copy link
Member

Findus23 commented Nov 3, 2018

similar to #13070 (show a strength meter in the browser)

At the moment the only limitation for passwords in Matomo is that they need to be from 6 to 200 characters long.

```php
const PASSWORD_MIN_LENGTH = 6;
const PASSWORD_MAX_LENGTH = 200;
```

But for organizations who have many employees it might be useful to disallow really weak passwords (123456).

Maybe for the beginning it would be enough to make the PASSWORD_MIN_LENGTH configurable (to avoid having overly complex password rules that force people to write down their passwords)

In addition it may be an idea for a plugin that checks all password hashes against https://haveibeenpwned.com/Passwords and disallows ones that are over a set threshold to avoid trivial passwords.

@Findus23 Findus23 added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. c: New plugin For features that probably will not be added to Matomo, but could be implemented as plugins. labels Nov 3, 2018
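The two checks proposed in the comment above (a configurable minimum length and a lookup against the haveibeenpwned Pwned Passwords corpus with a rejection threshold) as one added example. This is illustration code written for this page, not the code of Matomo core or of the PasswordVerifier plugin. It uses the real Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<prefix>` with the `Add-Padding` header) but, so that it runs offline, the default fetcher answers from a constructed sample response with made-up counts; `live_fetch_range` is the network variant. The lookup follows the k-anonymity scheme the service uses: only the first five hex characters of the SHA-1 of the candidate password leave the client, and the remaining 35 characters are compared locally against the returned suffix list.

```python
import hashlib
from typing import Callable, Dict, List, Tuple
from urllib.request import Request, urlopen

# Constructed sample of a Pwned Passwords "range" response for the SHA-1
# prefix 7C4A8, which is the prefix of sha1("123456"). The counts are made
# up for this example; the real service returns one "SUFFIX:COUNT" line per
# hash that shares the requested prefix.
SAMPLE_RANGES: Dict[str, str] = {
    "7C4A8": "\r\n".join([
        "D09CA3762AF61E59520943DC26494F8941B:37359195",  # suffix of sha1("123456")
        "00A8DAE4228F821FB418F59826079BF368E:2",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:0",  # padding entry (count 0), must be ignored
    ]),
}

FetchRange = Callable[[str], str]


def split_sha1(password: str) -> Tuple[str, str]:
    """Return the 5-character prefix sent to the API and the 35-character suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed or empty lines are skipped."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def local_fetch_range(prefix: str) -> str:
    """Offline fetcher used by default: answers from the constructed sample above."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def live_fetch_range(prefix: str) -> str:
    """Network fetcher for the real service (not called by the tests)."""
    req = Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-policy-example"},
    )
    with urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: FetchRange = local_fetch_range) -> int:
    """How often the password appears in the corpus; 0 when absent (padding rows also carry 0)."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def check_password(
    password: str,
    min_length: int = 6,          # Matomo's current PASSWORD_MIN_LENGTH
    max_length: int = 200,        # Matomo's current PASSWORD_MAX_LENGTH
    pwned_threshold: int = 0,     # reject when breach count exceeds this
    fetch_range: FetchRange = local_fetch_range,
) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    n = len(password)
    if n < min_length:
        problems.append(f"too short: {n} < {min_length}")
    if n > max_length:
        problems.append(f"too long: {n} > {max_length}")
    count = pwned_count(password, fetch_range)
    if count > pwned_threshold:
        problems.append(f"appears {count} times in the Pwned Passwords corpus (threshold {pwned_threshold})")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "abc", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

The check can only run where the plaintext is available, i.e. at the moment a user sets or changes the password, because the hashes Matomo stores are salted and cannot be turned back into the SHA-1 the service indexes. With `Add-Padding` the response also contains filler rows with a count of 0 so that response size does not reveal the real number of matches; the code treats those the same as "not found".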
@Findus23
Copy link
Member Author

Findus23 commented Nov 6, 2018

It turns out that thanks to the existing event, adding a haveibeenpwned-integration is really easy:

https://plugins.matomo.org/PasswordVerifier

@Findus23 Findus23 removed the c: New plugin For features that probably will not be added to Matomo, but could be implemented as plugins. label Nov 6, 2018
@simivar
Copy link
Contributor

simivar commented Apr 7, 2019

@Findus23 like discussed in #14295 I've created a new plugin that is available on the marketplace: https://github.com/simivar/matomo-password-policy-enforcer
https://plugins.matomo.org/PasswordPolicyEnforcer

@Findus23
Copy link
Member Author

I think with my plugin using haveibeenpwned and @simivar's plugin with common rules and the possibility to easily write a plugin that enforces any arbitrary rule, this should be solved.

@Findus23 Findus23 added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Jun 4, 2020
@mattab
Copy link
Member

mattab commented Nov 7, 2022

FYI we're thinking of implementing something simple for password policy in core, see #19961
