Hi @simivar,

Thanks for your contribution. In the future it might be a good idea to comment on an issue indicating that you want to work on the issue, so that work is not duplicated. Often I open issues to start a discussion on how something should be solved and not as a finished proposal.

In this case I honestly thought about a config file parameter as I think this UI would be only useful for a very small fraction of Matomo users and another UI makes the settings even more complex. So maybe this could be extracted as a plugin.
But maybe someone else knows more?

@Findus23 sure, I'll remember that in the future.

I was thinking about adding options to config file but decided for UI mainly because of two things:

• not all users read what options are available in config files
• it should be encouraged to use Password Policy and to have all those options turned on, this way more people will see that and opt-in on that

If you strongly think that it should be moved to config I will gladly edit my PR.

it should be encouraged [...] to have all those options turned on

I highly disagree with this statement, see the discussion there: #14176

I think neither options nor config is needed and executing these checks for everyone without any setting or config should be fine. Yes you can have save passwords without a number, and having this or that doesn't make it safe... but it's still better maybe to just force different kind of characters (the UI doesn't need to say that makes it a strong password). Anyway, I would just not want any config or UI setting for this ideally. That's just me though.

If someone really needs this feature it should be easy to create a plugin similar to https://github.com/Findus23/plugin-PasswordVerifier/blob/master/PasswordVerifier.php that implements arbitrary rules.

@mattab what's your take on that?

Hi @simivar
Thank you for the Pull Request! It's a valuable feature 👍 But at this time we'd prefer to have this feature optional in a plugin rather than in core.
-> Would it be possible to move your feature to a plugin and publish it on the marketplace?

@mattab @Findus23
I've created https://github.com/simivar/matomo-password-policy-plugin. But, there's a problem. I get an e-mail stating:

-> The tag was created in the repository simivar/matomo-password-policy-plugin but we
expected the tag in PiwikPRO/plugin-PasswordPolicy. If the repository has moved, reply to
this email to prove ownership and indicate who the new owner should be. <-

From what I gather Matomo and PiwikPRO are two separate entities. I can't find "Password policy" plugin on Matomo Marketplace too. What should I do?

@simivar Every plugin ID has to be unique as that's what Matomo uses to identify plugins.

Even if the old plugin is removed from the marketplace (I think it is already or at least hidden on the public pages) having the same ID would maybe cause odd issues.

So I'd recommend you to just use another name for the plugin:
https://github.com/simivar/matomo-password-policy-plugin/blob/1839638a86ec612e0e1d340fb32e260fb4c9a46a/plugin.json#L2

@Findus23 I think that the list of all, even hidden, plugins should be searchable somewhere so that would be clear that such plugin name is taken.

@simivar so far I think this is only the first time this happened. I think the error message is somewhat helpful in this case but happy to change / improve it. Like we could say "If this is not your repo, please rename the plugin and publish it again". I'm thinking even if we have such a list available somewhere, devs might not look at it first and changing the plugin name later should be in most cases somewhat easy (find/replace). BTW: The reason it isn't showing this plugin is because it is only available up to Piwik 2. So over time (in a few years) this might become more of an issue and might need to actually make such a list available at some point.