As a Super User, I want to force all users to use strong, secure passwords for their Matomo account #19961
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Enhancement
For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
Milestone
As a Super User, I want to force all users to use strong, secure passwords for their Matomo account.
This is important as it will help increase the security of the data stored in Matomo.
By ensuring that all users have strong passwords, and that they are forced to set a strong password.
Potential solution:
By default, we should use an existing/standard set of strong password checks.
How much do we let super users customise the password policy details (number of min chars, etc. etc.)?
Here is what it looks like in discourse, which would be a great place to start:
Here is the text version:
Other notes:
if we implement the
Don't allow passwords that are in the 10,000 most common passwords.
this would be similar, but different, from https://plugins.matomo.org/PasswordVerifier#description which sends some hash of password to an API (which we wouldn't want to do)there is also a plugin for password policy but we wouldn't do it exactly like in that plugin (would rather do it like Discourse does (see above)) https://plugins.matomo.org/PasswordPolicyEnforcer#preview
Out of scope:
This feature will be combined with other changes:
The text was updated successfully, but these errors were encountered: