
As a Super User, I want to force all users to use strong, secure passwords for their Matomo account #19961

Open
mattab opened this issue Nov 7, 2022 · 2 comments
Labels: c: Security (For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.), Enhancement (For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.)

mattab commented Nov 7, 2022

As a Super User, I want to force all users to use strong, secure passwords for their Matomo account.

This is important as it will help increase the security of the data stored in Matomo, by ensuring that all users have strong passwords and that they are forced to set one.

Potential solution:

  • A new General setting, "Force all users to set a strong, secure password." (<- confirm wording + inline help microcopy)
  • where to put the setting? Ideally we would merge "Login" and "TwoFactorAuth" sections (in "General settings" page) into one section "Login & Security" that would have all settings nicely in one section?

By default, we should use an existing/standard set of strong password checks.
How much do we let super users customise the password policy details (number of min chars, etc. etc.)?

Here is what it looks like in discourse, which would be a great place to start:
[screenshot of the Discourse password policy settings]

Here is the text version:

  • min password length: Minimum password length.
  • min admin password length: Minimum password length for Admin.
  • password unique characters: Minimum number of unique characters that a password must have.
  • block common passwords: Don't allow passwords that are in the 10,000 most common passwords.

Other notes:

Out of scope:

  • Force people to change their password every X weeks is not included in this scope

This feature will be combined with other changes:
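The four Discourse-style checks quoted in the issue (minimum length, a separate minimum for admins, minimum unique characters, and a common-password blocklist), written out as an added example of how such a configurable policy can be evaluated; this is illustration code, not Matomo's or Discourse's implementation, and the thresholds and the short blocklist are constructed for the example.

```python
"""Password policy checker modelled on the settings listed in the issue.

Added illustration, not Matomo code. The default thresholds and the short
common-password blocklist are constructed for this example; a real
deployment would load the 10,000 most common passwords from a data file.
"""
from dataclasses import dataclass

# Constructed sample of a common-password blocklist (the real list has ~10,000 entries).
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "welcome1"})


@dataclass(frozen=True)
class PasswordPolicy:
    """Thresholds a Super User could configure; defaults are example values."""
    min_length: int = 10            # "min password length"
    min_admin_length: int = 15      # "min admin password length"
    min_unique_chars: int = 5       # "password unique characters"
    block_common: bool = True       # "block common passwords"
    common_passwords: frozenset = COMMON_PASSWORDS


def check_password(password: str, policy: PasswordPolicy, is_admin: bool = False) -> list:
    """Return the list of violated rules; an empty list means the password is accepted.

    All violations are collected rather than stopping at the first one, so the
    UI can show the user everything that must change in a single round trip.
    """
    violations = []
    # Admin accounts (e.g. Super Users) get the stricter of the two minimums.
    required = max(policy.min_length, policy.min_admin_length) if is_admin else policy.min_length
    if len(password) < required:
        violations.append(f"shorter than {required} characters")
    if len(set(password)) < policy.min_unique_chars:
        violations.append(f"fewer than {policy.min_unique_chars} unique characters")
    # Blocklist match is case-insensitive: "Password" is no better than "password".
    if policy.block_common and password.lower() in policy.common_passwords:
        violations.append("appears in the common-password blocklist")
    return violations


if __name__ == "__main__":
    policy = PasswordPolicy()
    samples = [("password", False), ("aaaaaaaaaaaa", False), ("correct horse battery", True)]
    for pw, admin in samples:
        result = check_password(pw, policy, admin)
        print(repr(pw), "admin" if admin else "user", result or "accepted")
```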

@mattab mattab added Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. labels Nov 7, 2022
@mattab mattab added this to the Impact Backlog milestone Nov 7, 2022
@MatomoForumNotifications

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/weak-passwort-policy-password-enforcement-passwordpolicyenforcer-on-matomo-5/55716/6

@heurteph-ei

Note:
https://plugins.matomo.org/PasswordPolicyEnforcer?matomoversion=4 has not been maintained for more than 3 years... (last commit on October 12th, 2020)
