Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Flexible password policy with hook and metadata #418

Open
louischan-oursky opened this issue Feb 21, 2020 · 3 comments
Open

Flexible password policy with hook and metadata #418

louischan-oursky opened this issue Feb 21, 2020 · 3 comments
Labels
area/User Auth

Comments

@louischan-oursky
Copy link
Contributor

Description

Our password policy currently supports

  • At n characters long
  • At least 1 ASCII uppercase character
  • At least 1 ASCII lowercase character
  • At least 1 ASCII digit
  • At least 1 ASCII printable symbol
  • A static list of excluded keywords
  • zxcvbn guessable level
  • password history

However, the developer may further want to restrict the user not to have their password contains the value of metadata. For example, the metadata may look like

{
  "name": "Louis Chan"
}

The developer may want to enforce that the password does not contain the substring louischan, louis or chan. There are many other rules that one can think of.

Passing the plain password in the hook is not a good idea. The developer may tempt to store it, or even store it in plain text.

I am think of in before_password_update hook, the developer can return a list of rules that the password must validate against. The example here is written in s-expression.

(must-not (contains (map lowercase (split "\\s+" (metadata "name"))) password))

Blog Post Specification

Blog Post of the Feature Release

Open Questions

Put a list of open questions here before a complete design / specification is decided

Related Issues

  • Server Issues
  • Client Issues
  • Guides Issues
@chpapa
Copy link
Contributor

chpapa commented Feb 21, 2020

Your solution is definitely more flexible. But I'm also thinking if we end up metadata is a common use cases, maybe we can simply add a setting to let user specifiy some metadata fields' keywords can't appear in password?

@louischan-oursky
Copy link
Contributor Author

My original solution may be a bit too complex. A balanced solution could be in the before_password_update hook, the developer can return a list of words that cannot appear in the password. This is simpler than my original solution yet offer the flexibility to let the developer to derive a list of words from the metadata.

@chpapa
Copy link
Contributor

chpapa commented Feb 21, 2020

Sounds like could be both solutions (configuration to avoid keywords in metadata, return s-expression / keywords that cannot appear in the password) let's see which one is more useful in real life

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/User Auth
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@chpapa @louischan-oursky