🚀 Feature: Ability to configure password policy

[yonarbel]

🔖 Feature description

Configuring password policy which will be enforced for basic authentication registration

🎤 Pitch

As an admin, I’d like to have an option to set requirement for a password policy so when user registering To the system, he will have to fulfill the minimal requirement.

as for phase 0 this can be implemented like

{
 minLength: number,
 requireSpecialChar: []string,
 requireNumber:boolean,
 requireCapital: boolean
}

👀 Have you spent some time to check if this issue has been raised before?

• I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

• I have read the Code of Conduct

[eldadfux]

Sounds like a very cool feature. One doubt that I have is about the requireSpecialChar, wouldn't it make more sense to just use a boolean with a predefined list or ranges of what a special char is? Wouldn't it make it a bit complex if each project would have its own definition of what a special char is?

Some other ideas I had for password policies are:

• Password history: remembering X number of previews password and not allowing to reuse them
• Password expiry: forcing users to reset password after X time
• Common passwords: prohibiting the usage of common passwords, maybe with a DB like this one: https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-10000.txt
• Compromised password: prohibiting usage of compromised password with a DB like: https://haveibeenpwned.com/

For the UI, I think something like this could work well:

[yonarbel]

It depends if you want to set a predefined specialChar or let the admin decide what are special chars this also gives the possibility to the Frontend to explain the user exactly what kind of special char should be in

also, I think your suggestion are great!
But it’s kinda another feature of “secuirty configuration”

my suggestion for phase0 related to the password policy only, but of course adding security settings section with these options can be great.. also set a max attempts of fail password before getting locked out and brute force mechanism for login attempts (maybe exist didn’t check) can be awesome as well

[eldadfux]

Yeh I totally agree we shouldn't couple all the features together, it will just slow everything down. We do have brute force protection in place, but it's predefined and not configurable.

[ItzNotABug]

@eldadfux
Since the password history was added in the latest Appwrite release, any plans for the password complexity (lowercase, one uppercase, one number, one special char) in the upcoming releases?

[Horsty80]

It's still open, since 2022, any news on it ?

[eldadfux]

We did introduce some policies, while not high priority we would still like to introduce new ones.