[Fusionforge-general] fusionforge account password validation

Michael Kluge michael.kluge at tu-dresden.de
Wed Aug 10 07:47:29 CEST 2016


My 2 cents: I have each password input checked against a regular expression 
(which is in the config). Thus, I can adapt this easily as password rules get 
updated. Should I try to submit this as a patch? What actually would be needed 
as well in the config (did not do this yet) is an explanation of the password 
rules (maybe in HTML). This would allow each site to use the local rules and 
to put explanations into the fusionforge config.

Regards, Michael

> Currently, there is no validation mechanism for user passwords, except
> checking that they are at least 6 characters long. This allows very
> weak passwords to be used; this can be a security issue.

In the master branch, passwords must be 8 characters long.

> We (inria) would like to add at least some basic password validation.

+1

>
> I've added simple password validation which ensures that passwords
> contain at least one lower case letter, one upper case, one digit, and
> one non-alphanumeric char. This is checked both when creating an
> account or when changing an account's password. Additionally, as this
> may cause some problems for particular fusionforge instances, I've
> added a config option (check_password_strength boolean) to deactivate
> this validation.
>
> patch attached.

Could you rebase your patch against latest master?
Then could you create a "feature request" artifact and attach your patch?

I will take a look after my vacation :-)
Meaning: end of August.


Regards,
Franck

--
TrivialDev Founder
http://trivialdev.com
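
The two approaches discussed in this thread, the character-class rules of the quoted patch and a site-configurable regular expression with an explanation of the rules, can be combined as in the following added example. It is not code from FusionForge or from the attached patch; apart from `check_password_strength`, the config keys `password_regex` and `password_rules_html` and the function name are hypothetical.

```php
<?php
// Added illustration. Constructed site configuration standing in for values
// read from the forge config; only check_password_strength is named in the thread.
$config = [
    'check_password_strength' => true,
    // Rules of the quoted patch (lower, upper, digit, non-alphanumeric)
    // plus the 8-character length mentioned for master.
    'password_regex' => '/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[^a-zA-Z0-9]).{8,}$/s',
    'password_rules_html' => '<p>At least 8 characters, with one lower-case letter, '
        . 'one upper-case letter, one digit and one other character.</p>',
];

/**
 * Returns [bool $ok, string $message]. Fails closed when the configured
 * pattern is missing or does not compile, so a typo in the config cannot
 * silently turn the check into "accept everything".
 */
function validate_password(string $password, array $config): array
{
    if (empty($config['check_password_strength'])) {
        return [true, '']; // validation switched off by the site admin
    }
    $pattern = $config['password_regex'] ?? '';
    // preg_match() returns 1 on match, 0 on no match, false on error.
    $result = ($pattern === '') ? false : @preg_match($pattern, $password);
    if ($result === false) {
        error_log('password_regex is missing or invalid; rejecting password');
        return [false, 'Password rules are misconfigured; contact the site administrator.'];
    }
    if ($result === 0) {
        // Show the site's own explanation of its rules.
        return [false, $config['password_rules_html'] ?? 'Password does not meet the site rules.'];
    }
    return [true, ''];
}

// Constructed sample inputs.
foreach (['abcdef', 'Abcdefg1', 'Abcdef1!'] as $pw) {
    [$ok] = validate_password($pw, $config);
    printf("%-14s %s\n", $pw, $ok ? 'accepted' : 'rejected');
}

// A broken pattern (unbalanced parenthesis) must reject, not accept.
$broken = ['password_regex' => '/^(?=.*[a-z].{8,}$/'] + $config;
[$ok] = validate_password('Abcdef1!', $broken);
printf("%-14s %s\n", 'broken regex', $ok ? 'accepted' : 'rejected');
```

Only `Abcdef1!` is accepted under the sample configuration, and the same password is rejected when the configured pattern does not compile.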
