Set password requirements

[armanddidierjean]

We should update our password validators to unsure new users' password are strong enough.

This need to be coordinated with Titan to make sur the requirements are the same on both sides

[Marc-Andrieu]

[NB for readers: now 2 years later, password management happens fully on CalypSSO, and a new password is checked using zxcvbn]

Do we still want this? This would only make a difference if one activates their account / changes their password directly through the API; in that case it's at their risk, isn't it?

[Marc-Andrieu]

Given that we have old users who created their account before the zxcvbn password entropy requirements, did you mean to check these requirements on every /login authentication attempt?

[Marc-Andrieu]

@armanddidierjean

[armanddidierjean]

Both are possible:

• Checking the strength of the password during activation/password change would not be a bad idea, but I agree with the recent development of CalypSSO this should not matter as much as before
• Based on Let admins invalidate the password of selected users #879 it would be possible to invalidate a password considered 'not strong enough' when the user login. I believe this use case will be limited: the majority of user should have a strong password. The few people with an old weak password probably don't use MyECL anymore.

I'm not sure my orginal idea of checking against zxcvbn in the back is really pertinent. Maybe simple checks would be enough: a password long enough... Though we would not have garantee that a password considered strong by zxcvbn would match our Hyperion settings...

[Marc-Andrieu]

Waw well spotted, I strongly appreciate your 2nd point involving #879!
That would obviously require it to be reviewed and approved beforehand...

You think the Python port of zxcvbn has a different behavior?