Hello,
Currently, there is no validation mechanism for user passwords, except checking that they are at least 6 (branch 6.x) or 8 (branch master) characters long. This allows very weak passwords to be used, which can be a security issue.
We (Inria) would like to add at least some basic password constraints.
Here's a patch adding simple password validation which ensures that passwords contain at least one lower case letter, one upper case, one digit, and one non-alphanumeric char. This is checked both when creating an account and when changing an account's password.
Related info strings and error messages for users are also added, using the localization mechanisms.
Additionally, there are a few refactorings / fixes of the password validation code.
Also, as this may cause some problems for particular FusionForge instances, there's a boolean config option checkpasswordstrength to deactivate this validation. By default, the password constraints are enabled.
Cheers!
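
The constraints described in the post above, sketched as an added PHP example (not the submitted patch and not FusionForge's own code). The function name, the error keys, the Unicode-aware character classes, and keeping the length check active when checkpasswordstrength is off are assumptions made for illustration.

```php
<?php
// Added illustration: every name here except the option key
// 'checkpasswordstrength' is hypothetical, not FusionForge's API.

/**
 * Return the constraints a password fails (empty array = accepted).
 * $minLength is 8 as on branch master (6 on branch 6.x).
 */
function password_policy_errors(string $password, array $config, int $minLength = 8): array
{
    $errors = [];

    // Assumption: the pre-existing length check stays active even when the
    // strength check is disabled. mb_strlen counts characters, not bytes.
    if (mb_strlen($password, 'UTF-8') < $minLength) {
        $errors[] = 'too_short';
    }

    // The option defaults to enabled when it is absent from the config.
    if (!($config['checkpasswordstrength'] ?? true)) {
        return $errors;
    }

    // Assumption: Unicode-aware classes, so an accented letter counts as a
    // letter and does not satisfy the non-alphanumeric requirement.
    // Invalid UTF-8 makes preg_match return false, which fails every class.
    $classes = [
        'missing_lowercase'        => '/\p{Ll}/u',
        'missing_uppercase'        => '/\p{Lu}/u',
        'missing_digit'            => '/\p{Nd}/u',
        'missing_non_alphanumeric' => '/[^\p{L}\p{N}]/u',
    ];
    foreach ($classes as $error => $pattern) {
        if (preg_match($pattern, $password) !== 1) {
            $errors[] = $error;
        }
    }
    return $errors;
}

// Constructed sample inputs, checked with the option enabled.
foreach (['password', 'Password1', 'Passw0rd!', 'Pässwörd1', 'Ab1!'] as $pw) {
    $errs = password_policy_errors($pw, ['checkpasswordstrength' => true]);
    printf("%-12s %s\n", $pw, $errs ? implode(', ', $errs) : 'ok');
}
```

Returning one key per failed constraint lets the caller map each to its own localized error message instead of a single generic rejection.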