Require password complexity #3205
Conversation
| @@ -395,4 +395,7 @@ The {2} Team</value> | |||
| <data name="PackageCreatedFromApi" xml:space="preserve"> | |||
| <value>Package created from API.</value> | |||
| </data> | |||
| <data name="PasswordValidationFailure" xml:space="preserve"> | |||
| <value>Use atleast 8 characters and include one uppercase letter, one lowercase letter and a digit. </value> | |||
There was a problem hiding this comment.
at least (missing the space) #Resolved
|
Correct me if I'm wrong, but this only enforces that the password is secure on registration, right? This doesn't prevent users from resetting their password to something that's not allowed on the accounts page or by following the forgot my password flow, right? #Resolved |
| internal static readonly Regex UsernameNormalizationRegex = | ||
| new Regex(@"[^A-Za-z0-9_\.-]"); | ||
| internal const string PasswordValidationRegex = | ||
| @"^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).{1,64}$"; |
There was a problem hiding this comment.
Comment would indeed be good, the {1,64} confuses me - Is this RegEx allowing passwords of 1 character length? #Resolved
|
The |
|
I'd be interested to hear answer to @scottbommarito's question above about password reset flow, other than that LGTM. #Resolved |
|
Good catch :) In reply to: 240892895 [](ancestors = 240892895) |
|
Added hints: #Resolved |
|
We should change the text to the below. Otherwise looks good. Your password must be at least 8 characters, should include at least one uppercase letter, one lowercase letter and a digit #Resolved |
|
I think you're still missing the ResetPassword flow, I only see Register and Change Password. |
|
Thanks! In reply to: 241141008 [](ancestors = 241141008) |
| @@ -53,6 +53,7 @@ public class ChangePasswordViewModel | |||
|
|
|||
| [Required] | |||
| [Display(Name = "New Password")] | |||
| [RegularExpression(RegisterViewModel.PasswordValidationRegex, ErrorMessage = RegisterViewModel.PasswordHint)] | |||
There was a problem hiding this comment.
Nit, but I think it would better to have a help class somewhere containing these RegEx and hints statically so we don't have ViewModels referring to other ViewModels, but it's fine to have it like that. #Resolved
|
LGTM! #Closed |
|
@yishaigalatzer @harikmenon , can I merge? #Closed |
|
|
This change won't break users. Simply, the next time they create a password, the requirements will be more severe. #Closed |
| [InlineData("aaAAaaAAaaAA")] // No digit | ||
| [InlineData("12345678a")] // No upperscase letter | ||
| [InlineData("12345678A")] // No lowercase letter | ||
| [InlineData("1aA")] // Too short |
There was a problem hiding this comment.
Add more trivial cases
single letter
single upper case letter
single number
just a number
special chars #Resolved
|
We are considering making password complexity configurable. This will allow users deploying gallery on their own servers to control the password complexity they require from their users.
Do you think this feature is important for our users? Should we enforce password complexity by default to make our customers more secure, even if they have their own deployments? @yishaigalatzer @robertmuehsig @maartenba @xavierdecoster @dtivel @qianjun22 |
|
An on/off flag would be useful for toggling the feature. I think a configurable regex can be implemented later based on feedback. #Closed |
|
The cost of implementing configuration is negligible, compared to a switch. Lets not push it out, either do it or not. #Closed |
|
+1 on configurable regex with default value enforcing the rules outlined in this issue #Closed |
|
a new version: password regex was made configurable. Please review again #Closed |
| @@ -174,6 +174,14 @@ public class AppConfiguration : IAppConfiguration | |||
| /// </summary> | |||
| public string EnforcedAuthProviderForAdmin { get; set; } | |||
|
|
|||
| [Required] | |||
| [DefaultValue("^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).{8,64}$")] | |||
There was a problem hiding this comment.
I think the default should be any string. That way if anyone wants to use it will set it as appropriate, or may be provide a way to disable configuration?
.*
``` #WontFix
There was a problem hiding this comment.
I think the default behavior should be as specified above (unless I'm missing something). I would add a comment explaining what this regex supposed to do #Resolved
|
Looks good. #Closed |
| namespace NuGetGallery.Infrastructure | ||
| { | ||
| [AttributeUsage(AttributeTargets.Property)] | ||
| public sealed class GalleryPasswordValidationAttribute : ValidationAttribute |
There was a problem hiding this comment.
nit: I would call this PasswordValidationAttribute the gallery is unnecessary #Resolved
|
|
When nit comments addressed
Require password complexity: atleast 8 characters, one uppercase letter, one lowercase letter, and a digit.
@maartenba @blowdart @yishaigalatzer @qianjun22