Allow admin to define a password rules

[schiessle]

I will start working on a app which let the admin define some rules for passwords.

Scope

• public link passwords
• login passwords (for local user back-end)

Rules

• define a minimum length of the password
• enforce upper/lower case
• at least one numeric character
• at least one special character

Did I miss something?

Development started here nextcloud/password_policy#1
Added events to core: #221

cc @karlitschek @LukasReschke @MorrisJobke @blizzz

[karlitschek]

sweeet. i think this should be all

[LukasReschke]

login passwords (for local user back-end)

I doubt that ownCloud has this. Furthermore, this is usually considered snake-oil and it has been proven that this actually decreases security.

Something more reliable in this case usually is what for example Discourse does:

• Define minimum password length (e.g. 8 characters)
• Ship a JSON file of the 1 million or 100'000 most used passwords (you can get them in the internet) and forbid to use it if it is on it.

I'd HIGHLY advocate to go this approach for the login passwords as well as the share passwords instead. We won't add a highly complicated GUI plus it is technically more secure. Plus easier to implement ;-)

You can get a list from https://github.com/danielmiessler/SecLists/tree/master/Passwords and an example implementation at https://github.com/discourse/discourse/tree/789a6aeb218f87395b82eb680e455e3147bac3b4/lib/common_passwords

[LukasReschke]

define a minimum length of the password

👍

enforce upper/lower case
at least one numeric character
at least one special character

👎 and go instead with an proposal as suggested at #213 (comment)

[karlitschek]

let's go with the same feature set for now.

[LukasReschke]

let's go with the same feature set for now.

Share link only passwords then, that should be easy as there are already hooks for that: \OC\Share::verifyPassword and \OC\Share::verifyExpirationDate. Both pass $accepted as reference.

[schiessle]

Share link only passwords then, that should be easy as there are already hooks for that: \OC\Share::verifyPassword and \OC\Share::verifyExpirationDate. Both pass $accepted as reference.

I would just solidarize the hooks while working on it and also add it to the normal password change. Shouldn't be a lot of work and with a dedicated hook other apps can also connect to it and verify their passwords if they wish.

[LukasReschke]

I would just solidarize the hooks while working on it and also add it to the normal password change. Shouldn't be a lot of work and with a dedicated hook other apps can also connect to it and verify their passwords if they wish.

Ok. Good point. 👍

[schiessle]

Merged and ready for Nextcloud 9.0.52