Elasticsearch: Allow enforcing minimum password strength

Created on 10 Feb 2017 · 2 Comments · Source: elastic/elasticsearch

Original comment by @loekvangool:

We should allow administrators to add more requirements to passwords. We now (5.0.0) enforce a minimum length of 6 (at least in the UI), but many enterprises require more.

Taking inspiration from Wikipedia, we could support:

  1. the use of both upper-case and lower-case letters (case sensitivity)
  2. inclusion of one or more numerical digits
  3. inclusion of special characters, such as @, #, $
  4. prohibition of words found in a password blacklist
  5. prohibition of words found in the user's personal information
  6. prohibition of use of company name or an abbreviation
  7. prohibition of passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers

I'm proposing that out of these we at least add support for 1, 2, 3. Bonus kudos if we support LINK REDACTED, which basically means: if the password reaches a minimum length of, say, 20, drop the other rules.

Labels: :Security/Authentication, >enhancement, Security
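As an added illustration of the policy proposed above (example code written for this page, not code from the issue or from Elasticsearch), here is a Python validator implementing rules 1 through 7 together with the passphrase exemption: once a password reaches 20 characters the composition rules 1 to 3 are dropped, while the blacklist, personal-information, company-name and date/number rules stay in force. The `Policy` and `check_password` names, the blacklist words and the company names are all hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed blacklist for this example; a real deployment would load a
# breached-password list with thousands of entries instead.
DEFAULT_BLACKLIST = frozenset({"password", "qwerty", "letmein", "welcome"})

# Rule 7: passwords that are just a calendar date or a bare number
# (dd/mm/yyyy, dd-mm-yy, yyyymmdd, ...). A heuristic, not a full date parser.
DATE_OR_NUMBER = re.compile(r"^(?:\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}|\d+)$")


@dataclass(frozen=True)
class Policy:
    min_length: int = 6            # what 5.0.0 already enforces in the UI
    passphrase_length: int = 20    # at or above this, rules 1-3 are waived
    require_mixed_case: bool = True   # rule 1
    require_digit: bool = True        # rule 2
    require_special: bool = True      # rule 3
    blacklist: frozenset = DEFAULT_BLACKLIST             # rule 4
    company_names: tuple = ("elastic", "elasticsearch")  # rule 6, hypothetical


def check_password(password, user_info=(), policy=None):
    """Return the list of violated rule names; an empty list means accepted.

    user_info holds strings from the user's profile (name, login, ...) that
    must not appear in the password (rule 5).
    """
    policy = policy or Policy()
    violations = []
    if len(password) < policy.min_length:
        violations.append("min_length")

    # Composition rules 1-3 apply only below the passphrase threshold.
    if len(password) < policy.passphrase_length:
        has_lower = any(c.islower() for c in password)
        has_upper = any(c.isupper() for c in password)
        if policy.require_mixed_case and not (has_lower and has_upper):
            violations.append("mixed_case")
        if policy.require_digit and not any(c.isdigit() for c in password):
            violations.append("digit")
        if policy.require_special and not any(not c.isalnum() for c in password):
            violations.append("special")

    # Rules 4-7 stay in force regardless of length: a 25-character password
    # that embeds the user's own name is still a bad password.
    lowered = password.lower()
    if any(word in lowered for word in policy.blacklist):
        violations.append("blacklist")
    if any(len(item) >= 3 and item.lower() in lowered for item in user_info):
        violations.append("personal_info")
    if any(name in lowered for name in policy.company_names):
        violations.append("company_name")
    if DATE_OR_NUMBER.match(password):
        violations.append("date_or_number")
    return violations


if __name__ == "__main__":
    samples = [
        ("Tr0ub4dor&3", ()),
        ("correct horse battery staple", ()),
        ("correct horse battery staple", ("Battery",)),
        ("Alice2024!", ("alice",)),
        ("01/02/1990", ()),
    ]
    for pw, info in samples:
        print(f"{pw!r}: {check_password(pw, info) or 'OK'}")
```

Note that the blacklist and personal-information checks are substring matches on the lowercased password, so "Password1!" and "xxAlicexx" are both rejected; the three-character floor on `user_info` items avoids rejecting every password that happens to contain a two-letter initial.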

All 2 comments

  1. Force user to change password after first login

Is there any due date for this?
