View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|14636||Feature requests||Security||public||2019-03-12 15:22||2020-08-26 15:50|
|Summary||14636: Admin password restriction|
|Description||It would be great to have an admin password restriction (or a plugin event for this (if it's already here: OK, I do the core plugin))|
|Additional Information||Default take from config.php|
Restricted super admin have a screen to update
Taken from nextcloud :
- Minimum size
- Prohibit current passwords
- Imposing uppercase and lowercase characters
- Imposing numbers
- Imposing special characters
- Check the password against the list of violated passwords on haveibeenpwned.com (maybe not this one).
config-default.php can be min size to 8 for starting
|Tags||No tags attached.|
|OK in 4.0? Or did you already have a plugin for this?|
DenisChenu, are you thinking of e.g. a new global setting at which superadmins can define the minimum password requirements by using the list you added above? That would be pretty useful.
I guess there are proper regex for checking the password requirements outlined above?
Yes, in admin GUI.
Maybe on a core plugin activated by default ;)
I can do it for 4.0, I just wait …
I have code to enforce minimum password strength for Version 3.17.0+190402 see: https://bugs.limesurvey.org/view.php?id=9599
I will share the code and update the above issue report by Monday next week.
I have made modifications to the LS 3.x core to enforce password strength when an admin is editing a user account, or when a user edits their own password settings.
My solution doesn't use the gettranslation feature as I only required my solution to be in English. If this ends up in core, of course, texts should be translated.
The changes were made against build Version 3.17.0+190402, and involved the files:
Password criteria can be specified via the config.php, using this format (min and max refer to required length of the password, upper refers to uppercase, numeric is obvious, as is symbol).
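// Update default LimeSurvey config here
'params' => array(
    'passwordValidator' => array(
        'min' => 10,     // minimum password length
        'max' => 22,     // maximum password length
        'upper' => 3,    // uppercase characters
        'numeric' => 1,  // numeric characters
        'symbol' => 2,   // symbol characters
    ),
),
/* End of file config.php */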
application.zip (20,280 bytes)
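As an added example (not blocka's patch and not LimeSurvey's own code), a checker that applies the policy keys from the config fragment in the note above. It assumes `upper`, `numeric` and `symbol` are minimum character counts; the function name `checkPasswordPolicy` is hypothetical, and the mbstring extension is required.

```php
<?php
// Added example: hypothetical checker, not LimeSurvey's implementation.
// Assumption: 'upper', 'numeric' and 'symbol' are minimum character counts.

/**
 * Return a list of policy violations; an empty list means the password passes.
 */
function checkPasswordPolicy(string $password, array $policy): array
{
    // Reject invalid UTF-8 up front so length and class counts are reliable.
    if (!mb_check_encoding($password, 'UTF-8')) {
        return ['must be valid UTF-8'];
    }

    $errors = [];
    $length = mb_strlen($password, 'UTF-8'); // characters, not bytes

    if (isset($policy['min']) && $length < $policy['min']) {
        $errors[] = "must be at least {$policy['min']} characters long";
    }
    if (isset($policy['max']) && $length > $policy['max']) {
        $errors[] = "must be at most {$policy['max']} characters long";
    }

    // Unicode-aware classes, so non-ASCII letters and digits count too.
    $classes = [
        'upper'   => ['/\p{Lu}/u', 'uppercase letter(s)'],
        'numeric' => ['/\p{Nd}/u', 'digit(s)'],
        'symbol'  => ['/[^\p{L}\p{N}\s]/u', 'special character(s)'],
    ];
    foreach ($classes as $key => [$pattern, $label]) {
        $required = (int) ($policy[$key] ?? 0);
        // preg_match_all() returns the number of matches found.
        if (preg_match_all($pattern, $password) < $required) {
            $errors[] = "must contain at least {$required} {$label}";
        }
    }
    return $errors;
}

// Policy values copied from the config fragment in the note above.
$policy = ['min' => 10, 'max' => 22, 'upper' => 3, 'numeric' => 1, 'symbol' => 2];

// Constructed sample passwords.
foreach (['Summer2019', 'CorrectHorse#Battery9!'] as $candidate) {
    $errors = checkPasswordPolicy($candidate, $policy);
    echo $candidate, ': ', $errors ? implode('; ', $errors) : 'OK', PHP_EOL;
}
```

Returning every violation at once, rather than stopping at the first, lets a settings screen show the user the full set of unmet requirements in one pass.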
|Can you make a PR on github, please?|
@DenisChenu, @cdorin, the feature for defining the PW strength was added to LS4, see https://github.com/LimeSurvey/LimeSurvey/blob/master/application/config/config-defaults.php#L795 and https://github.com/LimeSurvey/LimeSurvey/commit/b8d7499e05977abffe8811b88588c56f8c74b46c but documentation is missing.
Please make sure that this gets documented in the LimeSurvey manual. Otherwise most users will not be aware that this actually exists. A feature not documented is a feature not used.
If needed I can take care of the German translation afterwards. Just post the link here.
|I'm not the dev … then I don't update manual …|
|So who actually implemented this?|
|2019-03-12 15:22||DenisChenu||New Issue|
|2019-04-04 07:57||DenisChenu||Relationship added||has duplicate 14736|
|2019-04-04 07:58||DenisChenu||Assigned To||=> c_schmitz|
|2019-04-04 07:58||DenisChenu||Status||new => feedback|
|2019-04-04 07:58||DenisChenu||Note Added: 51334|
|2019-04-05 08:54||Mazi||Note Added: 51359|
|2019-04-05 08:57||DenisChenu||Note Added: 51362|
|2019-04-05 08:57||DenisChenu||Status||feedback => assigned|
|2019-04-05 08:58||DenisChenu||Note Edited: 51362||View Revisions|
|2019-04-12 22:06||blocka||Note Added: 51462|
|2019-04-13 05:11||blocka||File Added: application.zip|
|2019-04-13 05:11||blocka||Note Added: 51463|
|2019-04-15 18:02||ollehar||Note Added: 51472|
|2019-04-15 20:05||blocka||Note Added: 51473|
|2020-08-24 13:09||Mazi||Note Added: 59588|
|2020-08-26 15:38||DenisChenu||Note Added: 59638|
|2020-08-26 15:50||Mazi||Note Added: 59639|