@brianteeman Do you know if we have some regex already somewhere for checking password strength with some kind of minimum requirement, but safe enough for installation? If not, maybe you can suggest a regex? I would know where to implement the check then.

Update: Or just suggest the rule, I could make the regex myself.

Same with some language string: Do we already have one for a suitable validation error message?

See #27253 and the comments

I see, thanks. Let's see if someone wants to make a PR.

Related #20312

Well, JS it would need for a nice solution with a password strength meter. With this I can't help.

What I could do - and maybe it should be done anway as a second line of defense even if there is a client-side validation - is to add a server-side validation against some minimum, hard-coded requirements (which we first have to agree about) to the setup model.

@SniperSister Would you recommend that, a server-side check in PHP using a regex? If so, what should be the hard-coded requirements? Minimum 1 character of each kind (lowercase, uppercase, digit, symbol) and minimum length of 8? Or better 10?

@richard67

If you really want to enforce your password policy, you have to enforce it on the serverside of things for obvious reasons. In this case however, I think that a JS-based solution is good enough if that makes everyones live easier.

Regarding the complexity question: the topic has been raised for j.org properties too (see joomla/joomla-websites#1454, cc'ing @brianteeman).

Length: A min length of 8 characters is a no-brainer; considering that the super admin account is a rather critical asset, I would suggest that we even use 10.

Complexity: The current policy, at least on the JCM site, seems to require at least one symbol. Some entities specifically recommend such an enforcement (i.e. www.enisa.europa.eu), others strongly advocate against it (i.e. NIST). We will discuss that question in the next JSST meeting and afterwards I'll get back to you.

I am not sure where enisa make that recommendation about symbols. All I found was this article where is stresses that you should use a password manager. The UK NCSC specifically say they do "not recommend the use of complexity requirements" other than for minimum length.

As neither google, firefox or keepass and probably others (just not tested them) can not be forced to include a symbol and do not include a symbol by default then the rule makes using a password manager harder not easier.

Quoting the enisa Password best practice:

Use complex passwords longer than 8 characters, which contain alphanumeric and special characters

German BSI either recommends "short and complex" (8-12 characters, lowercase, uppercase, digits and symbols) or "long and simple" (20 to 25 characters, two sorts of characters).

thanks.

If the policy prevents the usage of a password manager then it's a bad policy from my perspective no matter what type of character is used.

If the policy prevents the usage of a password manager then it's a bad policy from my perspective no matter what type of character is used.

I see your point. However not all users are using a password manager, so giving guidance to people entering a short and potentially unsafe password is equally important.

I kind of like the combination approach:
If your password is short (8-12 characters) you need an extra symbol to increase complexity, if it's longer (which should be the case for a password manager) less complexity is ok.

What do you think about that?

Why are you even discussing this. Why not just adopt the default settings that Joomla applies after installation in User manager, to before the installation, when setting the super admin password.

After standard installation, with no changes, its impossible to set a password as a in User Manager.

The (insane) defaults currently are

Its a whole difference conversation to have about what minimum standards Joomla should apply. The current minimum length of 4 for example is insane and way below any acceptable standard produced by any authority - however its up to the site admin to set THEIR own rules and not for Joomla to enforce any on a site

Therefore the fix for this reported issue is to make the super admin password validate against the same rules that the User Manager uses by default. (And if Joomla wishes to upgrade those minimum requirements, then that's a whole different topic of conversation!)

And for the record, 1Password.com and all its apps can and do generate passwords with a combination of symbols however you want it.

The UK Cyber Essentials guidelines - used by government organisations looking for funding, require a minimum of 8 chars and NO OTHER RULES as other rules actually decrease the chances of a human selecting a secure password. They do however insist that users are prompted to, and encouraged to use a password manager and 2FA (Although Joomla refuses to enable 2FA by default as evidenced in past issues)

Amazon:
“Please use at least 8 characters. A minimum of 6 is required; a maximum of 128 is allowed. While not required, adding numbers or special characters to your password will make it even stronger.”

Github:
"You must choose or generate a password for your GitHub account that is:
• Eight characters long, if it includes a number and a lowercase letter, or
• 16 characters long with any combination of characters"

Facebook:
"To protect the security of the Facebook account, including any associated business Facebook pages, the password should be unique to your Facebook account and difficult to guess. Your Facebook account may include information such as your profession, favorite films and pets' names, so the password should not be based on anything that can be determined from your account. The password must be at least six characters"

https://www.ncsc.gov.uk/collection/passwords/updating-your-approach#tip5-password-collection

@PhilETaylor what is the default for 1password?

@SniperSister

I see your point. However not all users are using a password manager, so giving guidance to people entering a short and potentially unsafe password is equally important.

Exactly but the current password strength is not doing that at all. That is why I requested the use of zxcvbn library. It is also why I reported the issue to JSST but as usual no reply. ;(

@PhilETaylor what is the default for 1password?

Length 24
Digits 1
Symbols 0
Avoid ambiguity: On

or

4 words separated with a hyphen

Thanks - thought so just wanted to have it confirmed.

Exactly but the current password strength is not doing that at all. That is why I requested the use of zxcvbn library. It is also why I reported the issue to JSST but as usual no reply. ;(

I repeatedly (#15582, #20371) throughout the Joomla 4 development cycle expressed concerns (in GitHub issues that can be dug out) with the password meter and was repeatedly told that it was only a visual indication that it passed the validation rules and not that the password was actually "strong".

@PhilETaylor @brianteeman issue was discussed during today's JSST meeting and proposal for a policy is up for comment for the other team members internally. Will share the outcome on thursday!

Specifically what is "up for comment" in the JSST?

1. That a super admin on installing can use a single char as a super admin password with no restrictions or limitations on the password at all? THE REASON FOR THIS GITHUB ISSUE

To close this GitHub issue all that is needed is for the installer to implement the same defaults as Joomla will, once the install is complete, which are documented in the image

Other issues discussed but could be forked to their own issues and discussed until the cows come home:

2. The fact that a "progress meter" is used to show compliance with site's own requirements (however insecure they are) and gives a false sense of "security" that a password is "more secure" the higher up the progress bar you go?

3. Joomla's whole approach to minimum password requirements in line with government and other official sources of security recommendations? and the fact that the minimum password length is set as a default of 4 in Joomla.

4. That Joomla should encourage the use of a password manager and 2FA on all accounts the best it can, by default.

PR has been landed here: #29859

To close this GitHub issue all that is needed is for the installer to implement the same defaults as Joomla will, once the install is complete, which are documented in the image

This has been adressed in the PR mention please confirm and than close here thanks @PhilETaylor

12 chars... wow. Cant see people gonna like that ?

Also the cli now needs to implement this minimum too...

For cli see #29817