Configurable Password Policy #1505

Open
opened 2026-02-05 01:05:31 +03:00 by OVERLORD · 3 comments

Originally created by @Cave-Johnson on GitHub (Jan 23, 2020).

Describe the feature you'd like
I would like the ability for an administrator to be able to configure a minimum requirement for a password policy.

Describe the benefits this feature would bring to BookStack users
This would allow admins to increase the minimum password complexity for users' accounts, increasing the overall security of the BookStack instance.
Currently it is possible for a user to set a password of "aaaaaa".

Additional context
With the nature of a wiki, some sensitive information can be stored within BookStack. It would be good to minimise the chance that sensitive information is accidentally exposed by a weak password.

A simple implementation of this would be to have the following check boxes in the admin settings page:

  • A box to set a custom minimum password length

Check boxes to enable the following
[-] Require Digits
[-] Require Uppercase and Lowercase Characters
[-] Require special characters
[-] Disable repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)

An added bonus would be the option to integrate the haveibeenpwned API to disallow the use of known compromised passwords (or, as I realise the v3 API requires a paid-for API key, provide the location of a local copy of the data file they provide for free).
https://haveibeenpwned.com/API/v3

This is obviously a hotly debated topic; however, a summary of the new NIST guidelines, which sums it up, can be found here: https://spycloud.com/new-nist-guidelines/

This would also go quite nicely with https://github.com/BookStackApp/BookStack/issues/1118


@makrele568 commented on GitHub (Jul 14, 2022):

+1 Is there a way to change the password length from 8 to 6 characters?


@HungryHowies commented on GitHub (Mar 16, 2023):

+1


@melat0nin commented on GitHub (Feb 19, 2024):

I think this is absolutely necessary, especially for instances used by non-technical folk who might not understand the importance of strong passwords, and might not understand/be willing to use MFA.

Personally I don't think a GUI is necessary, since those setting the policy are likely the same people setting up BookStack and therefore will likely be familiar with modifying the .env file.

Since these requirements are built into Laravel it seems like a no-brainer to implement them in BookStack.

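The following is an added example written for this thread, not code from BookStack or Laravel, showing what the policy from the original post (configurable minimum length, digit / mixed-case / special-character toggles, a repetitive-or-sequential check, and an offline compromised-password lookup) and the `.env`-driven configuration suggested in the last comment could look like as stand-alone logic. The `PASSWORD_*` variable names, the run length of 4 that trips the repetitive/sequential check, and the breach counts in the sample data are all assumptions made for the example. The lookup uses the same layout as the downloadable Pwned Passwords file (one `SHA1:COUNT` line per hash, sorted by hash) and the `/range/{prefix}` endpoint: the first five hex characters of the SHA-1 select a bucket and the remaining 35 are compared locally, so a plaintext or full hash never has to leave the application. Composition flags default to off, in line with the NIST SP 800-63B emphasis on length and breach checks over composition rules.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Mapping

# Added example for this issue; not BookStack's (PHP/Laravel) code. Env variable
# names, the run-length threshold and the breach counts below are assumptions.


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8           # NIST SP 800-63B floor for user-chosen secrets
    require_digits: bool = False
    require_mixed_case: bool = False
    require_special: bool = False
    reject_runs: bool = False     # repetitive or sequential characters
    run_length: int = 4           # 'aaaa' / '1234' trips the check (assumption)


_TRUE = {"1", "true", "yes", "on"}


def policy_from_env(env: Mapping[str, str]) -> PasswordPolicy:
    """Build a policy from .env-style key/value pairs (variable names are hypothetical)."""
    def flag(name: str) -> bool:
        return env.get(name, "false").strip().lower() in _TRUE

    return PasswordPolicy(
        min_length=int(env.get("PASSWORD_MIN_LENGTH", "8")),
        require_digits=flag("PASSWORD_REQUIRE_DIGITS"),
        require_mixed_case=flag("PASSWORD_REQUIRE_MIXED_CASE"),
        require_special=flag("PASSWORD_REQUIRE_SPECIAL"),
        reject_runs=flag("PASSWORD_REJECT_RUNS"),
    )


def has_run(password: str, length: int) -> bool:
    """True if some window of `length` chars is all identical ('aaaa') or steps
    through consecutive code points in one direction ('1234', 'dcba').
    Keyboard walks such as 'qwerty' are not caught by this simple rule."""
    for i in range(len(password) - length + 1):
        window = password[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_policy(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the violated rules as messages; an empty list means the password passes."""
    failures: List[str] = []
    if len(password) < policy.min_length:
        failures.append(f"must be at least {policy.min_length} characters")
    if policy.require_digits and not re.search(r"\d", password):
        failures.append("must contain a digit")
    if policy.require_mixed_case and not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("must contain upper- and lower-case letters")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        failures.append("must contain a special character")
    if policy.reject_runs and has_run(password, policy.run_length):
        failures.append("must not contain repeated or sequential characters")
    return failures


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: Mapping[str, int]) -> Dict[str, List[str]]:
    """Build {5-hex-char prefix: ['SUFFIX:COUNT', ...]}, the layout shared by the
    downloadable Pwned Passwords file (SHA1:COUNT, sorted by hash) and the
    /range/{prefix} response. Plaintexts are used only so the example runs offline."""
    index: Dict[str, List[str]] = {}
    for plaintext, count in breached.items():
        digest = sha1_upper(plaintext)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


def pwned_count(password: str, index: Mapping[str, List[str]]) -> int:
    """k-anonymity lookup: the 5-char prefix selects a bucket, the full suffix
    comparison happens locally. Returns the breach count, 0 if not found."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in index.get(prefix, []):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed sample breach data; the counts are invented for this example.
BREACHED_SAMPLE = build_range_index({"password": 1234567, "aaaaaa": 4321, "Passw0rd!": 77})


def validate(password: str, policy: PasswordPolicy,
             index: Mapping[str, List[str]] = BREACHED_SAMPLE) -> List[str]:
    """Composition checks plus the compromised-password check, in one result."""
    failures = check_policy(password, policy)
    seen = pwned_count(password, index)
    if seen:
        failures.append(f"appears in {seen} breached accounts")
    return failures
```

With the full real data file (tens of gigabytes, sorted by hash) the `index` dictionary would be replaced by a binary search over the file by byte offset, or by the same prefix-bucket lookup against `/range/{prefix}`; `pwned_count` is unchanged either way, since it only ever sees one bucket of `SUFFIX:COUNT` lines. Calling `validate("aaaaaa", policy_from_env({...}))` returns every composition failure plus the breach hit, whereas a long passphrase with no runs passes an all-flags-on policy.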
Reference: starred/BookStack#1505