Local Authentication provider password entropy calculation #3803

Open
opened 2026-02-05 07:31:04 +03:00 by OVERLORD · 1 comment

Originally created by @kaylahynes on GitHub (May 13, 2023).

Describe the feature you'd like

Hey Developers!

I'm requesting that you add an account password entropy calculator to the user password creation API, with a UI element in the user administration page to show the current password complexity of user accounts currently registered to the service.

I'm requesting this because I would like to reduce the possibility of a data breach due to accounts that have low-complexity passwords. Right now, there is no function to provide insight into how complex passwords are, and rather than having to specify that users use a complex password, I'd like to enforce it functionally. On top of this, it would be useful to be able to force a certain password complexity either for all users, or based on what permissions group a user is assigned to.

I'd try and develop this myself, but I am not familiar enough with the codebase and don't trust my current skillset to contribute to a feature as critical as authentication.

Thanks for the wonderful application,
Max

Describe the benefits this would bring to existing BookStack users

This feature would allow users to increase the overall security posture of their application, which should hopefully reduce the likelihood of a data breach potentially disclosing critical or privileged business or project information.

Can the goal of this request already be achieved via other means?

Not that I am unaware of, as it requires modification to the client-side JS to compute the password entropy before the data is hashed and sent.

Have you searched for an existing open/closed issue?

  • I have searched for existing issues and none cover my fundamental request

How long have you been using BookStack?

1 to 5 years

Additional context

No response

OVERLORD added the 🔨 Feature Request label 2026-02-05 07:31:04 +03:00

@ssddanbrown commented on GitHub (May 14, 2023):

Thanks for the request @meepmeep22.

If this was added, we'd ideally do this server-side, since there are non-UI ways to create user accounts.

Ultimately though I'm not too sure on the value of an indicator. If a more complex password is desired, then requiring it during entry would be a more direct approach, rather than an indication that then requires further external communication and effort. Configurable password policy has been requested in #1856.
Also have to consider, this would not serve all bookstack use-cases, since other auth options are available, so UI controls would have to be optional.

> On top of this, it would be useful to be able to force a certain password complexity [...] based on what permissions group a user is assigned to

I wouldn't want to go down the per-role route as it complicates things up a bit in terms of management and UX.
We already have forced-MFA as a per-role option and I think that already adds a more significant functional security layer where specific roles need to be extra protected.

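Added here as an illustration of the server-side check the maintainer describes; this is example code, not BookStack's own. It estimates password entropy as effective length times log2 of the character-class pool, discounting repeated runs and repeated units (a heuristic assumed for this example), and applies a minimum-bits policy plus a constructed common-password list so that non-UI account creation paths are covered too.

```python
import math
import string

# Character classes that define the pool an attacker would have to search.
CHAR_CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)

# Constructed stand-in for a breached-password list; a deployment would load a real one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def collapse_runs(s: str) -> str:
    """'aaaabbb' -> 'ab': a run of one character adds almost nothing to the search space."""
    return "".join(c for i, c in enumerate(s) if i == 0 or c != s[i - 1])


def shortest_repeating_unit(s: str) -> str:
    """'abcabcabc' -> 'abc': a string built from one repeated unit is no stronger than that unit."""
    if not s:
        return s
    i = (s + s).find(s, 1)
    return s[:i] if i < len(s) else s


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound estimate: effective length * log2(pool size), where the pool is the
    union of character classes present plus one per character outside them. The run and
    repeat discounts are a heuristic assumed for this example, not a standard."""
    if not password:
        return 0.0
    pool = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))
    pool += sum(1 for c in set(password) if not any(c in cls for cls in CHAR_CLASSES))
    effective = shortest_repeating_unit(collapse_runs(password))
    return len(effective) * math.log2(pool)


def check_password_policy(password: str, min_bits: float = 50.0) -> tuple[bool, str]:
    """Server-side policy decision, so it also covers non-UI account creation paths."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "password appears in a common-password list"
    bits = estimate_entropy_bits(password)
    if bits < min_bits:
        return False, f"estimated entropy {bits:.1f} bits is below the {min_bits:.0f}-bit minimum"
    return True, f"estimated entropy {bits:.1f} bits"
```

The threshold of 50 bits is an assumed default; a policy would make it a setting, which is the configurable-policy discussion referenced in #1856.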
Reference: starred/BookStack#3803