Drop requirement for specific characters in passwords #227

Closed
opened 2026-02-04 17:57:46 +03:00 by OVERLORD · 1 comment

Originally created by @justinmayer on GitHub (Sep 2, 2022).

Recent changes to Planka now require a letter and a number when setting a password. While well-intentioned, this is not a recommended practice when enforcing password strength. Instead, the focus should be on overall entropy.

Per [NIST guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html), requiring specific character types in a password is not recommended (emphasis mine):

> **Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.** Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

The present requirement actually lowers the entropy of resulting passwords by effectively making them shorter. It is harder to remember a short `p@ssw0rd`-style password than longer passphrases that may not contain any numbers, and long passphrases have *significantly* higher entropy and are thus far more secure.

OVERLORD added the enhancement label 2026-02-04 17:57:46 +03:00

@meltyshev commented on GitHub (Sep 2, 2022):

I completely agree with you. I plan to add a password strength bar based on https://github.com/dropbox/zxcvbn. It was just the first idea to fix the ability to have a 1 character password.

Or if anyone has other suggestions, we can discuss here.

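As an added example (not Planka's code and not from either poster), here is a JavaScript verifier that replaces the letter-plus-number rule from the issue with the NIST SP 800-63B approach it cites (a length floor, a long maximum, a blocklist of known-bad passwords, no composition rule) and a crude search-space estimate showing why a passphrase with no digits beats `p@ssw0rd`; the blocklist contents, the 128-character cap and the sample passwords are constructed assumptions.

```javascript
// Added example, not Planka's code. Composition rule from the issue versus a
// NIST SP 800-63B style check; blocklist and samples are constructed here.

// The rule the issue objects to: at least one letter and at least one digit.
// Note that it still admits a two-character password such as "a1".
function compositionRuleOk(pw) {
  return /[A-Za-z]/.test(pw) && /[0-9]/.test(pw);
}

// Constructed stand-in for a breached/common-password list. A real deployment
// would compare against a large corpus of leaked passwords instead.
const BLOCKLIST = new Set(['password', 'p@ssw0rd', 'qwerty123', 'letmein1']);

// NIST-style verifier: NFKC-normalise, require at least 8 characters, allow
// long passphrases (cap of 128 is an assumption, NIST only demands >= 64),
// accept any printable Unicode including spaces, apply no composition rule,
// and reject values found in the blocklist.
function nistStyleCheck(pw) {
  const norm = pw.normalize('NFKC');
  if (norm.length < 8) return { ok: false, reason: 'shorter than 8 characters' };
  if (norm.length > 128) return { ok: false, reason: 'longer than 128 characters' };
  if (BLOCKLIST.has(norm.toLowerCase())) return { ok: false, reason: 'known-bad password' };
  return { ok: true, reason: null };
}

// Crude brute-force search-space estimate in bits: length * log2(alphabet),
// where the alphabet is the union of character classes actually used. It
// overstates dictionary words (which is what zxcvbn corrects for), but it is
// enough to show that length dominates any single-class requirement.
function searchSpaceBits(pw) {
  if (pw.length === 0) return 0;
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^A-Za-z0-9]/.test(pw)) alphabet += 33; // printable ASCII punctuation + space
  return Math.round(pw.length * Math.log2(alphabet));
}

// Constructed samples: a p@ssw0rd-style password and a digit-free passphrase.
const SHORT = 'p@ssw0rd';
const PASSPHRASE = 'lantern over the quiet harbor';

for (const pw of ['a1', SHORT, PASSPHRASE]) {
  console.log(JSON.stringify(pw), 'composition:', compositionRuleOk(pw),
    'nist:', nistStyleCheck(pw).ok, 'bits:', searchSpaceBits(pw));
}
```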
Reference: starred/planka#227