Add an env var for minimal length of vaultwarden vault passwords #365

Closed
opened 2025-10-09 16:25:22 +03:00 by OVERLORD · 1 comment

Originally created by @guerby on GitHub.

Vaultwarden Support String

N/A

Vaultwarden Build Version

1.32.0

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

N/A

Host/Server Operating System

Linux

Operating System Version

No response

Clients

Web Vault, Browser Extension, CLI, Desktop, Android, iOS

Client Version

No response

Steps To Reproduce

When creating a vault there is no way to force a minimum length for passwords

Expected Result

An environment variable where I can say that the password for a vault must be at least 12 characters.
0 or not specified gives the same behaviour as currently.

Actual Result

Refuse passwords of length less than specified

Logs

No response

Screenshots or Videos

No response

Additional Context

NIST has recently updated its guidelines with only length left as a constraint; see below for more

Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.

Before the change : https://pages.nist.gov/800-63-3/sp800-63b.html

"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets."

After the change: https://pages.nist.gov/800-63-4/sp800-63b.html

"Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords."

So it went from advice to requirement for this part, which is great!

OVERLORD added the bug label 2025-10-09 16:25:22 +03:00

@BlackDex commented on GitHub:

This is not something we can control at runtime. The defaults are baked into the web-vault, and we do not want to diverge too much from the Bitwarden defaults.

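As an added example, not code from vaultwarden or from either participant in this thread, the block below sketches what a length-only minimum driven by an environment variable could look like server-side in Rust (vaultwarden's language). The variable name MIN_PASSWORD_LENGTH and every function name are invented for illustration; the only numbers taken from the page are the NIST SP 800-63B rev. 4 figures quoted above (SHALL 8, SHOULD 15). It counts characters rather than bytes, since str::len() would over-count multi-byte passwords, and it imposes no composition rules. As the reply notes, the Bitwarden clients ship their own baked-in defaults, so a server-side check like this only governs requests that actually reach the server.

```rust
// Added example, not vaultwarden's own code. MIN_PASSWORD_LENGTH and the
// function names are hypothetical; the NIST numbers are from SP 800-63B rev. 4.
use std::env;

/// Hypothetical variable name; unset, empty or "0" means "no server-side minimum".
pub const MIN_LEN_VAR: &str = "MIN_PASSWORD_LENGTH";
/// SP 800-63B rev. 4: verifiers SHALL require at least 8 and SHOULD require at least 15.
pub const NIST_SHALL_MIN: usize = 8;
pub const NIST_SHOULD_MIN: usize = 15;

/// Parse the configured minimum from an env-style value.
/// Unset, empty or "0" => None (current behaviour). Anything that is not a
/// non-negative integer is an error, so a typo never silently disables the check.
pub fn parse_min_len(raw: Option<&str>) -> Result<Option<usize>, String> {
    match raw.map(str::trim) {
        None | Some("") | Some("0") => Ok(None),
        Some(s) => s
            .parse::<usize>()
            .map(Some)
            .map_err(|_| format!("{MIN_LEN_VAR} must be a non-negative integer, got {s:?}")),
    }
}

/// Read the minimum from the process environment.
pub fn min_len_from_env() -> Result<Option<usize>, String> {
    parse_min_len(env::var(MIN_LEN_VAR).ok().as_deref())
}

/// Startup advisory: a configured minimum below the NIST figures is allowed
/// (the operator chose it) but is worth one log line.
pub fn startup_warning(min_len: Option<usize>) -> Option<String> {
    match min_len {
        Some(m) if m < NIST_SHALL_MIN => Some(format!(
            "{MIN_LEN_VAR}={m} is below the SP 800-63B SHALL floor of {NIST_SHALL_MIN}"
        )),
        Some(m) if m < NIST_SHOULD_MIN => Some(format!(
            "{MIN_LEN_VAR}={m} is below the SP 800-63B SHOULD minimum of {NIST_SHOULD_MIN}"
        )),
        _ => None,
    }
}

/// Length-only check: count characters (not bytes) and apply no composition rules.
pub fn check_password(password: &str, min_len: Option<usize>) -> Result<(), String> {
    let Some(min) = min_len else { return Ok(()) };
    let n = password.chars().count();
    if n < min {
        Err(format!("password has {n} characters, minimum is {min}"))
    } else {
        Ok(())
    }
}

fn main() {
    // Constructed sample configuration and passwords for a stand-alone run.
    let min = parse_min_len(Some("15")).expect("valid config");
    if let Some(w) = startup_warning(min) {
        eprintln!("warning: {w}");
    }
    // The key emoji string is 12 characters but 48 bytes: str::len() would
    // wrongly pass it under a 15-character minimum, chars().count() does not.
    let samples = [
        "correct horse battery staple",
        "Tr0ub4dor&3",
        "🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑🔑",
    ];
    for pw in samples {
        match check_password(pw, min) {
            Ok(()) => println!("accepted: {pw:?}"),
            Err(e) => println!("rejected: {pw:?} ({e})"),
        }
    }
}
```

With the minimum set to 15, the all-lowercase passphrase is accepted while the short mixed-character password and the 12-emoji string are both rejected, which is exactly the length-only behaviour the NIST text asks for.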
Reference: starred/vaultwarden#365