Closed (fixed)
Project: Password Policy
Version: 7.x-2.x-dev
Component: Code
Priority: Normal
Category: Feature request
Assigned: Unassigned
Reporter:
Created: 26 Sep 2011 at 13:51 UTC
Updated: 26 Jul 2014 at 20:30 UTC
Comments
Comment #1
erikwebb commented:
A decent password policy should inherently prevent these types of weak passwords. If a basic policy of numbers and letters is enabled, you could allow bad passwords like "abc123", but this seems like a feature just filling in the gap for already too lenient policies.
Comment #2
jpklein commented:
While I realize that this issue is officially marked as won't fix, I had a requirement to prohibit users from including the site name in their passwords, and figured this was a good place to put the patch.
Applying the patch to version 7.x-1.2 adds a simple "word list" constraint to the policy-edit form, allowing you to add a comma-separated list of strings that cannot appear in users' passwords.
Note that this is not designed to handle long lists of words or protect against dictionary attacks; see #1780802: Implement a dictionary-based password constraint for development on that front.
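The word-list check described in comment #2, sketched as an added example: this is not the attached patch and not the Password Policy module's own code. The function names and the sample list are hypothetical, and matching is assumed to be a case-insensitive substring test.

```php
<?php
// Added example; function names are hypothetical, not the module's API.

/**
 * Parse a comma-separated word list into lowercased, non-empty, unique entries.
 */
function example_parse_word_list($raw) {
  $words = array();
  foreach (explode(',', $raw) as $word) {
    $word = mb_strtolower(trim($word), 'UTF-8');
    // Skip empty entries (e.g. from a trailing comma): an empty needle would
    // match every password on PHP 8 and raise a warning on older versions.
    if ($word !== '') {
      $words[] = $word;
    }
  }
  return array_values(array_unique($words));
}

/**
 * Return the forbidden words found in the password (empty array = passes).
 */
function example_find_forbidden_words($password, $raw_list) {
  $haystack = mb_strtolower($password, 'UTF-8');
  $hits = array();
  foreach (example_parse_word_list($raw_list) as $word) {
    if (mb_strpos($haystack, $word, 0, 'UTF-8') !== FALSE) {
      $hits[] = $word;
    }
  }
  return $hits;
}

// Constructed sample: a policy whose word list holds parts of the site name.
// The list deliberately contains stray spaces, an empty entry and a trailing comma.
$list = 'example, Site , ,acme,';
$candidates = array('MyExample2024!', 'correct horse battery', 'ACME-rocket');
foreach ($candidates as $candidate) {
  $hits = example_find_forbidden_words($candidate, $list);
  $verdict = $hits ? 'rejected (' . implode(', ', $hits) . ')' : 'accepted';
  echo $candidate, ': ', $verdict, PHP_EOL;
}
```

A linear scan like this suits the short lists the comment has in mind; it is not a substitute for the dictionary-based constraint tracked in #1780802.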
Comment #3
erikwebb commented:
This should also be solved by the pluggable constraints model for 7.x-2.x. I actually think this would be a great plugin to include, if for no other reason than to write content-based automated tests.
Comment #4
erikwebb commented
Comment #5
aohrvetpv commented:
Was implemented in #2134997: Create password blacklist.