
Enforce a standard policy for local passwords by default #17289

Closed
jeremystretch opened this issue Aug 28, 2024 · 1 comment
Labels: complexity: low (Requires minimal effort to implement); status: accepted (This issue has been accepted for implementation); type: feature (Introduction of new functionality to the application)

@jeremystretch (Member)

NetBox version

v4.0.9

Feature type

Change to existing functionality

Proposed functionality

Although NetBox supports the enforcement of a configurable password policy, it does not assert any policy by default. This FR proposes defining a simple default compliance policy for local passwords. The following criteria are proposed:

  • Minimum length of 12 characters
  • At least one each of lowercase characters, uppercase characters, numeric digits, and symbols

(This new default policy can be disabled by setting AUTH_PASSWORD_VALIDATORS = [] in the NetBox configuration.)

Use case

This will provide a reasonable baseline for ensuring the use of strong local passwords.

Database changes

No response

External dependencies

No response
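The proposed default policy, as an added example that is not NetBox's own code: a Django-style validator class (hypothetical name `DefaultComplexityValidator`, hypothetical module path in the settings entry) implementing the two criteria above, plus the `AUTH_PASSWORD_VALIDATORS` entry that would wire it in, which is also what setting that list to `[]` removes. What counts as a "symbol" is an assumption (any non-alphanumeric, non-whitespace character); the `ValidationError` fallback only exists so the snippet runs outside a Django install.

```python
try:
    from django.core.exceptions import ValidationError
except ImportError:  # fallback so the example runs without Django installed
    class ValidationError(Exception):
        def __init__(self, message, code=None):
            super().__init__(message)
            self.message = message
            self.code = code


def check_password(password, min_length=12):
    """Return the list of violated criteria; an empty list means the password complies.

    The criteria are the ones proposed in this issue: a minimum length plus at least
    one lowercase letter, one uppercase letter, one digit and one symbol. "Symbol" is
    taken here to mean any non-alphanumeric, non-whitespace character (an assumption;
    the proposal only says "symbols").
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no symbol")
    return problems


class DefaultComplexityValidator:
    """Hypothetical validator following Django's password-validator interface."""

    def __init__(self, min_length=12):
        # Django passes the OPTIONS dict from AUTH_PASSWORD_VALIDATORS as kwargs here.
        self.min_length = min_length

    def validate(self, password, user=None):
        problems = check_password(password, self.min_length)
        if problems:
            raise ValidationError(
                "Password does not meet the default policy: " + "; ".join(problems),
                code="password_policy",
            )

    def get_help_text(self):
        return (
            f"Your password must be at least {self.min_length} characters long and "
            "contain at least one lowercase letter, one uppercase letter, one digit "
            "and one symbol."
        )


# How such a validator would be referenced from configuration.py. The module path is
# hypothetical. Setting AUTH_PASSWORD_VALIDATORS = [] instead disables every entry.
AUTH_PASSWORD_VALIDATORS = [
    {
        "NAME": "netbox_password_policy.validators.DefaultComplexityValidator",
        "OPTIONS": {"min_length": 12},
    },
]


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account
    for pw in ("password", "alllowercase12345", "Correct-Horse-9"):
        print(repr(pw), check_password(pw) or "compliant")
```

Returning the full list of violated criteria rather than stopping at the first one lets the error message tell the user everything that needs fixing in one round trip, which is what Django's form layer displays.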

@jeremystretch jeremystretch added type: feature Introduction of new functionality to the application status: under review Further discussion is needed to determine this issue's scope and/or implementation complexity: low Requires minimal effort to implement labels Aug 28, 2024
@arthanson arthanson added status: accepted This issue has been accepted for implementation and removed status: under review Further discussion is needed to determine this issue's scope and/or implementation labels Aug 29, 2024
@arthanson arthanson self-assigned this Aug 29, 2024
@jeremystretch jeremystretch added this to the v4.1 milestone Aug 29, 2024
@RangerRick

FYI, this is overkill for defaults, but I ended up making a custom auth plugin that implements OWASP's recommendations for a complex password, using a regex. Putting it here in case anyone comes looking for something similar. :)

from django.core.exceptions import ValidationError
from django.utils.translation import gettext as _
import re


class OWASPValidator:
    def __init__(self):
        # Raw string is required: in a plain literal Python would turn the "\1"
        # backreference into chr(1) and the repeated-character rule would never fire.
        # The alternation requires at least 3 of the 4 classes (digit, upper, lower,
        # symbol); (?!.*(.)\1{2,}) rejects any character repeated 3+ times in a row;
        # the final class lists the permitted characters and enforces 12-128 length,
        # so characters outside it (e.g. space, ' or {) make the password fail.
        self.owasp_regex = re.compile(
            r'^(?:(?=.*\d)(?=.*[A-Z])(?=.*[a-z])'
            r'|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])'
            r'|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])'
            r'|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))'
            r'(?!.*(.)\1{2,})'
            r'[A-Za-z0-9!~<>,;:_=?*+#."&§%°()\|\[\]\-\$\^\@\/]{12,128}$'
        )

    def validate(self, password, user=None):
        if not self.owasp_regex.match(password):
            raise ValidationError(
                _("Password must meet the current OWASP recommendation for complex passwords: 12 to 128 characters, requiring at least 3 out of 4 of uppercase and lowercase letters, numbers and special characters, and no more than 2 equal characters in a row."),
                code="password_too_weak",
            )

    def get_help_text(self):
        return _(
            "Password must meet the current OWASP recommendation for complex passwords: 12 to 128 characters, requiring at least 3 out of 4 of uppercase and lowercase letters, numbers and special characters, and no more than 2 equal characters in a row."
        )
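An added check (not RangerRick's code) on the one detail that can silently weaken a regex validator like the one above: the pattern literal must be a raw string. In an ordinary Python literal `\1` is the octal escape for chr(1), so the regex engine never receives a backreference and the "no more than 2 equal characters in a row" clause never rejects anything. The snippet compiles just that clause both ways and compares the verdicts on constructed sample passwords.

```python
import re

# The run-limit clause written as an ordinary string literal: Python interprets "\1"
# as the octal escape for chr(1) before re sees the pattern, so the engine receives
# "^(?!.*(.)\x01{2,}).+$" and the rule only fires on control characters.
NONRAW_RUN_LIMIT = re.compile('^(?!.*(.)\1{2,}).+$')

# The same clause as a raw string, which is what a validator needs.
RAW_RUN_LIMIT = re.compile(r'^(?!.*(.)\1{2,}).+$')


def backreference_survives(literal: str) -> bool:
    """True if the literal still contains backslash followed by '1' for re to interpret."""
    return "\\1" in literal


def has_run_of_three(password: str, pattern: re.Pattern = RAW_RUN_LIMIT) -> bool:
    """True if the pattern rejects the password for a character repeated 3+ times in a row."""
    return pattern.match(password) is None


# Constructed sample passwords (not from the thread): one with 'sss', one without a triple.
SAMPLES = ("passsword-Aa1", "Correct-Horse-9")


def compare(samples=SAMPLES):
    """Map each sample to (verdict with plain literal, verdict with raw literal)."""
    return {
        pw: (has_run_of_three(pw, NONRAW_RUN_LIMIT), has_run_of_three(pw, RAW_RUN_LIMIT))
        for pw in samples
    }


if __name__ == "__main__":
    print("backreference survives in plain literal:", backreference_survives('(.)\1{2,}'))
    print("backreference survives in raw literal:  ", backreference_survives(r'(.)\1{2,}'))
    for pw, (plain, raw) in compare().items():
        print(f"{pw!r}: plain literal flags run={plain}, raw literal flags run={raw}")
```

The other escapes in the posted pattern (`\d`, `\|`, `\$` and so on) survive a plain literal because they are not valid Python escapes and are passed through with at most a warning; `\1` is the one that is valid Python and therefore changes meaning silently, which is why a unit test with a known-bad password is the only reliable way to notice it.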
