From The Mana World

Thoughts about password policies (discussion @ #tmwdev 2008-08-21)

Configure and enforce password policies between tmwserv and tmwweb:

Both modules, tmwserv and tmwweb, should use the same policies to check and enforce passwords. Therefore it's only natural to have a common place to configure those policies.

Suggestion: use the tmwserv xml config file and add a section for password policies.

Here is a list of policies that should be supported and configurable by the server admin:

  • minimum and maximum length of a password
  • minimum amount of capital letters
  • minimum amount of lowercase letters
  • minimum amount of special characters
  • list of valid characters, to prevent special characters like tab, or simply a predefined ASCII range of allowed characters
  • blacklist of passwords

I have no idea of how the plans look, how the discussions go. Though, if non-Latin scripts are/should be allowed (Unicode), a thought needs to be given to the fact that it is fairly uncommon in the scripts of this world to make a difference between capital and lowercase letters. Perhaps combine the two letter rules in one, and if more are needed, instead add a rule of minimum amount of digits (which again may or may not be different for various scripts/languages). Also, if non-Latin Unicode is supported, what you mean by the length of the password needs to be defined, as various characters may need different amounts of bytes to be represented... --kess 19:47, 21 August 2008 (CEST)

The client does not send the passwords in plaintext but as a SHA hash. Thus the server cannot determine if the cleartext password meets any of those requirements. --Crush

tmwserv indeed can't enforce any length or certain kind of characters because all it knows (and should know) is the password hash. Of course we should not allow the hash of the empty password to slip through, nor passwords that are the same as the username, which is easy to check against, but that's about as far as it goes there (though we can extend this concept to a blacklist, but I don't see that as very useful). --Bjørn 21:17, 21 August 2008 (CEST)

Since you can't sign up using tmwweb, the web frontend does not need to do any checks on the password except for maybe a length check, which should be in sync with the client. If the length of the password entered is too short, the user may have modified his client to allow it to send a shorter password. That's why we'll just kindly suggest to the user to change the password to be long enough using the client. --Bjørn 21:17, 21 August 2008 (CEST)
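As an added illustration of the split described in this discussion (example code, not from the TMW project): the policy check has to run on the client, where the cleartext exists, while tmwserv can only compare the received hash against hashes of values it can guess. The hash algorithm (SHA-256), the policy keys and the blacklist entries are assumptions, since the page only says "a SHA hash" and does not name the config elements.

```python
import hashlib
import string

# Constructed sample policy mirroring the proposed tmwserv config section.
# The element names are not on the page, so a plain dict stands in for the XML.
POLICY = {
    "min_length": 8,
    "max_length": 32,
    "min_upper": 1,
    "min_lower": 1,
    "min_special": 1,
    # printable ASCII only: rejects tab, newline and other control characters
    "allowed_chars": string.ascii_letters + string.digits + string.punctuation + " ",
    "blacklist": ["password", "123456", "manaworld"],
}

def policy_violations(cleartext: str, policy=POLICY) -> list:
    """Client-side check: the only place the cleartext is available."""
    problems = []
    n = len(cleartext)  # counts code points; the UTF-8 byte length may differ
    if n < policy["min_length"]:
        problems.append("too short")
    if n > policy["max_length"]:
        problems.append("too long")
    if sum(c.isupper() for c in cleartext) < policy["min_upper"]:
        problems.append("not enough capital letters")
    if sum(c.islower() for c in cleartext) < policy["min_lower"]:
        problems.append("not enough lowercase letters")
    if sum(not c.isalnum() for c in cleartext) < policy["min_special"]:
        problems.append("not enough special characters")
    if any(c not in policy["allowed_chars"] for c in cleartext):
        problems.append("disallowed character")
    if cleartext.lower() in policy["blacklist"]:
        problems.append("blacklisted password")
    return problems

def password_hash(cleartext: str) -> str:
    # Assumption: the client sends SHA-256 of the UTF-8 encoded password.
    return hashlib.sha256(cleartext.encode("utf-8")).hexdigest()

def server_accepts(username: str, received_hash: str, policy=POLICY) -> bool:
    """Server-side check on the hash alone: it can only reject hashes of values
    it can guess (empty password, username variants, blacklist entries).
    A too-short but otherwise unguessable password still gets through here."""
    guessable = {"", username, username.lower(), username.upper()}
    guessable.update(policy["blacklist"])
    return received_hash.lower() not in {password_hash(g) for g in guessable}
```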