Skip to content

Commit 785b11c

Browse files
🤖 backported "Added new strong-enough password type" (metabase#75243)
Added new `strong-enough` password type (metabase#75104) * Added new `strong-enough` password type * Revert password policy to default normal * Numbers only test added * Misc Co-authored-by: Benoit Vinay <ben@benoitvinay.com>
1 parent bf16b36 commit 785b11c

5 files changed

Lines changed: 34 additions & 10 deletions

File tree

docs/configuring-metabase/environment-variables.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2763,14 +2763,15 @@ Comma-separated namespaces to trace. **WARNING:** Could log sensitive informatio
27632763

27642764
### `MB_PASSWORD_COMPLEXITY`
27652765

2766-
Type: string (`"weak"`, `"normal"`, `"strong"`)<br>
2766+
Type: string (`"weak"`, `"normal"`, `"strong"`, `"strong-enough"`)<br>
27672767
Default: `"normal"`
27682768

27692769
Enforce a password complexity rule to increase security for regular logins. This only applies to new users or users that are changing their password. Related [MB_PASSWORD_LENGTH](#mb_password_length)
27702770

27712771
- `weak` no character constraints
27722772
- `normal` at least 1 digit
27732773
- `strong` minimum 8 characters w/ 2 lowercase, 2 uppercase, 1 digit, and 1 special character
2774+
- `strong-enough` minimum 15 characters
27742775

27752776
### `MB_PASSWORD_LENGTH`
27762777

docs/people-and-groups/changing-password-complexity.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@ The settings above can be used independently, so it's fine to use only one or th
2020
- `weak` = no character constraints
2121
- `normal` = at least 1 digit
2222
- `strong` = minimum 8 characters w/ 2 lowercase, 2 uppercase, 1 digit, and 1 special character
23+
- `strong-enough` = minimum 15 characters
2324

2425
By default, Metabase also prevents users from setting passwords that are in a list of common passwords (like `qwerty123` and
2526
`passw0rd`). Changing the complexity requirement to `weak` disables this behavior.

src/metabase/cmd/resources/other-env-vars.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -452,14 +452,15 @@ Comma-separated namespaces to trace. **WARNING:** Could log sensitive informatio
452452

453453
### `MB_PASSWORD_COMPLEXITY`
454454

455-
Type: string (`"weak"`, `"normal"`, `"strong"`)<br>
455+
Type: string (`"weak"`, `"normal"`, `"strong"`, `"strong-enough"`)<br>
456456
Default: `"normal"`
457457

458458
Enforce a password complexity rule to increase security for regular logins. This only applies to new users or users that are changing their password. Related [MB_PASSWORD_LENGTH](#mb_password_length)
459459

460460
- `weak` no character constraints
461461
- `normal` at least 1 digit
462462
- `strong` minimum 8 characters w/ 2 lowercase, 2 uppercase, 1 digit, and 1 special character
463+
- `strong-enough` minimum 15 characters
463464

464465
### `MB_PASSWORD_LENGTH`
465466

src/metabase/util/password.clj

Lines changed: 9 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -27,14 +27,15 @@
2727

2828
(def ^:private ^:const complexity->char-type->min
2929
"Minimum counts of each class of character a password should have for a given password complexity level."
30-
{:weak {:total 6} ; total here effectively means the same thing as a minimum password length
31-
:normal {:total 6
32-
:digit 1}
33-
:strong {:total 8
34-
:lower 2
35-
:upper 2
36-
:digit 1
37-
:special 1}})
30+
{:weak {:total 6} ; total here effectively means the same thing as a minimum password length
31+
:normal {:total 6
32+
:digit 1}
33+
:strong {:total 8
34+
:lower 2
35+
:upper 2
36+
:digit 1
37+
:special 1}
38+
:strong-enough {:total 15}})
3839

3940
(defn- password-has-char-counts?
4041
"Check that PASSWORD satisfies the minimum count requirements for each character class.

test/metabase/util/password_test.clj

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,8 @@
11
(ns metabase.util.password-test
22
(:require
33
[clojure.test :refer :all]
4+
[environ.core :as env]
5+
[metabase.config.core :as config]
46
[metabase.test :as mt]
57
[metabase.test.fixtures :as fixtures]
68
[metabase.util.password :as u.password]))
@@ -69,6 +71,11 @@
6971
(is (= expected
7072
(u.password/is-valid? input)))))))
7173

74+
(deftest default-password-complexity-config-test
75+
(testing "When MB_PASSWORD_COMPLEXITY is unset, default is :normal"
76+
(with-redefs [env/env (dissoc env/env :mb-password-complexity)]
77+
(is (= :normal (config/config-kw :mb-password-complexity))))))
78+
7279
(deftest is-valid?-weak-test
7380
(testing "Do some tests with password complexity requirements set to :weak.
7481
Common password list should not be checked."
@@ -81,6 +88,19 @@
8188
(is (= expected
8289
(u.password/is-valid? input))))))))
8390

91+
(deftest is-valid?-strong-enough-test
92+
(testing "Do some tests with password complexity requirements set to :strong-enough."
93+
(mt/with-temp-env-var-value! [:mb-password-complexity "strong-enough"]
94+
(doseq [[input expected] {"ABC" false
95+
"ABCDEFGHIJKLM" false
96+
"abcdefghijklmno" true
97+
"123456789012345" true
98+
"unc0mmonpw12345" true
99+
"123456789987654321" false}]
100+
(testing (pr-str (list 'is-valid? input))
101+
(is (= expected
102+
(u.password/is-valid? input))))))))
103+
84104
(deftest passsword-length-test
85105
(testing "Password length can be set by the env variable MB_PASSWORD_LENGTH"
86106
(mt/with-temp-env-var-value! [:mb-password-length 3

0 commit comments

Comments
 (0)