1.13.0, 2.0.0, 2017.12
Forcing or recommending a certain level of entropy in passwords can reduce your attack surface (debatable), and is a requirement of CWE-521: http://cwe.mitre.org/data/definitions/521.html
1) Minimum and maximum length (supported in eZ Platform now; the maximum is implicit, 72 bytes)
2) Require mixed character sets (alpha, numeric, special, mixed case) (supported in eZ Platform now)
3) Do not contain the user name: can be done in PasswordValidator, which has the User context: https://github.com/ibexa/core/blob/ba83ed0e71b2583dda768ae45212070ef8273004/src/lib/Repository/User/PasswordValidator.php
4) Expiration (supported in eZ Platform now)
5) No password reuse (supported in Ibexa DXP now, when password expiry is used)
These are easy to do logic-wise. Avoiding dictionary-based passwords like "secret" is a little harder to do well, but such simple passwords are in any case mitigated by the above 5 rules, and dictionary words have the advantage that they are easier to remember (when not using a password manager).
Suggestion: Add a password quality checker for eZ Platform, with configurable criteria, which informs the user of the quality level of their password and/or refuses to accept passwords below a set threshold. (Note: configurable criteria are implemented now.)
This check can also run during login, so that passwords created before the checker was put in place are checked as well. Optionally it can enforce that bad passwords be changed immediately.
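The five rules above, plus the login-time expiration check, as a self-contained policy checker. This is an added example, not code from eZ Platform or Ibexa DXP; the names `PasswordPolicy`, `check_password` and `password_expired`, the default thresholds and the sample passwords are assumptions made for this illustration. The maximum is measured in bytes rather than characters because the implicit 72-byte limit comes from bcrypt, which silently truncates longer input.

```python
"""Password policy checks for the five rules listed above.

Added example, not eZ Platform / Ibexa DXP code. Class and function names,
default thresholds and sample values are assumptions for this illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass
class PasswordPolicy:
    """Configurable criteria, one attribute per rule."""
    min_length: int = 12
    max_bytes: int = 72          # bcrypt hashes only the first 72 bytes, hence the implicit maximum
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_special: bool = True
    max_age_days: int = 90       # rule 4: expiration
    history_size: int = 5        # rule 5: how many previous fingerprints count for the reuse check


def password_fingerprint(password: str) -> str:
    """Stand-in for the stored hash used by the reuse check. A real system would
    compare against the stored bcrypt/argon2 hashes rather than a plain SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(policy: PasswordPolicy, password: str, username: str,
                   previous_fingerprints=()) -> list:
    """Return the list of violated rules for a candidate password (empty = accepted).

    Rules 1, 2, 3 and 5 apply when a password is set; rule 4 (expiration) is a
    property of the stored password and lives in password_expired() below.
    """
    problems = []

    # Rule 1: minimum length in characters, maximum length in UTF-8 bytes.
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password.encode("utf-8")) > policy.max_bytes:
        problems.append(f"longer than {policy.max_bytes} bytes")

    # Rule 2: mixed character sets.
    character_sets = [
        (policy.require_lower, any(c.islower() for c in password), "no lowercase letter"),
        (policy.require_upper, any(c.isupper() for c in password), "no uppercase letter"),
        (policy.require_digit, any(c.isdigit() for c in password), "no digit"),
        (policy.require_special,
         any(not c.isalnum() and not c.isspace() for c in password), "no special character"),
    ]
    for required, present, message in character_sets:
        if required and not present:
            problems.append(message)

    # Rule 3: must not contain the user name (case-insensitive).
    if username and username.casefold() in password.casefold():
        problems.append("contains the user name")

    # Rule 5: no reuse of a password still inside the history window.
    recent = list(previous_fingerprints)[-policy.history_size:]
    if password_fingerprint(password) in recent:
        problems.append("reused a previous password")

    return problems


def password_expired(policy: PasswordPolicy, last_changed: date, today: date) -> bool:
    """Rule 4: True when the stored password is older than the policy allows.
    Running this at login also catches passwords that predate the policy."""
    return (today - last_changed).days > policy.max_age_days


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [password_fingerprint("Tr0ub4dor&3xample")]       # constructed sample history
    print(check_password(policy, "Tr0ub4dor&3xample", "alice", history))
    print(check_password(policy, "Alicepassword!", "alice"))
    print(password_expired(policy, date(2024, 1, 1), date(2024, 6, 1)))
```

`check_password` returns every violated rule rather than stopping at the first, which is what a quality checker that "informs the user of the quality level" needs; a hard threshold is then simply `len(problems) == 0`.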
Have I been pwned?
Implement the https://haveibeenpwned.com/ API, to verify that passwords do not appear in known password dumps from security breaches. This can be done easily with Symfony's NotCompromisedPassword constraint. See https://issues.ibexa.co/browse/IBX-5361
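What the lookup behind NotCompromisedPassword does, as an added example that is not Symfony's or Ibexa's code: the password is SHA-1 hashed, only the first five hex characters of the hash are sent to the Pwned Passwords range endpoint, and the returned `SUFFIX:COUNT` lines are matched locally against the remaining 35 characters, so the password itself never leaves the server (k-anonymity). The function names and the `SAMPLE_RANGES` response are assumptions; the counts in it are constructed, not real API output.

```python
"""Breached-password check using the Pwned Passwords k-anonymity range API.

Added example, not code from Symfony or Ibexa; function names and the
SAMPLE_RANGES data are assumptions / constructed values for this illustration.
"""
import hashlib
import urllib.request

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple:
    """SHA-1 the password and split it into the 5-hex-char prefix that is sent to
    the API and the 35-char suffix that stays on our side."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines returned for a prefix into {suffix: count}.
    Padded responses contain extra lines with count 0; they parse the same way."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the breach corpus (0 = not found).

    fetch_range(prefix) must return the response body for that prefix; injecting
    it keeps the logic testable offline and lets the caller add caching/timeouts.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def http_fetch_range(prefix: str) -> str:
    """Live fetcher (not exercised by the tests). Add-Padding makes every response
    roughly the same size so an observer cannot infer the result from its length."""
    request = urllib.request.Request(
        RANGE_ENDPOINT + prefix,
        headers={"User-Agent": "password-policy-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(request, timeout=5) as response:
        return response.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with it).
# The suffixes other than the "password" one and all counts are made up.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "00000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",
    ]) + "\n",
}


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for http_fetch_range using the constructed sample data."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print(breach_count("password", fake_fetch_range))                       # 1234
    print(breach_count("correct horse battery staple", fake_fetch_range))   # 0
```

Symfony's constraint applies the same lookup and rejects the password when the count reaches its `threshold` option (default 1); treating a network failure as "not compromised" versus "reject" is the policy decision a deployment has to make explicitly, which is why the fetcher is injected here rather than hard-wired.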
Relates to: IBX-5361 Use NotCompromisedPassword constraint