This is not compatible with modern NIST guidelines. Appendix A1 contains a good explanation in that link as well.
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.
Using complexity requirements (that is, where staff can only use passwords that are suitably complex) is a poor defence against guessing attacks. It places an extra burden on users, many of whom will use predictable patterns (such as replacing the letter ‘o’ with a zero) to meet the required 'complexity' criteria. […] For the above reasons, the NCSC do not recommend the use of complexity requirements when implementing user generated passwords.
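An added example, not part of the original thread and not Pimcore code: it contrasts a composition-rule check with a length-plus-blocklist check of the kind the NIST and NCSC quotes favour. The blocklist, the substitution table, the function names and the minimum length of 8 (the figure in SP 800-63B revision 3) are assumptions made for illustration.

```python
import re

# Constructed sample blocklist; a real deployment would load a large
# corpus of commonly used and breached passwords instead.
BLOCKLIST = {"password", "passwort", "qwerty", "letmein", "welcome", "admin"}

# Substitutions users typically apply to satisfy composition rules
# (assumed table, e.g. the letter 'o' replaced with a zero).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 8  # assumption: minimum from NIST SP 800-63B revision 3


def composition_policy(pw):
    """Legacy rule: 8+ characters with upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)


def normalize(pw):
    """Lowercase, drop trailing digits/punctuation, undo substitutions."""
    base = pw.lower().rstrip("0123456789!?.#*")
    return base.translate(LEET)


def blocklist_policy(pw):
    """Length and blocklist only, no composition rules: (ok, reason)."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if normalize(pw) in BLOCKLIST:
        return False, "commonly used password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("P@ssw0rd1!", "Admin123!", "correct horse battery staple"):
        print(f"{pw!r}: composition={composition_policy(pw)} "
              f"blocklist={blocklist_policy(pw)}")
```

The composition rule accepts the predictable variants and rejects the long passphrase; the blocklist check does the opposite.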
Thanks a lot for reporting the issue. We did not consider the issue as "Pimcore:Priority", "Pimcore:ToDo" or "Pimcore:Backlog", so we're not going to work on that anytime soon. Please create a pull request to fix the issue if this is a bug report. We'll then review it as quickly as possible. If you're interested in contributing a feature, please contact us first here before creating a pull request. We'll then decide whether we'd accept it or not. Thanks for your understanding.
Improvement description
The German administration for security in information technology (BSI) recommends a higher password policy than Pimcore has at the moment.
BSI recommendations:
Short and more complex passwords:
Longer and less complex passwords:
BSI INFO PDF
Should we implement this in Pimcore?