Reduce minimum password length to 8 characters

We see over and over in research that people are tripped up by the
10-character requirement because it's longer than they are used to. Most
sites require 6 or 8 characters for a password.

It goes against the CESG advice which is to not try increasing password
strength by increasing the burden on the user:

> Traditionally, organisations impose rules on the length and complexity
> of passwords. However, people then tend to use predictable strategies
> to generate passwords, so the security benefit is marginal while the
> user burden is high.

https://www.cesg.gov.uk/guidance/password-guidance-simplifying-your-approach

Instead we should be relying on:

- [x] two-factor authentication
- [x] blacklisting common passwords
- [ ] locking out users after a number of failed logins (not sure this
  is working)
Chris Hill-Scott
2016-09-26 09:29:50 +01:00
parent e48fcf4a77
commit 0c704c246d

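The commit message lists the three controls the service relies on instead of a long minimum: a blacklist of common passwords, a length floor, and lockout after repeated failures. The following is an added example, not the project's code: a plain-Python model of the validator chain visible in the diff (required, `Length(8, 255)`, `Blacklist`) and a small failed-login lockout counter. The `COMMON_PASSWORDS` list, the `LoginThrottle` class, the `attempt_login` helper and the limit of five failures are all assumptions made for the example.

```python
"""Added example, not code from the project: models the password
validator chain from the diff and a per-account failed-login lockout.
Names, the word list and the failure limit are assumptions."""
from collections import defaultdict

MIN_LENGTH = 8      # the value the commit changes 10 -> 8
MAX_LENGTH = 255

# Constructed sample blacklist for the example; a real list is far longer.
COMMON_PASSWORDS = {"password", "12345678", "qwertyuiop", "letmein1", "iloveyou"}


def normalise(password):
    """Compare case-insensitively so 'Password' is caught as well as 'password'."""
    return password.strip().lower()


def password_errors(password, blacklist=COMMON_PASSWORDS):
    """Return validation messages in the order the chain in the diff would
    produce them. An empty list means the password is accepted.

    DataRequired stops the chain, so an empty value yields only that error;
    Length and Blacklist both run, so a short blacklisted word can yield two.
    """
    errors = []
    if not password or not password.strip():
        errors.append("Can't be empty")          # diff spells this 'Cant be empty'
        return errors
    if not (MIN_LENGTH <= len(password) <= MAX_LENGTH):
        errors.append("Must be at least %d characters" % MIN_LENGTH)
    if normalise(password) in blacklist:
        errors.append("That password is blacklisted, too common")
    return errors


class LoginThrottle:
    """Count failed logins per account and lock the account at `limit`.

    Hypothetical helper for the example; the project's own lockout is not
    shown on the page.
    """

    def __init__(self, limit=5):
        self.limit = limit
        self.failures = defaultdict(int)

    def is_locked(self, user):
        return self.failures[user] >= self.limit

    def record(self, user, success):
        if success:
            self.failures.pop(user, None)   # a successful login resets the count
        else:
            self.failures[user] += 1
        return self.is_locked(user)


def attempt_login(throttle, user, credentials_ok):
    """Return 'locked', 'ok' or 'failed'.

    The lock check runs before the credential result is consulted, so a
    correct password does not bypass an existing lockout.
    """
    if throttle.is_locked(user):
        return "locked"
    throttle.record(user, credentials_ok)
    return "ok" if credentials_ok else "failed"


if __name__ == "__main__":
    for candidate in ["", "pass", "Password", "correct horse battery"]:
        print(repr(candidate), "->", password_errors(candidate) or "accepted")
    throttle = LoginThrottle(limit=3)
    for ok in [False, False, False, True]:
        print("alice:", attempt_login(throttle, "alice", ok))
```

The lockout check deliberately precedes the password check: once an account is locked, even the correct password is refused until the lock clears, which is the property the commit message says it is unsure of.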

@@ -72,7 +72,7 @@ def mobile_number():
def password(label='Password'):
return PasswordField(label,
validators=[DataRequired(message='Cant be empty'),
Length(10, 255, message='Must be at least 10 characters'),
Length(8, 255, message='Must be at least 8 characters'),
Blacklist(message='That password is blacklisted, too common')])
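Review bot: the `Length(10, 255, ...)` → `Length(8, 255, ...)` change lowers the floor while the commit message itself says the failed-login lockout is "not sure this is working"; a shorter minimum widens the online guessing window, so the lockout should be confirmed before this merges. Two smaller points on the same lines: the minimum is now written twice (`Length(8, ...` and `'Must be at least 8 characters'`), which will drift apart on the next change, so derive the message from a single constant; and the `DataRequired(message='Cant be empty')` message is missing its apostrophe and could be corrected to `"Can't be empty"` while this chain is being edited.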