It would be nice to have a built in way to enforce a password policy.
Discussions about the use of password policies aside, it would certainly help with acceptance in bigger organisations that have the requirement.
For the moment we work with a small plugin (https://github.com/visionbites/kirby-password-policy). That works. But a core way of doing that would certainly be nice.
Rough idea for a config structure:
return [
    'auth' => [
        'passwords' => [
            'minlength'  => 12,
            'upperlower' => true,
            'digits'     => true,
            'symbols'    => true,
        ]
    ]
];
and/or a regex like in your plugin (however with the disadvantage that the error message can always only be binary and not specific to a particular requirement):
return [
    'auth' => [
        'passwords' => '/^(?=.*[0-9])(?=.*[!@#$%^&*])[A-Za-z\d!@#$%^&*]{16,}$/'
    ]
];
I think that makes it a lot easier to implement a basic version of this in any project.
With the regex option it would definitely make sense to be able to create a custom error message and also a requirements text that can be displayed next to the password field.
return [
    'auth' => [
        'passwords' => '/^(?=.*[0-9])(?=.*[!@#$%^&*])[A-Za-z\d!@#$%^&*]{16,}$/',
        'hint'      => 'Your password needs to be at least X characters long and contain the word "lizard"',
        'error'     => 'I bet you did not put "lizard" in there'
    ]
];
I think to support both use cases, it would need a slightly different syntax:
For a default set of rules:
return [
    'auth' => [
        'passwords' => [
            'rules' => [
                'minlength' => 12,
                'digits'    => true,
            ]
        ]
    ]
];
For a custom regex including a hint:
return [
    'auth' => [
        'passwords' => [
            'rules' => '/^(?=.*[0-9])(?=.*[!@#$%^&*])[A-Za-z\d!@#$%^&*]{16,}$/',
            'hint'  => 'Your password needs to be at least X characters long and contain the word "lizard"',
        ]
    ]
];
For a custom regex and custom error message:
return [
    'auth' => [
        'passwords' => [
            'rules' => function ($input): true {
                // validate and throw exception for error
            }
        ]
    ]
];
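As an added example (not Kirby core code and not the plugin's code), here is a standalone validator that accepts the three `rules` shapes proposed in this thread and returns one message per failed rule, which is what makes the rule-set form more useful than a single regex: the error can name the requirement instead of being binary. The function name `validatePassword` and the rule-set semantics (minlength, upperlower, digits, symbols) are assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Validate a password against the proposed 'auth.passwords.rules' value.
 *
 * @param array<string,mixed>|string|callable $rules  rule set, regex, or callback
 * @param string|null $error  custom message for regex/callback failures
 * @return string[]  failure messages; an empty array means the password passes
 */
function validatePassword(string $password, array|string|callable $rules, ?string $error = null): array
{
    $errors = [];

    if (is_array($rules)) {
        // Rule set: check every rule so the message can name the failed one
        $min = (int) ($rules['minlength'] ?? 0);
        if (mb_strlen($password) < $min) {
            $errors[] = "Password must be at least {$min} characters long";
        }
        if (!empty($rules['upperlower'])
            && (preg_match('/\p{Lu}/u', $password) !== 1 || preg_match('/\p{Ll}/u', $password) !== 1)) {
            $errors[] = 'Password must contain both upper- and lowercase letters';
        }
        if (!empty($rules['digits']) && preg_match('/\d/', $password) !== 1) {
            $errors[] = 'Password must contain a digit';
        }
        if (!empty($rules['symbols']) && preg_match('/[^\p{L}\p{N}\s]/u', $password) !== 1) {
            $errors[] = 'Password must contain a symbol';
        }
    } elseif (is_string($rules)) {
        // Single regex: pass/fail only, hence the need for a custom message
        if (preg_match($rules, $password) !== 1) {
            $errors[] = $error ?? 'Password does not meet the requirements';
        }
    } else {
        // Callback: the callback signals failure by throwing, as proposed above
        try {
            $rules($password);
        } catch (Throwable $e) {
            $errors[] = $error ?? $e->getMessage();
        }
    }

    return $errors;
}

// Constructed config mirroring the proposed rule-set shape
$config = ['auth' => ['passwords' => ['rules' => [
    'minlength' => 12, 'upperlower' => true, 'digits' => true, 'symbols' => true,
]]]];
print_r(validatePassword('lizard', $config['auth']['passwords']['rules']));
```

Running it with the weak input `lizard` yields four separate messages, one per unmet rule, while the regex and callback branches can only report the single configured message.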