Do not require unique characters in "Password character type" constraint

Created on 17 September 2021, over 3 years ago
Updated 8 April 2024, 9 months ago

Problem/Motivation

The PasswordConstraint password_policy_character_constraint requires unique characters of each type. That is, if for example the module is configured to require passwords to include two numbers, a password which includes two incidences of the same number will fail validation. This runs counter to common user experience and actually decreases password security; if a malevolent user knows that a password contains any one character, they know that that character is not repeated anywhere in the password, making the password easier to crack.

Steps to reproduce

Enable this module, set a constraint requiring that passwords include two numbers, log in as a user to which this constraint applies and try to set a new password that includes two of the same numbers. (This problem is not limited to numbers; the same is true for letters, upper case letters, lower case letters and special characters.)

Proposed resolution

Alter the logic in PasswordCharacter::validate() to add the number of incidences of each character instead of increasing counters by one.
For example, change:

  if (is_numeric($char)) {
    $count_numeric++;
  }

to:

  if (is_numeric($char)) {
    $count_numeric = $count_numeric + $val;  // Here, $val is the number of incidences of the $char in the password.
  }

Remaining tasks

Community discussion is appropriate as to whether we should adapt the module's admin language (see related issue "Instructions unclear for constraint of Uppercase and Lowercase Characters") to align with the module's requirement that characters used be unique, or whether we should remove that requirement.

Patch forthcoming.

✨ Feature request
Status

Fixed

Version

4.0

Component

Code

Created by

🇺🇸 United States COBadger
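
The two counting behaviours described in this issue, side by side, as an added example that is not the module's code or the forthcoming patch. It assumes the per-character tally comes from PHP's `count_chars()`; the helper names `tally_character_types()` and `meets_minimum()` are hypothetical and the sample passwords are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Tally character types in a password (hypothetical helper, not module code).
 *
 * $unique_only = TRUE  : each distinct character counts once (behaviour reported in this issue).
 * $unique_only = FALSE : each character counts once per occurrence (proposed behaviour).
 */
function tally_character_types(string $password, bool $unique_only): array {
  $counts = ['numeric' => 0, 'letter' => 0, 'uppercase' => 0, 'lowercase' => 0, 'special' => 0];
  // count_chars(..., 1) returns [byte value => occurrences] for bytes that appear.
  // It is byte-oriented, so a multibyte UTF-8 character is tallied per byte.
  foreach (count_chars($password, 1) as $byte => $val) {
    $char = chr($byte);
    $step = $unique_only ? 1 : $val;
    if (is_numeric($char)) {
      $counts['numeric'] += $step;
    }
    elseif (ctype_alpha($char)) {
      $counts['letter'] += $step;
      $counts[ctype_upper($char) ? 'uppercase' : 'lowercase'] += $step;
    }
    else {
      $counts['special'] += $step;
    }
  }
  return $counts;
}

/** Check one "minimum N characters of type X" constraint under either counting rule. */
function meets_minimum(string $password, string $type, int $minimum, bool $unique_only): bool {
  return tally_character_types($password, $unique_only)[$type] >= $minimum;
}

// Constructed sample passwords; policy under test: at least two numeric characters.
foreach (['horse77battery', 'horse78battery', 'horse7battery'] as $candidate) {
  printf(
    "%-16s unique-only: %-4s  per-occurrence: %s\n",
    $candidate,
    meets_minimum($candidate, 'numeric', 2, TRUE) ? 'pass' : 'fail',
    meets_minimum($candidate, 'numeric', 2, FALSE) ? 'pass' : 'fail'
  );
}
```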
