[GH-ISSUE #93] Create a password restrictions module set #73

Open
opened 2026-02-25 21:34:03 +03:00 by kerem · 16 comments

Originally created by @jasonmunro on GitHub (Jun 28, 2016).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/93

Originally assigned to: @Danelif on GitHub.

Some random thoughts of features worth supporting. This module set will only apply for sites using the built in user authentication and not pass-through to a mail service.

  • passphrase
    • examples
    • min length 50
    • min words 3
    • min caps 1
    • min punctuation 1
    • 2000 char max
  • standard min password requirements (nist)
    • min length 10
    • min caps 1
    • min symbols 1
  • password expiration
    • forced reset password on expiration
    • saved password history
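The proposal above is a list of knobs rather than code. The following is an added example, not Cypht project code, of what those knobs look like when each one is a per-site setting: a policy object built from the thresholds listed in the issue (length, words, caps, punctuation/symbols, 2000-character maximum), plus the expiration and password-history checks from the last bullet. Class names, method names and the sample inputs are hypothetical; it assumes PHP 8.0+ with the mbstring extension.

```php
<?php
declare(strict_types=1);

// Added example (not Cypht code): a site-tunable password policy built from
// the thresholds proposed in the issue. Absent rules are simply not enforced.
final class PasswordPolicy
{
    /** @param array<string,int> $rules rule name => threshold */
    public function __construct(private array $rules)
    {
    }

    /** Passphrase preset with the thresholds listed in the issue. */
    public static function passphrase(): self
    {
        return new self([
            'min_length'      => 50,
            'max_length'      => 2000,
            'min_words'       => 3,
            'min_caps'        => 1,
            'min_punctuation' => 1,
        ]);
    }

    /** "Standard" preset with the thresholds listed in the issue. */
    public static function standard(): self
    {
        return new self([
            'min_length'  => 10,
            'max_length'  => 2000,
            'min_caps'    => 1,
            'min_symbols' => 1,
        ]);
    }

    /** @return string[] violated rules; an empty array means the password passes */
    public function violations(string $password): array
    {
        // Measure every quantity a rule may refer to. Unicode classes are used
        // so non-ASCII letters and punctuation count; preg_match_all() returns
        // false on invalid UTF-8, which the cast turns into a count of 0.
        $measured = [
            'min_length'      => mb_strlen($password),
            'max_length'      => mb_strlen($password),
            'min_words'       => count(preg_split('/\s+/u', trim($password), -1, PREG_SPLIT_NO_EMPTY)),
            'min_caps'        => (int) preg_match_all('/\p{Lu}/u', $password),
            'min_punctuation' => (int) preg_match_all('/\p{P}/u', $password),
            'min_symbols'     => (int) preg_match_all('/[\p{P}\p{S}]/u', $password),
        ];

        $errors = [];
        foreach ($this->rules as $rule => $threshold) {
            if (!array_key_exists($rule, $measured)) {
                throw new InvalidArgumentException("unknown rule: $rule");
            }
            // max_length is an upper bound; every other rule is a lower bound.
            $ok = $rule === 'max_length'
                ? $measured[$rule] <= $threshold
                : $measured[$rule] >= $threshold;
            if (!$ok) {
                $errors[] = sprintf('%s (need %d, got %d)', $rule, $threshold, $measured[$rule]);
            }
        }
        return $errors;
    }
}

// Expiration and reuse, as proposed: forced reset after N days, last N hashes kept.
final class PasswordLifecycle
{
    public function __construct(private int $maxAgeDays, private int $historySize)
    {
    }

    public function isExpired(int $changedAt, int $now): bool
    {
        return ($now - $changedAt) > $this->maxAgeDays * 86400;
    }

    /** Reuse is checked against stored password_hash() values, never plaintext. */
    public function isReused(string $password, array $previousHashes): bool
    {
        foreach ($previousHashes as $hash) {
            if (password_verify($password, $hash)) {
                return true;
            }
        }
        return false;
    }

    /** Records the new password's hash and trims the history to the configured size. */
    public function record(string $password, array $previousHashes): array
    {
        $previousHashes[] = password_hash($password, PASSWORD_DEFAULT);
        return array_slice($previousHashes, -$this->historySize);
    }
}

// Constructed sample inputs (hypothetical): one passphrase meant to satisfy the
// preset and one that is meant to fail several rules.
$policy = PasswordPolicy::passphrase();
print_r($policy->violations('Correct horse battery staple, with a much longer tail than usual!'));
print_r($policy->violations('short phrase'));

$lifecycle = new PasswordLifecycle(maxAgeDays: 90, historySize: 5);
$history = $lifecycle->record('OldPassword#1!', []);
var_dump($lifecycle->isReused('OldPassword#1!', $history));
var_dump($lifecycle->isExpired(changedAt: time() - 100 * 86400, now: time()));
```

One caveat that matters for the passphrase preset: `PASSWORD_DEFAULT` is currently bcrypt, which only uses the first 72 bytes of the password, so characters beyond that point do not contribute to the stored hash even though the policy accepts up to 2000 of them. Where the PHP build supports it, `PASSWORD_ARGON2ID` does not have that limit. Keeping the history as hashes rather than plaintext means a reuse check costs one `password_verify()` per stored entry, which is the intended trade-off.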

@dumblob commented on GitHub (Jun 28, 2016):

Good idea.

I must though disagree on several points from the proposal (yes, even NIST has it wrong :(). E.g. `min caps 1`, `min punctuation 1`, `min symbols 1` are not useful (why it is so is explained under the linked sources on the zxcvbn github page I'm referring to below - e.g. remembering and writing symbols and lowercase/UPPERCASE is harder than having the password 1 or 2 characters longer to achieve way higher security, because people then don't write down their passwords on papers glued to their LCDs, but rather remember them).

For a good strength estimator please see https://github.com/aybabtme/zxcvbn and the literature and explanations linked from that page.

The rest of the proposal (including expiration) is a decent one, thanks!


@jasonmunro commented on GitHub (Jun 28, 2016):

Thanks for the feedback. It's all about entropy here. Unencumbered by facts, I'm not surprised having a larger overall minimum might outweigh forcing a larger character set. Honestly I like the pass-phrase approach the best. Max entropy, and a phrase that doesn't require a post-it :) Regardless, I plan on making each of these a knob a site can tune to whatever they want.


@dumblob commented on GitHub (Jun 29, 2016):

> Regardless, I plan on making each of these a knob a site can tune to whatever they want.

If it's not much more work, then it's undoubtedly the best solution.


@marclaporte commented on GitHub (May 7, 2024):

@Danelif please advise.


@marclaporte commented on GitHub (May 7, 2024):

If we do this, we should re-use an existing lib.


@Danelif commented on GitHub (May 7, 2024):

We might consider using the PasswordPolicy library. This library allows you to define password policies (e.g. minimum length, required character types) and then hash and verify passwords against those policies. More information on this library: https://github.com/web-token/jwt-password-policy


@marclaporte commented on GitHub (May 7, 2024):

https://github.com/web-token/jwt-password-policy gives me "page not found"


@Danelif commented on GitHub (May 7, 2024):

https://github.com/ircmaxell/password-policy


@marclaporte commented on GitHub (May 7, 2024):

> https://github.com/ircmaxell/password-policy

Last commit 8 years ago


@IrAlfred commented on GitHub (Sep 26, 2025):

Hello @Danelif
Any update here?


@Danelif commented on GitHub (Sep 26, 2025):

@marclaporte @IrAlfred what about this https://github.com/bjeavons/zxcvbn-php

Last commit is 7 months old

If agreed, we can start its integration


@IrAlfred commented on GitHub (Sep 26, 2025):

@Danelif This is a good start.

To ensure we select the most effective solution, I recommend conducting a comparative analysis of available password validation libraries. This would involve evaluating key criteria such as security features, customization options, performance, and maintenance status to identify the optimal package for Cypht's specific requirements.

You can do this on a wiki page


@Danelif commented on GitHub (Sep 26, 2025):

@IrAlfred Got it
I put this on my TODOs


@marclaporte commented on GitHub (Sep 26, 2025):

Was done here: https://dev.tiki.org/Password-Strength-Implementation-Review

We should use the same for Cypht and Tiki

Tracked internally on https://avan.tech/item112169


@Danelif commented on GitHub (Sep 26, 2025):

Thank you @marclaporte
I will review and start implementation on Cypht and later in Tiki


@marclaporte commented on GitHub (Sep 27, 2025):

As discussed: let's put this on pause. Let's do in Tiki first.
