[GH-ISSUE #1374] Additional Valid Password Scheme #385

Closed
opened 2026-02-26 18:46:48 +03:00 by kerem · 12 comments

Originally created by @ElTimuro on GitHub (Oct 1, 2024).
Original GitHub issue: https://github.com/documenso/documenso/issues/1374

Originally assigned to: @Dun-sin on GitHub.

Describe the improvement you are suggesting in detail

  • Currently Documenso forces "classical" password complexity criteria like Capital Case, Special Char and Number
  • As nicely described in Randall Munroe's comic, a long password is just as secure and easier to manage
  • The current format can be kept
  • I suggest the addition of allowing 25+ character length passwords with any other criteria
  • e.g. "Password1!" would work but "passwordisnotasecurepasssword" would as well

Additional Information & Alternatives (optional)

image

Do you want to work on this improvement?

No

Please check the boxes that apply to this improvement suggestion.

  • I have searched the existing issues and improvement suggestions to avoid duplication.
  • I have provided a clear description of the improvement being suggested.
  • I have explained the rationale behind this improvement.
  • I have included any relevant technical details or design suggestions.
  • I understand that this is a suggestion and that there is no guarantee of implementation.

@github-actions[bot] commented on GitHub (Oct 1, 2024):

Thank you for opening your first issue and for being a part of the open signing revolution!

One of our team members will review it and get back to you as soon as possible 💚

Meanwhile, please feel free to hop into our community in Discord (https://documen.so/discord)


@dguyen commented on GitHub (Oct 28, 2024):

@ElTimuro are you saying that passwords above 25 characters should be allowed to be created without any additional criteria?

Or did you want to just allow all new passwords to be created without any criteria besides length?


@Dun-sin commented on GitHub (Oct 29, 2024):

@dguyen can I take this if you accept the issue? Also I think @ElTimuro is saying every other password rule should stay, and we should also extend the length of how many characters a password should be, so 25 should be the new limit


@ElTimuro commented on GitHub (Oct 29, 2024):

@dguyen it's an additional rule that is enough if achieved. As dun-sin said 👌


@dguyen commented on GitHub (Nov 1, 2024):

I don't really understand how this would work, but I've assigned it to you @Dun-sin


@Dun-sin commented on GitHub (Nov 1, 2024):

> I don't really understand how this would work, but I've assigned it to you @Dun-sin

Well here's what I plan to do, think it's pretty simple from what I understand @ElTimuro wants. Just don't throw an error when the password length is more than the current set limit and push that limit to 25.


@Dun-sin commented on GitHub (Nov 6, 2024):

@ElTimuro @dguyen while trying to create a demo account both on localhost and the live site, I got stuck at setting up the user profile (it works though when using Google, but I can't test the password thing)
image

In the code I see that it's set to disabled here, which means a form element wasn't valid, but I got no error for which element input is invalid:

{step === 'CLAIM_USERNAME' && (
                <Button
                  loading={form.formState.isSubmitting}
                  disabled={!form.formState.isValid}
                  type="submit"
                  size="lg"
                  className="flex-1"
                >
                  <Trans>Complete</Trans>
                </Button>
              )}

@dguyen commented on GitHub (Nov 6, 2024):

@Dun-sin I can't seem to replicate it, do you have some steps I can follow?

I tested and successfully created an account on live


@Dun-sin commented on GitHub (Nov 7, 2024):

@dguyen here is the exact data I entered, no error message and I couldn't move forward

https://github.com/user-attachments/assets/1e2c83fe-2515-477d-b7f3-a2bfc9f25718


@catalinpit commented on GitHub (Nov 7, 2024):

> @dguyen here is the exact data I entered, no error message and I couldn't move forward
>
> msedge_BYRmxnT7n9.mp4

Hey Dunsin, sorry about that. I managed to reproduce the issue. The password contains the name, which is why this happens. Unfortunately, for some reason, the error is not displayed.

It's the code from ZSignUpFormV2Schema that needs to be updated. More specifically, the path property for the .refine method needs to be specified.

export const ZSignUpFormV2Schema = z
  .object({
    name: z.string().trim().min(1, { message: 'Please enter a valid name.' }),
    email: z.string().email().min(1),
    password: ZPasswordSchema,
    signature: z.string().min(1, { message: 'We need your signature to sign documents' }),
    url: z
      .string()
      .trim()
      .toLowerCase()
      .min(1, { message: 'We need a username to create your profile' })
      .regex(/^[a-z0-9-]+$/, {
        message: 'Username can only container alphanumeric characters and dashes.',
      }),
  })
  .refine(
    (data) => {
      const { name, email, password } = data;
      return !password.includes(name) && !password.includes(email.split('@')[0]);
    },
    {
      message: 'Password should not be common or based on personal information',
      path: ['password'], <<<---- this is missing in the code
    },
  );

CleanShot 2024-11-07 at 17 21 54@2x

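As an added example (not Documenso's code and not its `ZPasswordSchema`), the following pulls together the two points of this thread: the policy the issue asks for, where the classic criteria named in the issue (capital letter, number, special character) or a 25+ character passphrase is sufficient on its own, and the personal-information check from the comment above, with every error carrying a field path so a form can actually display it. All function names are hypothetical; the classic minimum length of 8 is an assumption the issue does not state, and the personal-information match is case-insensitive, which goes one step beyond the `includes()` in the schema above.

```typescript
// Added example, not Documenso's code: a password policy in the shape the issue asks
// for (classic complexity rules OR a long passphrase), plus the personal-information
// check from the thread with its error attached to the "password" field path.

type FieldError = { path: string[]; message: string };

// Assumed thresholds: the issue gives 25 for the passphrase rule but does not state
// the classic minimum length, so 8 is a placeholder.
const CLASSIC_MIN_LENGTH = 8;
const PASSPHRASE_MIN_LENGTH = 25;

// The "classical" criteria the issue names: a capital letter, a number and a
// special character, on top of the assumed minimum length.
function meetsClassicRules(password: string): boolean {
  return (
    password.length >= CLASSIC_MIN_LENGTH &&
    /[A-Z]/.test(password) &&
    /[0-9]/.test(password) &&
    /[^A-Za-z0-9]/.test(password)
  );
}

// The proposed alternative: length alone is sufficient at 25+ characters.
function meetsPassphraseRule(password: string): boolean {
  return password.length >= PASSPHRASE_MIN_LENGTH;
}

// Either rule satisfies the policy. An error is always keyed to its field so the
// form can render it (the bug found in the thread was an error with no path).
function validatePassword(password: string): FieldError[] {
  if (meetsClassicRules(password) || meetsPassphraseRule(password)) {
    return [];
  }
  return [
    {
      path: ['password'],
      message:
        `Use at least ${PASSPHRASE_MIN_LENGTH} characters, or at least ` +
        `${CLASSIC_MIN_LENGTH} characters including a capital letter, a number and a special character.`,
    },
  ];
}

interface SignUpData {
  name: string;
  email: string;
  password: string;
}

// Personal-information check equivalent to the refine() in the thread. It compares
// case-insensitively, which is an assumption beyond the page's includes() call.
function validateSignUp(data: SignUpData): FieldError[] {
  const errors = validatePassword(data.password);
  const pw = data.password.toLowerCase();
  const name = data.name.trim().toLowerCase();
  const local = data.email.split('@')[0].trim().toLowerCase();
  const usesPersonalInfo =
    (name.length > 0 && pw.includes(name)) || (local.length > 0 && pw.includes(local));
  if (usesPersonalInfo) {
    errors.push({
      path: ['password'],
      message: 'Password should not be common or based on personal information',
    });
  }
  return errors;
}

// What a form does to display errors: look them up by field path. An error emitted
// without a path never matches any field, which is why nothing was shown in the UI.
function errorsForField(errors: FieldError[], field: string): string[] {
  return errors.filter((e) => e.path[0] === field).map((e) => e.message);
}
```

With this shape, "Password1!" passes via the classic rules and "passwordisnotasecurepasssword" passes via the 25-character rule, while a password containing the account's name is rejected with a message that `errorsForField(errors, 'password')` returns, which is exactly what the missing `path` above prevented.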

@Dun-sin commented on GitHub (Nov 7, 2024):

> > @dguyen here is the exact data I entered, no error message and I couldn't move forward
> > msedge_BYRmxnT7n9.mp4
>
> Hey Dunsin, sorry about that. I managed to reproduce the issue. The password contains the name, which is why this happens. Unfortunately, for some reason, the error is not displayed.
>
> It's the code from ZSignUpFormV2Schema that needs to be updated. More specifically, the path property for the .refine method needs to be specified.
>
> export const ZSignUpFormV2Schema = z
>   .object({
>     name: z.string().trim().min(1, { message: 'Please enter a valid name.' }),
>     email: z.string().email().min(1),
>     password: ZPasswordSchema,
>     signature: z.string().min(1, { message: 'We need your signature to sign documents' }),
>     url: z
>       .string()
>       .trim()
>       .toLowerCase()
>       .min(1, { message: 'We need a username to create your profile' })
>       .regex(/^[a-z0-9-]+$/, {
>         message: 'Username can only container alphanumeric characters and dashes.',
>       }),
>   })
>   .refine(
>     (data) => {
>       const { name, email, password } = data;
>       return !password.includes(name) && !password.includes(email.split('@')[0]);
>     },
>     {
>       message: 'Password should not be common or based on personal information',
>       path: ['password'], <<<---- this is missing in the code
>     },
>   );
>
> CleanShot 2024-11-07 at 17 21 54@2x

got it, thanks for the help, will also get that fixed!!


@ElTimuro commented on GitHub (Nov 19, 2024):

Is this ready to review? :)
