Project

General

Profile

Actions

Epic #97387

open

Configurable Password Policies

Added by Torben Hansen over 2 years ago. Updated about 1 year ago.

Status:
Under Review
Priority:
Should have
Assignee:
Category:
-
Start date:
2022-04-15
Due date:
% Done:

83%

Estimated time:
(Total: 0.00 h)
Sprint Focus:

Description

In order to provide strong defaults in regards to password security, TYPO3 will be able to validate user passwords against configurable password policies. This feature will increase the general security for TYPO3 users by providing a default password policy. Also TYPO3 as a CMS would be inline with recommendations on password security from the german BSI.

  • TYPO3 will ships with a default password policy
  • TYPO3 uses the default password policy for all scopes (backend and frontend user passwords)
  • The default password policy can be extended
  • It is possible to define custom password policies
  • TYPO3 will by default only support 2 scopes (BE and FE user passwords), but can be extended to support user defined scopes (e.g. in order to validate custom password fields for tables other than be_users and fe_users)

Technical implementation

A password policy is defined by a set of validators (not Extbase validators). If a password policy consists of multiple validators, they are chained. A Password checked within a password policy must match all configured and active validators.

The PasswordPolicyValidator class will provides a function to validate a given password based on the current password policy for the current scope. The validation result (true/false) will be returned and potential validation error messages can be retrieved from the PasswordPolicyValidator instance.

Validators

Validators for usage in a password policy must implement the PasswordValidatorInterface or extend the AbstractPasswordValidator class. Besides validation logic, a validator must also be able to return an array of strings with password requirements (e.g. "minimun length x chars") in order to provide human readable password requirements. In case of a failed validation a validation error message can be definied.

Validators can be excluded for certain actions (e.g. no current password check for password of new users). Available actions are definied globally in the class PasswordPolicyAction.

Password Policy Configuration

Password Policy configuration is located in LocalConfiguration.php as shown below:

$GLOBALS['TYPO3_CONF_VARS']['SYS']['passwordPolicies'] = [
    'default' => [
        'validators' => [
            \TYPO3\CMS\Core\PasswordPolicy\Validator\CorePasswordValidator::class => [
                'options' => [
                    'minimumLength' => 8,
                    'upperCaseCharacterRequired' => true,
                    'lowerCaseCharacterRequired' => true,
                    'digitCharacterRequired' => true,
                    'specialCharacterRequired' => true,
                ],
                'excludeActions' => [],
            ],
            \TYPO3\CMS\Core\PasswordPolicy\Validator\NotCurrentPasswordValidator::class => [
                'options' => [],
                'excludeActions' => [
                    \TYPO3\CMS\Core\PasswordPolicy\PasswordPolicyAction::NEW_USER_PASSWORD,
                ],
            ],
        ],
    ],
];

$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordPolicy'] = 'default';
$GLOBALS['TYPO3_CONF_VARS']['FE']['passwordPolicy'] = 'default';

Password Policies can globally be disabled (e.g. for development environment) by setting the BE/FE password policy to an empty value in AdditionalConfiguration.php

→ see https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/12.0/Feature-97388-ConfigurablePasswordPolicies.html

JavaScript module and API (TYPO3 backend only)

In order to provide instant feedback for users entering a password, a general JavaScript module needs to be developed, which validates a password when it is entered into a password field. The JavaScript module can be used for either password fields in FormEngine or regular password input fields (e.g. setup module or install tool) if possible.

Example:

A new backend route (similar to the slug suggest route) will use the configured password policy based on the given scope. Since custom password validators may use backend logic (e.g. check password against a deny-list), a client/server integration as described is required and has to be discussed.

Where can password policies be used in TYPO3?

  • Backend and frontend user password change using DataHandler (TCA type=password)
  • Backend user password (setup module)
  • Password reset for backend user
  • Password reset for frontend user
  • Install tool - Create Administrative User
  • Install tool - Install tool password
  • Install tool - Initial admin user

Files

typo3-password-field.png (29.5 KB) typo3-password-field.png Torben Hansen, 2022-04-15 05:40

Subtasks 12 (2 open10 closed)

Feature #97388: Introduce Password Policy feature and implement usage in ext:setupClosedTorben Hansen2022-04-15

Actions
Feature #97389: Add Password Policy check to FormEngine (TCA type=password) and DataHandlerClosedTorben Hansen2022-04-15

Actions
Feature #97390: Add Password Policy check to ext:feloginClosedTorben Hansen2022-04-15

Actions
Feature #97391: Add Password Policy check to ext:backendClosedTorben Hansen2022-04-15

Actions
Feature #97392: Add Password Policy check to ext:installClosed2022-04-15

Actions
Task #97393: Validate password policy on the fly in FormEngineAccepted2022-04-15

Actions
Task #99574: Make password policy ContextData DTO more flexibleClosedTorben Hansen2023-01-17

Actions
Feature #99608: Add password policy action to exclude validators in SU modeClosedTorben Hansen2023-01-18

Actions
Feature #100260: Add ExcludeFromLiveCheckInterfaceNewTorben Hansen2023-03-22

Actions
Feature #100294: Add PSR-14 events to modify ContextData DTOClosedTorben Hansen2023-03-24

Actions
Task #100295: Prevent setting empty password in backend password recoveryClosedTorben Hansen2023-03-24

Actions
Task #100300: Respect security.usePasswordPolicyForFrontendUsers in TCA type=passwordClosedTorben Hansen2023-03-25

Actions

Related issues 5 (2 open3 closed)

Related to TYPO3 Core - Feature #87299: Enhance password handling and two-factor authenticationClosed2018-12-27

Actions
Related to TYPO3 Core - Feature #80792: Password strength meter for BE LoginNew2017-04-10

Actions
Related to TYPO3 Core - Feature #69190: Add password generator "wizard"New2015-08-19

Actions
Related to TYPO3 Core - Feature #80793: provide configurable password policiesClosed2017-04-10

Actions
Related to TYPO3 Core - Task #99349: Use the new password policies in setupDatabaseServiceClosed2022-12-12

Actions
Actions #1

Updated by Torben Hansen over 2 years ago

  • Related to Feature #80793: provide configurable password policies added
Actions #2

Updated by Torben Hansen over 2 years ago

  • Description updated (diff)
Actions #3

Updated by Gerrit Code Review almost 2 years ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75472

Actions #4

Updated by Oliver Hader almost 2 years ago

  • Description updated (diff)
Actions #5

Updated by Oliver Hader almost 2 years ago

  • Related to Feature #87299: Enhance password handling and two-factor authentication added
Actions #6

Updated by Oliver Hader almost 2 years ago

  • Related to Feature #80792: Password strength meter for BE Login added
Actions #7

Updated by Oliver Hader almost 2 years ago

Actions #8

Updated by Oliver Hader almost 2 years ago

  • Related to deleted (Feature #80793: provide configurable password policies)
Actions #9

Updated by Oliver Hader almost 2 years ago

  • Related to Feature #80793: provide configurable password policies added
Actions #10

Updated by Oliver Hader almost 2 years ago

  • Description updated (diff)
Actions #11

Updated by Jochen Roth over 1 year ago

  • Related to Task #99349: Use the new password policies in setupDatabaseService added
Actions #12

Updated by Torben Hansen over 1 year ago

  • Subtask #99574 added
Actions #13

Updated by Torben Hansen over 1 year ago

  • Subtask #99608 added
Actions #14

Updated by Torben Hansen over 1 year ago

  • Subtask #100260 added
Actions #15

Updated by Torben Hansen over 1 year ago

  • Subtask #100294 added
Actions #16

Updated by Torben Hansen over 1 year ago

  • Subtask #100295 added
Actions #17

Updated by Torben Hansen over 1 year ago

  • Subtask #100300 added
Actions #18

Updated by Benni Mack about 1 year ago

  • Target version changed from 12 LTS to Candidate for Major Version
Actions

Also available in: Atom PDF