
Change password validator configuration to be secure #2119

Closed
eganov opened this issue Mar 23, 2023 · 3 comments · Fixed by #2308

Comments


eganov commented Mar 23, 2023

Investigating a security issue on a bank's site led me to this project. The password policy defined in the lms.yml configuration file appears to cause numerous production systems to allow passwords of length 2. This is because developers apparently fail to override the min_length: 2 validator option in production.

See also password.rst:

AUTH_PASSWORD_VALIDATORS:
-   NAME: django.contrib.auth.password_validation.UserAttributeSimilarityValidator
-   NAME: common.djangoapps.util.password_policy_validators.MinimumLengthValidator
    OPTIONS:
      min_length: 2

Although it is not really the responsibility of this project, I suggest that this value be changed to conform to the latest password policy recommendations. For example, regarding password length, NIST says a minimum of 8. Microsoft says a minimum of 12. OWASP says a minimum of 8, in some places.
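As an added example (not code from the issue, from edx-platform or from Django), here is a small Python audit of an AUTH_PASSWORD_VALIDATORS list, the structure lms.yml is loaded into, that flags the min_length: 2 setting quoted above. The validator class paths are those from the snippet, the threshold of 8 is the NIST figure cited, and the fallback used when a validator has no OPTIONS block is an assumption.

```python
# Added example, not code from the issue, edx-platform or Django: audit a
# Django AUTH_PASSWORD_VALIDATORS list (the structure lms.yml is loaded into)
# against a minimum-length policy.
from typing import Any, Dict, List, Optional

# Validator class paths as quoted in the issue; Django's stock validator is
# included so the audit also covers plain Django deployments.
MIN_LENGTH_VALIDATORS = {
    "common.djangoapps.util.password_policy_validators.MinimumLengthValidator",
    "django.contrib.auth.password_validation.MinimumLengthValidator",
}
# Django's MinimumLengthValidator defaults to 8 when no min_length option is
# given; the edX subclass is assumed here to inherit that default.
DEFAULT_MIN_LENGTH = 8
POLICY_MIN_LENGTH = 8  # the NIST figure the issue cites

def effective_min_length(validators: List[Dict[str, Any]]) -> Optional[int]:
    """Length every password must reach to pass all configured length
    validators, or None when no length validator is configured at all."""
    lengths = [
        int((v.get("OPTIONS") or {}).get("min_length", DEFAULT_MIN_LENGTH))
        for v in validators
        if v.get("NAME") in MIN_LENGTH_VALIDATORS
    ]
    # Every validator runs, so the strictest one sets the effective minimum.
    return max(lengths) if lengths else None

def audit_password_validators(validators, policy_min=POLICY_MIN_LENGTH) -> List[str]:
    """Return human-readable findings; an empty list means the policy is met."""
    effective = effective_min_length(validators)
    if effective is None:
        return ["no minimum-length validator configured; any length is accepted"]
    if effective < policy_min:
        return [f"min_length {effective} is below the policy minimum of {policy_min}"]
    return []

# Constructed sample: the lms.yml snippet from the issue, as Python data.
WEAK_CONFIG = [
    {"NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator"},
    {"NAME": "common.djangoapps.util.password_policy_validators.MinimumLengthValidator",
     "OPTIONS": {"min_length": 2}},
]
# Constructed sample: the same list with min_length raised to the policy value.
HARDENED_CONFIG = [
    {"NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator"},
    {"NAME": "common.djangoapps.util.password_policy_validators.MinimumLengthValidator",
     "OPTIONS": {"min_length": 8}},
]
```

Running audit_password_validators over the rendered settings of each deployment (rather than over the documented example) is what catches the un-overridden default the issue describes.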

@github-project-automation github-project-automation bot moved this to Backlog - Other in docs.openedx.org Apr 5, 2023
Contributor

vahid75 commented Dec 15, 2024

Hi @feanil. If you agree with @eganov's opinion, I can work on it, both changing the MinValidator to be more secure and updating the documentation. I would be happy to contribute to both the codebase and the documentation.

Contributor

feanil commented Dec 18, 2024

@vahid75 that would be great! Please go ahead and work on it and let me know how I can help.

vahid75 added a commit to vahid75/edx-documentation that referenced this issue Dec 21, 2024
…stall operation document

The default minimum password length mentioned in edx-platform/lms/envs/common.py is 8 characters, but in the install operation document you see 2.
closes openedx#2119
Contributor

vahid75 commented Dec 21, 2024

The OpenEdx source code uses the right minimum length and the documentation is outdated (it was my bad for not checking the edx-platform code). I have created a PR on this repo to mention the correct value. For more information, see the above PR description.

feanil pushed a commit to vahid75/edx-documentation that referenced this issue Jan 7, 2025
@feanil feanil closed this as completed in 60d6cfd Jan 7, 2025
@github-project-automation github-project-automation bot moved this from Backlog - Other to Done in docs.openedx.org Jan 7, 2025