Entropy requirements for new user passwords MVC

Problem to solve

We've explored this issue and now need to implement the MVC for this feature.

Proposal

A "Minimum Password Length" setting within the Admin panel. This setting should apply a minimum length requirement for new user passwords.

Mock-up (Draft), Prototype and Location:
  • Mock-up (Draft): Password_Prototype. Initial draft mock-up for this MVC.
  • Prototype: https://drive.google.com/file/d/1nHTkLq-QZlijRCwcVq2lyXx7gX-2rP1N/view. Working prototype for the MVC.
  • Location: Screen_Shot_2019-11-20_at_12.06.35_PM. The area in the Admin Panel where this feature would live, for reference.
  • This change should not require a restart, if possible.
  • This field should accept an integer value no less than 8 and present an appropriate error when the value is invalid.
  • If the password exceeds the maximum length for a password, it should generate an error.
  • This setting should apply only to new passwords (new users and password resets/changes), not to existing passwords.
  • User-facing password fields should inform the user when their password does not meet the specified requirement.
  • The default value should be whatever minimum length value already exists.
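The validation rules listed above, as an added example in plain Ruby (not GitLab's own code): one check for the admin-entered setting and one for a new password against that setting. The maximum password length of 128 is an assumed placeholder, since this issue does not state GitLab's actual limit.

```ruby
# Added example (not GitLab code): minimum-length validation for new passwords,
# driven by an admin-configurable "Minimum Password Length" setting.

# Hard floor the admin setting may not go below (from the proposal).
SETTING_FLOOR = 8
# Assumed upper bound on password length; the real limit is not stated on this page.
MAX_PASSWORD_LENGTH = 128

# Validates the admin-supplied "Minimum Password Length" value.
# Returns nil when the value is acceptable, otherwise an error message.
def minimum_length_setting_error(value)
  return "must be an integer" unless value.is_a?(Integer)
  return "must be at least #{SETTING_FLOOR}" if value < SETTING_FLOOR
  return "must not exceed #{MAX_PASSWORD_LENGTH}" if value > MAX_PASSWORD_LENGTH
  nil
end

# Checks a *new* password (new user, reset or change) against the configured
# minimum. Existing passwords are never re-checked by this rule.
# Returns an array of user-facing error messages; empty when acceptable.
def new_password_errors(password, minimum_length:)
  errors = []
  length = password.to_s.length
  errors << "must be at least #{minimum_length} characters" if length < minimum_length
  errors << "must not exceed #{MAX_PASSWORD_LENGTH} characters" if length > MAX_PASSWORD_LENGTH
  errors
end

if __FILE__ == $PROGRAM_NAME
  puts minimum_length_setting_error(7).inspect
  puts new_password_errors("short", minimum_length: 12).inspect
end
```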

Additional Information

This MVC is based on NIST guidance and GitLab's internal password policy update.

We will not be addressing password complexity requirements (minimum number of special characters, capitals, etc.) in this iteration, since such rules are antithetical to NIST guidance.

Existing Gems that may be helpful:

Permissions and Security

This is viewable only to Administrators for now.

What does success look like, and how can we measure that?

Success for this feature is likely tied to usage data of the feature. This may be X number of customers with a saved setting or who save a setting specifically via the UI admin panel. We'll need to narrow this.

Links / references

NIST Publication 800-63B

Edited by Daniel Mora