Discovery: Enforce entropy requirements for new user passwords
Problem
GitLab currently enforces a minimum password length through the instance configuration, but that setting cannot easily be changed from the UI. Further, GitLab does not provide a way to customize password complexity rules, which customers' internal password/information security policies may require. Without the flexibility to easily define password entropy requirements, administrators cannot appropriately manage this risk.
Details from Support
ZD: https://gitlab.zendesk.com/agent/tickets/78998
On this page, https://about.gitlab.com/security/ we describe GitLab corporation's security governance policy for passwords:
Do application, system, and device passwords (including routers, firewalls, databases, and external social spaces) require passwords to have the following characteristics: 1. minimum length of 8 characters, 2. chosen from any acceptable character sets available on the target system, 3. includes at least one alphabetic and one numeric character. YES
Should GitLab the product enforce those rules as well? Currently you can make an 8-character password such as `aaaaaaaa`.
Proposal
- Allow an instance administrator to set an entropy requirement for new passwords.
- To reduce effort in the first iteration, we can elect to enforce this for only new user passwords.
We could consider using these gems:
- https://github.com/phatworx/devise_security_extension
- https://github.com/fnando/password_strength
- https://github.com/bdmac/strong_password
The MVC for this could be to allow administrators to specify a new password's minimum length within the UI and generate an informational notice upon completion informing the user of their password strength.
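As an added illustration of the MVC described above (example code written for this issue, not GitLab's own implementation), the following standalone Ruby module checks a new password against an admin-configured minimum length, the alphabetic/numeric rule quoted from the security page, and a rough entropy estimate that feeds the informational strength notice. The setting names and thresholds are constructed placeholders, not real GitLab settings.

```ruby
# Example password policy check (not GitLab code). Settings are constructed
# stand-ins for values an instance administrator would configure in the UI.
module PasswordPolicy
  DEFAULT_SETTINGS = { minimum_length: 8, minimum_entropy_bits: 40 }.freeze

  # Rough search-space entropy in bits: size of the character pool implied by
  # the classes used, times the number of DISTINCT characters. Counting distinct
  # characters (not raw length) is what makes "aaaaaaaa" score near zero.
  # Dictionary/breach checks are out of scope here, as in the issue's MVC.
  def self.entropy_bits(password)
    pool = 0
    pool += 26 if password.match?(/[a-z]/)
    pool += 26 if password.match?(/[A-Z]/)
    pool += 10 if password.match?(/[0-9]/)
    pool += 33 if password.match?(/[^a-zA-Z0-9]/) # printable ASCII symbols
    return 0.0 if pool.zero?
    (password.chars.uniq.size * Math.log2(pool)).round(1)
  end

  # Label for the post-creation informational notice proposed in the MVC.
  def self.strength_label(password)
    bits = entropy_bits(password)
    return 'weak' if bits < 28
    return 'fair' if bits < 40
    return 'strong' if bits < 60
    'very strong'
  end

  # Returns an array of human-readable violations; empty means acceptable.
  def self.violations(password, settings = DEFAULT_SETTINGS)
    settings = DEFAULT_SETTINGS.merge(settings)
    errors = []
    if password.length < settings[:minimum_length]
      errors << "must be at least #{settings[:minimum_length]} characters"
    end
    errors << 'must include at least one alphabetic character' unless password.match?(/[a-zA-Z]/)
    errors << 'must include at least one numeric character' unless password.match?(/[0-9]/)
    bits = entropy_bits(password)
    if bits < settings[:minimum_entropy_bits]
      errors << "estimated entropy #{bits} bits is below the required #{settings[:minimum_entropy_bits]}"
    end
    errors
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[aaaaaaaa Gitlab2019!].each do |pw|
    puts "#{pw}: #{PasswordPolicy.strength_label(pw)} #{PasswordPolicy.violations(pw)}"
  end
end
```

Note that `aaaaaaaa` satisfies the length rule alone but fails both the numeric-character rule and the entropy threshold, which is exactly the gap the support ticket describes.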
In future iterations, we can introduce:
- dictionary comparison for known, bad or breached passwords
- visible, real-time password strength meter
- failed password attempt limits & lockout (e.g. 3 failed attempts before lockout)
- account lockout settings (e.g. locked out for 1 hour on first lock, 12 hours on second, etc.)
Implementation
Please see the implementation issue for this MVC.
Action Items
- Determine level of frontend support required
- Create separate FE issue
Additional Information
GitLab recently updated its internal Password Policy Guidelines based on information shared in comments below.