Hey everyone,
I just had a client ask me what I consider to be a very obvious and reasonable question, which I haven’t run into yet. They are currently undergoing a full security audit of their internal systems and the auditor asked if ExpressionEngine can enforce strict passwords. Having a bit of experience with security audits in the past, I know this to be a pretty typical question. I didn’t see any addons in Devot-EE, and so I was considering building one myself. I was thinking something which:
However, when looking at the extension hooks available - I didn’t seem to find any that would fire when both:
A. A new user is registered
B. A user updates their password information
So my questions are:
Seems like pretty important functionality to have, particularly for larger corporate clients who have to endure regular security audits.
Thanks so much!
Michael
I came up against the same thing with a client security audit a while back. I did not find any add-ons for this at the time and it would be great if there was functionality to support password security schemes like this.
You can turn on require secure passwords (which must include an upper and lower char as well as a number) and increase the minimum password length in security and session preferences as a first step.