Koozali.org: home of the SME Server

Password policy is a puzzle on SME Server 11 beta

Offline evilmrb

« on: July 27, 2025, 11:50:48 AM »
Nice to see a new version of SME Server to try out. The slightly changed look is enough to look modern but not so much as to be unfamiliar. However, trying to set up new users was really frustrating. Every attempt I made was greeted with a complaint about something I hadn't done. Referring to the wiki I quickly discovered that the password rules from older versions no longer apply - 7 chars in particular. I would urge you to change the user creation screen to include some text to say what the password rules actually are to avoid putting people off.
« Last Edit: July 28, 2025, 12:39:29 PM by evilmrb »

Offline TerryF

Re: Password policy is a puzzle on SME Server 11 beta
« Reply #1 on: July 27, 2025, 12:13:25 PM »
Noted, thank you for testing and feedback.

You can reset the strength back to the old setting if needed.
--
qui scribit bis legit

Offline ReetP

Re: Password policy is a puzzle on SME Server 11 beta
« Reply #2 on: July 27, 2025, 01:51:03 PM »
You can check the AdminLTE theme too for something more bootstrapy.

Password length increased because it's 2025 and things have changed, but yes, the language files & messages are still WIP, so noted.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline brianr

Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Password policy is a puzzle on SME Server 11 beta
« Reply #4 on: July 28, 2025, 11:28:15 AM »
As per https://bugs.koozali.org/show_bug.cgi?id=12991

Password rules:
none:           Minimum length only.
normal:         Minimum length, at least one uppercase and one lowercase letter.
intermediate:   Minimum length, at least one uppercase, one lowercase letter, and one number.
strong:         Minimum length, at least one uppercase, one lowercase letter, one number, one special character, and dictionary check.

The minimum password length can be set; the default is 12.

We removed the initial obligation for specific characters. It does not help that much against brute force and limits the ability of users to remember the password, which reduces its strength.

See https://www.hivesystems.com/blog/are-your-passwords-in-the-green

If using lowercase only, this is good for years. Of course, if you use digits only, it is way less efficient.
« Last Edit: July 28, 2025, 11:34:58 AM by Jean-Philippe Pialasse »
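Added example, not part of the thread and not SME Server's own code: a sketch of the four strength levels listed in Reply #4 that reports which rule a password failed, plus the search-space arithmetic behind the length-over-character-classes argument. The function names, the sample word list, the substring-style dictionary check and the use of ASCII punctuation as "special characters" are assumptions.

```python
import math
import string

# Constructed stand-in word list; the thread does not describe the real dictionary check.
SAMPLE_DICTIONARY = {"password", "letmein", "welcome", "koozali"}

# Character classes each level requires, as listed in Reply #4.
LEVELS = {
    "none": [],
    "normal": ["upper", "lower"],
    "intermediate": ["upper", "lower", "digit"],
    "strong": ["upper", "lower", "digit", "special"],
}

# Assumption: "special character" means ASCII punctuation.
CLASSES = {
    "upper": (string.ascii_uppercase, "an uppercase letter"),
    "lower": (string.ascii_lowercase, "a lowercase letter"),
    "digit": (string.digits, "a number"),
    "special": (string.punctuation, "a special character"),
}


def check_password(password, level="none", min_length=12):
    """Return the list of rules the password fails; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"must be at least {min_length} characters")
    for name in LEVELS[level]:
        chars, label = CLASSES[name]
        if not any(c in chars for c in password):
            problems.append(f"must contain {label}")
    if level == "strong":
        lowered = password.lower()
        if any(word in lowered for word in SAMPLE_DICTIONARY):
            problems.append("must not contain a dictionary word")
    return problems


def keyspace_bits(length, alphabet_size):
    """Exhaustive-search space in bits: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(check_password("correcthorsebattery", "normal"))
    print(round(keyspace_bits(12, 26), 1), "bits: 12 lowercase letters")
    print(round(keyspace_bits(12, 10), 1), "bits: 12 digits")
    # Assumption: 95 printable ASCII characters for the old 7-character case.
    print(round(keyspace_bits(7, 95), 1), "bits: 7 printable ASCII characters")
```

Returning the failed rules as text is what lets a user creation form say which requirement was missed instead of only rejecting the password.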