Password Rules #202
Comments
I've had this request before, and the difficulty is that we would have to apply the same rules to the password reset page or the user would be able to change their password and the custom rules on registration would not apply. The password reset page is served from the API, not the shiny app. Some possible workarounds:
I'm leaning towards option 2. Would that work in your case? Another possible solution would be to avoid passwords altogether, and enable email link sign in, where, each time you sign in, all you enter is your email address (no passwords involved ever). Each time you enter your email to sign in, you get an email with a link that you click to sign in. I think I would rather set this up than either of the password difficulty workarounds. Would this pass your security audit?
For our current requirements, we simply need to indicate that the passwords for Polished.tech are strong/complex. Option 2 would reinforce this and allow us more customization if necessary, but my guess is that Polished's defaults are good enough. The no-password solutions would also likely work around our security audit, but we are less apt to adopt that so that users don't need to check their email at each login (is that the behavior that would result?)
@merlinoa Is it possible to enforce some password rules for password creation? We're doing a security audit and wanted to know if we can enforce a standard or see what the Polished standard is (e.g. length, complexity, special chars). @assanstreamline