Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[5.8] Change password min length to 8 #25957

Merged

Conversation

Projects
None yet
7 participants
@jakebathman
Copy link
Contributor

jakebathman commented Oct 5, 2018

This PR updates the default minimum password length to be 8 (the current default is 6).

⚠️ Note: this requires a companion PR laravel/laravel#4794 in order to update the registration controller and password reset language lines.

Last year, NIST published new standards on memorized secrets (i.e. user passwords), stipulating in Section 5.1.1.1:

Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber.

Password length is only a part of a security strategy employed by the framework, but the move to an 8-character minimum is long overdue.

Please let me know if there are any questions or comments. Thanks!

Update from 6 to 8
- Update the validation method in `PasswordBroker` to check against length of 8
- Update `ResetsPasswords` `rules()` method to use validation rule `min:8`
- Change test method name and example password in `AuthPasswordBrokerTest` to reflect new minimum length

@taylorotwell taylorotwell merged commit a31deba into laravel:master Oct 5, 2018

2 checks passed

continuous-integration/styleci/pr The analysis has passed
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

@jakebathman jakebathman deleted the jakebathman:change-password-min-length-to-8 branch Oct 5, 2018

@GrahamCampbell GrahamCampbell changed the title [5.8] Change password min length to 8 [5.7] Change password min length to 8 Oct 6, 2018

@GrahamCampbell

This comment has been minimized.

Copy link
Member

GrahamCampbell commented Oct 6, 2018

You sent this 5.7 here, but framework was 5.8.

@X-Coder264

This comment has been minimized.

Copy link
Contributor

X-Coder264 commented Oct 6, 2018

@GrahamCampbell What do you mean? This was merged into the framework master branch only (which is 5.8) so I don't understand why did you rename the title from 5.8 to 5.7 as this change is not on the 5.7 branch.

@ankurk91

This comment has been minimized.

Copy link
Contributor

ankurk91 commented Oct 7, 2018

@GrahamCampbell

Can you please rename the PR title to [5.8] because it was merged to master branch.

@jakebathman jakebathman changed the title [5.7] Change password min length to 8 [5.8] Change password min length to 8 Oct 8, 2018

@jakebathman

This comment has been minimized.

Copy link
Contributor Author

jakebathman commented Oct 8, 2018

Changed back to [5.8] since this PR targeted master (which will be 5.8 when it's tagged), and does not target the current 5.7 branch.

@GrahamCampbell

This comment has been minimized.

Copy link
Member

GrahamCampbell commented Oct 11, 2018

Changed back to [5.8] since this PR targeted master (which will be 5.8 when it's tagged), and does not target the current 5.7 branch.

The PR to laravel/laravel targetted it's master though, which is 5.7. Develop is 5.8.

@jakebathman

This comment has been minimized.

Copy link
Contributor Author

jakebathman commented Oct 15, 2018

The PR to laravel/laravel targeted develop:

screen shot 2018-10-15 at 10 50 33 am

That's equivalent to 5.8 in that repo. In this one (laravel/framework) master is the target for 5.8.

@GrahamCampbell

This comment has been minimized.

Copy link
Member

GrahamCampbell commented Oct 15, 2018

Ah, perfect. 👍

@ankurk91

This comment has been minimized.

Copy link
Contributor

ankurk91 commented Feb 24, 2019

@driesvints
Do you think that this changes should be documented in 5.8 upgrade guide?
https://laravel.com/docs/master/upgrade

driesvints added a commit to driesvints/docs that referenced this pull request Feb 25, 2019

Document default password length change
Introduced by laravel/framework#25957

Low impact because should only happen when choosing or changing your password.
@driesvints

This comment has been minimized.

Copy link
Member

driesvints commented Feb 25, 2019

@tylernathanreed

This comment has been minimized.

Copy link

tylernathanreed commented Mar 1, 2019

@GrahamCampbell @jakebathman

Since this is security related, will this change be back-ported to 5.5?

@GrahamCampbell

This comment has been minimized.

Copy link
Member

GrahamCampbell commented Mar 1, 2019

No, this is a not a security patch. It's a breaking change to some validation code only.

hkan added a commit to laravel-tr/Laravel5-lang that referenced this pull request Mar 7, 2019

kw-pr added a commit to kw-pr/Laravel-lang that referenced this pull request Mar 8, 2019

kw-pr added a commit to kw-pr/Laravel-lang that referenced this pull request Mar 8, 2019

caouecs added a commit to caouecs/Laravel-lang that referenced this pull request Mar 9, 2019

caouecs added a commit to caouecs/Laravel-lang that referenced this pull request Mar 9, 2019

Tjoosten added a commit to Activisme-be/Spoon that referenced this pull request Mar 10, 2019

caouecs added a commit to caouecs/Laravel-lang that referenced this pull request Mar 17, 2019

caouecs added a commit to caouecs/Laravel-lang that referenced this pull request Mar 17, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.