Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

As a Super User, I want to force all users to use strong, secure passwords for their Matomo account #19961

Open
mattab opened this issue Nov 7, 2022 · 0 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Enhancement For new feature suggestions that for example enhance Matomo's cabapilities..

Comments

@mattab
Copy link
Member

mattab commented Nov 7, 2022

As a Super User, I want to force all users to use strong, secure passwords for their Matomo account.

This is important as it will help increase the security of the data stored in Matomo.
By ensuring that all users have strong passwords, and that they are forced to set a strong password.

Potential solution:

  • A new General setting, "Force all users to set a strong, secure password. " (<- confirm wording + inline help microcopy)
  • where to put the setting? Ideally we would merge "Login" and "TwoFactorAuth" sections (in "General settings" page) into one section "Login & Security" that would have all settings nicely in one section?

By default, we should use an existing/standard set of strong password checks.
How much do we let super users customise the password policy details (number of min chars, etc. etc.)?

Here is what it looks like in discourse, which would be a great place to start:
image

Here is the text version:

min password length
Minimum password length.

min admin password length
Minimum password length for Admin.

password unique characters
Minimum number of unique characters that a password must have.

block common passwords
Don't allow passwords that are in the 10,000 most common passwords.

Other notes:

Out of scope:

  • Force people to change their password every X weeks is not included in this scope

This feature will be combined with other changes:

@mattab mattab added Enhancement For new feature suggestions that for example enhance Matomo's cabapilities.. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. labels Nov 7, 2022
@mattab mattab added this to the Impact Backlog milestone Nov 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Enhancement For new feature suggestions that for example enhance Matomo's cabapilities..
Projects
None yet
Development

No branches or pull requests

1 participant