feat: enforce minimum password length of 8 characters with warning #1874
jlima8900 wants to merge 1 commit into Keeper-Security:master from
Conversation
The $GEN password generator previously allowed passwords as short as 4 characters. This raises the minimum to 8 (NIST SP 800-63B) and logs a warning when the requested length is below minimum, so users with legacy system constraints see what happened.

Changes:
- Raise minimum from 4 to 8 for rand algorithm
- Log warning when requested length is clamped
- Update help text examples to use $GEN (default length 20)
- Fix typo in help text (algorith → algorithm)
- Document character types included by default

The default length (20) and maximum (200) are unchanged. The dice and crypto algorithms are unaffected.
d7b0dea to 75b1bd0
Note on enterprise password policy:
This PR raises the hardcoded floor from 4 to 8 as a safety net, but the deeper fix would be for That's a larger change (requires
don't submit PRs against master, do it against release branch instead
Summary

The $GEN password generator allows passwords as short as 4 characters. This raises the minimum to 8 and logs a warning when the length is clamped.

Changes
- $GEN:rand,16 → $GEN (uses default 20)
- dice and crypto algorithms unaffected

Why 8, not 16
Legacy systems (mainframes, older databases, some LDAP implementations) enforce max password lengths of 8-14 characters. Setting minimum to 16 would make Commander unusable for those systems. 8 is the NIST SP 800-63B baseline and accommodates legacy constraints while eliminating trivially weak passwords.
The warning ensures users know when their requested length was adjusted.
Test plan
- $GEN generates 20-character password (default, unchanged)
- $GEN:rand,24 generates 24-character password
- $GEN:rand,6 generates 8-character password + logs warning
- $GEN:rand,4 generates 8-character password + logs warning
- $GEN:rand,8 generates 8-character password, no warning
- $GEN:dice,5 unaffected
- $GEN:crypto unaffected
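The clamp-and-warn behaviour in the test plan above, written out as an added, self-contained example; this is not Commander's own code, and the function names (parse_gen_spec, resolve_length, generate_random_password, generate), the four character classes used for the rand algorithm, and the choice to warn when a length above the 200 maximum is clamped are all assumptions made for the illustration. The dice and crypto algorithms are deliberately not modelled, since the PR leaves them unchanged.

```python
import logging
import random
import secrets
import string

logger = logging.getLogger(__name__)

# Limits taken from the PR description: floor raised 4 -> 8, default 20, max 200.
MIN_RAND_LENGTH = 8
DEFAULT_LENGTH = 20
MAX_LENGTH = 200

# Assumed character classes for the rand algorithm (the PR only says the
# default types are documented, not which they are).
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

_sysrand = random.SystemRandom()  # CSPRNG-backed shuffle


def parse_gen_spec(spec):
    """Parse a $GEN spec ('$GEN', '$GEN:rand,24', '$GEN:dice,5', '$GEN:crypto')
    into (algorithm, requested_length_or_None). Hypothetical parser."""
    if not spec.startswith("$GEN"):
        raise ValueError("not a $GEN spec: %r" % spec)
    rest = spec[len("$GEN"):]
    if rest == "":
        return "rand", None
    if not rest.startswith(":"):
        raise ValueError("malformed $GEN spec: %r" % spec)
    parts = rest[1:].split(",")
    algorithm = parts[0].strip().lower()
    length = None
    if len(parts) > 1 and parts[1].strip():
        length = int(parts[1].strip())
    return algorithm, length


def resolve_length(algorithm, requested):
    """Return (effective_length, warned). Only the rand algorithm is clamped;
    other algorithms pass their length through untouched."""
    if algorithm != "rand":
        return requested, False
    if requested is None:
        return DEFAULT_LENGTH, False
    if requested < MIN_RAND_LENGTH:
        logger.warning("Requested password length %d is below the minimum; "
                       "using %d instead", requested, MIN_RAND_LENGTH)
        return MIN_RAND_LENGTH, True
    if requested > MAX_LENGTH:  # assumption: the cap is also reported
        logger.warning("Requested password length %d exceeds the maximum; "
                       "using %d instead", requested, MAX_LENGTH)
        return MAX_LENGTH, True
    return requested, False


def generate_random_password(length):
    """Build a password of exactly `length` characters that contains at least
    one character from every class, using the secrets module throughout."""
    if length < len(CHARACTER_CLASSES):
        raise ValueError("length too short to cover every character class")
    chars = [secrets.choice(cls) for cls in CHARACTER_CLASSES]
    alphabet = "".join(CHARACTER_CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    _sysrand.shuffle(chars)  # hide which positions carried the guaranteed classes
    return "".join(chars)


def generate(spec):
    """Resolve a $GEN spec to (password, warned) for the rand algorithm."""
    algorithm, requested = parse_gen_spec(spec)
    length, warned = resolve_length(algorithm, requested)
    if algorithm != "rand":
        raise NotImplementedError("dice/crypto are outside this example")
    return generate_random_password(length), warned


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for spec in ("$GEN", "$GEN:rand,24", "$GEN:rand,6", "$GEN:rand,8"):
        password, warned = generate(spec)
        print("%-14s -> %d chars, warned=%s" % (spec, len(password), warned))
```

Running the block prints the effective length and whether a warning was emitted for each spec in the test plan that exercises the rand path; the clamp lives in resolve_length so it can be unit-tested separately from the random generation.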