feat: enforce minimum password length of 8 characters with warning#1874
Open
jlima8900 wants to merge 1 commit intoKeeper-Security:masterfrom
Open
feat: enforce minimum password length of 8 characters with warning#1874jlima8900 wants to merge 1 commit intoKeeper-Security:masterfrom
jlima8900 wants to merge 1 commit intoKeeper-Security:masterfrom
Conversation
The $GEN password generator previously allowed passwords as short as 4 characters. This raises the minimum to 8 (NIST SP 800-63B) and logs a warning when the requested length is below minimum, so users with legacy system constraints see what happened. Changes: - Raise minimum from 4 to 8 for rand algorithm - Log warning when requested length is clamped - Update help text examples to use $GEN (default length 20) - Fix typo in help text (algorith → algorithm) - Document character types included by default The default length (20) and maximum (200) are unchanged. The dice and crypto algorithms are unaffected.
jlima8900
force-pushed
the
feat/password-generator-minimum
branch
from
d7b0dea to
75b1bd0
Compare
jlima8900
changed the title
Author
|
Note on enterprise password policy:
This PR raises the hardcoded floor from 4 to 8 as a safety net, but the deeper fix would be for That's a larger change (requires |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
$GENpassword generator allows passwords as short as 4 characters. This raises the minimum to 8 and logs a warning when the length is clamped.Changes
$GEN:rand,16→$GEN(uses default 20)diceandcryptoalgorithms unaffectedWhy 8, not 16
Legacy systems (mainframes, older databases, some LDAP implementations) enforce max password lengths of 8-14 characters. Setting minimum to 16 would make Commander unusable for those systems. 8 is the NIST SP 800-63B baseline and accommodates legacy constraints while eliminating trivially weak passwords.
The warning ensures users know when their requested length was adjusted.
Test plan
$GENgenerates 20-character password (default, unchanged)$GEN:rand,24generates 24-character password$GEN:rand,6generates 8-character password + logs warning$GEN:rand,4generates 8-character password + logs warning$GEN:rand,8generates 8-character password, no warning$GEN:dice,5unaffected$GEN:cryptounaffected