Is it possible to allow weak passwords (control password policy) with Fief?

[yaroslaff]

I believe high requirements for passwords are not always good and improves security - sometimes it's very bad:

• it's hard in testing. I may want to use password "12345" until I put service in production. And this is best password for development :-)
• users are forgetting their complex passwords and lose access to service (recovery is time-consuming and sometimes not possible)
• users do not like to invent complex passwords and may just decide not to register if this is painful
• users may need to write passwords on post-it or in public notes like rentry.co or telegra.ph
• if user wants to use his secure password like "Hor$eBA++ERY" but we require digits, user will just use his 2nd choice password "horse11111"

And this is not just my opinion, NIST recommendations agrees with me (Q-B05 and Q-B06): https://pages.nist.gov/800-63-FAQ/#q-b05

I'm not putting it into "Ideas" category because I'm not sure if Fief already has this feature or not.

So, I have an question: Is it possible to disable/configure password strength check in Fief, maybe make zxcvbn_rs_py check optional?
If not - is it worth to implement it? Maybe I'd try to make patch with this feature.

[fief-bailiff[bot]]

Hail, @yaroslaff 👋 Welcome to Fief's kingdom!

Our team will get back to you very soon to help.

In the meantime, take a minute to star our repository ⭐️

Farewell!

[frankie567]

Hi @yaroslaff 👋

I completely agree with you that too complex passwords rules are not a good idea. That said, allowing 12345 or abc is probably not a good idea neither.

The nice thing with the zxcvbn algorithm is that it doesn't enforce rules but compute a password complexity. So the password iamaverylongpassword is considered a Good password because of its length.

That said, I'm open to add a configuration variable to disable the strength enforcement in local dev.

[yaroslaff]

I did this change on my local fief, and want to discuss it before sending pull request.
I added two variables to Settings:

    password_min_length: int = 8
    password_min_score: int = 3

(which could be overriden from .env if needed, but if these variables are not set, fief is working as before). And I did changes in PasswordValidation class which now uses values from settings for MIN_PASSWORD_LENGTH and MIN_PASSWORD_STRENGTH_SCORE instead of hardcoded values.

Now I reach my goal - I can manage password strength requirements as I want. First question: Does this looks good for you and I can clean-up and prepare pull request or should I make it some other way?

And other question to discuss:
As I see, password strength is used in fief/templates/macros/forms.html, where it's "Weak" (<=2), then Acceptable (score==3) or "Good" (score==4). So, if fief is configured to allow passwords with score==2, User still see "Weak" and red "progress bar" (but in fact "Change password" button would work for him and set new password). Maybe (in this patch or in next patch) we should have two indicators? e.g progress bar works like advice/recommendation about password strength, but also some other indicator (red/green traffic light or enabled/disabled "change password" button) to indicate, when password (maybe weak password) is really acceptable. So UI gentle recommends user to make stronger password, but does not pushes him if password matches some minimal requirements.

[frankie567]

So, if I understand you correctly, you defined settings for the following variables:

fief/fief/services/password.py

Lines 7 to 9 in 868f9eb

	MIN_PASSWORD_LENGTH = 8
	MAX_PASSWORD_LENGTH = 128
	MIN_PASSWORD_STRENGTH_SCORE = 3

That's interesting indeed. I would welcome a PR with this.

Regarding the UI, I don't think it's required to do something for now. I'm OK with having the red bar and gives the feedback that the password is allowed or not only on submission.