From The Mana World

Thoughts about password policies (discussion @ #tmwdev 2008-08-21)

Configure and enforce password policies between tmwserv and tmwweb:

Both modules, tmwserv and tmwweb, should use the same policies to check and enforce passwords. It is therefore natural to configure those policies in one common place.

Suggestion: use the tmwserv XML config file and add a section for password policies.

Here is a list of policies that should be supported and configurable by the server admin:

  • minimum and maximum length of a password
  • minimum amount of capital letters
  • minimum amount of lowercase letters
  • minimum amount of special characters
  • list of valid chars, to prevent special chars like tab, or simply a predefined ASCII range of allowed chars
  • blacklist of passwords

I have no idea of how the plans look, how the discussions go. Though, if non-Latin scripts are/should be allowed (Unicode), a thought needs to be given to the fact that it is fairly uncommon in the scripts of this world to make a difference between capital and lowercase letters. Perhaps combine the two letter rules into one, and if more are needed, instead add a rule of minimum amount of digits (which again may or may not be different for various scripts/languages). Also, if non-Latin Unicode is supported, what you mean by the length of the password needs to be defined, as various characters may need different amounts of bytes to be represented... --kess 19:47, 21 August 2008 (CEST)
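
An added example, not tmwserv or tmwweb code: a policy checker that reads the rules listed above from an XML section and applies them, counting length in normalized code points rather than bytes. The element and attribute names (`password-policy`, `min-length`, `allowed-range`, and so on) and the sample values are assumptions made for this sketch, not the project's configuration schema.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample config. Element and attribute names are hypothetical,
# not tmwserv's real configuration schema.
SAMPLE_CONFIG = """<configuration>
  <password-policy min-length="8" max-length="32" min-upper="1"
                   min-lower="1" min-special="1" allowed-range="0x20-0x7E">
    <blacklist><entry>password1!</entry><entry>Passw0rd!</entry></blacklist>
  </password-policy>
</configuration>"""

def load_policy(xml_text):
    """Parse the (hypothetical) password-policy section into a dict."""
    node = ET.fromstring(xml_text).find("password-policy")
    lo, hi = (int(x, 16) for x in node.get("allowed-range").split("-"))
    policy = {k: int(node.get(k.replace("_", "-"))) for k in
              ("min_length", "max_length", "min_upper", "min_lower", "min_special")}
    policy["allowed"] = range(lo, hi + 1)
    # Blacklist entries are compared case-insensitively.
    policy["blacklist"] = {e.text.casefold() for e in node.iter("entry")}
    return policy

def check_password(password, policy):
    """Return the names of violated rules; an empty list means accepted."""
    # Normalize to NFC so the same visible text always has the same length,
    # then measure length in code points, never in encoded bytes.
    pw = unicodedata.normalize("NFC", password)
    errors = []
    if not policy["min_length"] <= len(pw) <= policy["max_length"]:
        errors.append("length")
    if any(ord(c) not in policy["allowed"] for c in pw):
        errors.append("charset")
    counts = {"upper": 0, "lower": 0, "special": 0}
    for c in pw:
        cat = unicodedata.category(c)
        if cat == "Lu":
            counts["upper"] += 1
        elif cat == "Ll":
            counts["lower"] += 1
        elif cat[0] not in "LN":  # neither a letter nor a digit
            counts["special"] += 1
    errors += [k for k in counts if counts[k] < policy["min_" + k]]
    if pw.casefold() in policy["blacklist"]:
        errors.append("blacklist")
    return errors

POLICY = load_policy(SAMPLE_CONFIG)
```

Letters from scripts without case (Unicode category `Lo`) count toward neither the capital nor the lowercase rule here, so a server that widens `allowed-range` beyond ASCII would also need to set those minimums to 0 or replace them with a single letter rule.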