From 9ab6fb0efd1c9a35d5d6e44226cce6fd7f5189a7 Mon Sep 17 00:00:00 2001 From: Karla Felix Date: Thu, 4 Apr 2024 13:17:13 -0300 Subject: [PATCH] Enforce new password rules to keystone accounts This review will be enforcing new password rules to Keystone accounts, the new rules are: - Minimum 12 characters - At least 1 Uppercase letter - At least 1 number - At least 1 special character - Cannot reuse past 5 passwords Signed-off-by: Karla Felix --- debian/stx/password-rules.conf | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/debian/stx/password-rules.conf b/debian/stx/password-rules.conf index ac18ef9..2e1a7ff 100644 --- a/debian/stx/password-rules.conf +++ b/debian/stx/password-rules.conf @@ -18,20 +18,23 @@ # feature, values must be greater than 1. This feature depends on the `sql` # backend for the `[identity] driver`. (integer value) # Minimum value: 1 -unique_last_password_count = 3 +unique_last_password_count = 5 # The regular expression used to validate password strength requirements. By # default, the regular expression will match any password. The following is an # example of a pattern which requires at least 1 letter, 1 digit, and have a -# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature +# minimum length of 12 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{12,}$ This feature # depends on the `sql` backend for the `[identity] driver`. (string value) -password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{7,}$ +password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{12,}$ # Describe your password regular expression here in language for humans. If a # password fails to match the regular expression, the contents of this # configuration variable will be returned to users to explain why their # requested password was insufficient. (string value) -password_regex_description = Password must have a minimum length of 7 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character +password_regex_description = Password must have a minimum length of 12 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character + +# Specifies the number of days after which passwords expire and must be changed. +password_expires_days = 90 # The number of seconds a user account will be locked when the maximum number # of failed authentication attempts (as specified by `[security_compliance] -- 2.34.1