Allow additional words to be added to the disallowed password dictionary
Problem
Per current NIST password recommendations, context-specific passwords should be disallowed - for example the application name, the site URL, etc.
Solution
I would like a password requirements option to define additional words that are not allowed in passwords - where I could add my company name, my company website, etc. These additional words could be checked against in the same way breached passwords are checked against when verifying a new password is valid.
Additional context
NIST recommendation - this is a subset of point 4, and an extension of ticket #2733:
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
Passwords obtained from previous breach corpuses.
Dictionary words.
Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
Context-specific words, such as the name of the service, the username, and derivatives thereof.
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
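As an added illustration of the check this request describes (example code written for this page, not FusionAuth's own implementation), the following Python module rejects a prospective password when it contains a configured context word, the username, or a simple derivative of either. The word list, the username, the normalization rules (case folding, a small leet-substitution table, stripping punctuation) and the minimum token length are all assumptions chosen here; the NIST text only says derivatives must be considered, not how.

```python
"""Context-specific disallowed-word check for new passwords.

Added example, not FusionAuth code. Implements the "context-specific words,
such as the name of the service, the username, and derivatives thereof"
item from NIST SP 800-63B 5.1.1.2 with a deliberately simple notion of
"derivative": case changes, common leet substitutions, punctuation, and
reversal of a token.
"""
import re
import unicodedata

# Constructed sample configuration (assumption). In a real deployment these
# would come from the tenant's password settings, alongside the breached
# password list the issue mentions.
DISALLOWED_CONTEXT_WORDS = ["ExampleCorp", "example-corp.com", "ExampleApp"]

# Common substitutions that turn a word into a trivially derived form.
# This table is an assumption; extend it to taste.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Fragments shorter than this are ignored so that a TLD such as "com" or a
# three-letter initial does not reject unrelated passwords.
MIN_TOKEN_LEN = 4


def normalize(text):
    """Case-fold, undo leet substitutions and drop anything non-alphanumeric."""
    text = unicodedata.normalize("NFKC", text).casefold()
    text = text.translate(LEET_MAP)
    return re.sub(r"[^a-z0-9]", "", text)


def context_tokens(words, username=None):
    """Expand the configured words plus the username into the set of
    normalized substrings that must not appear in a password.

    Each value contributes itself (e.g. "examplecorpcom") and its
    punctuation-separated parts (e.g. "example", "corp"), so that a user
    cannot dodge the check by using only half of the domain name.
    """
    tokens = set()
    sources = list(words) + ([username] if username else [])
    for value in sources:
        parts = re.split(r"[^A-Za-z0-9]+", value)
        for candidate in [value, *parts]:
            norm = normalize(candidate)
            if len(norm) >= MIN_TOKEN_LEN:
                tokens.add(norm)
    return tokens


def find_context_violation(password, words, username=None):
    """Return the offending token if the normalized password contains a
    context token (or its reverse), otherwise None.

    Longest tokens are tested first so the most specific match is reported;
    the tie-break on the token text keeps the result deterministic.
    """
    norm_pw = normalize(password)
    for token in sorted(context_tokens(words, username), key=lambda t: (-len(t), t)):
        if token in norm_pw or token[::-1] in norm_pw:
            return token
    return None


def is_password_allowed(password, words=DISALLOWED_CONTEXT_WORDS, username=None):
    """Convenience wrapper: True when no context-specific word is present."""
    return find_context_violation(password, words, username) is None


if __name__ == "__main__":
    # Constructed sample inputs (assumption), not real credentials.
    user = "jane.doe@example-corp.com"
    for candidate in ["Ex@mpleC0rp#2024!", "Jane2024Rocks",
                      "procelpmaxe123", "CorrectHorseBatteryStaple"]:
        hit = find_context_violation(candidate, DISALLOWED_CONTEXT_WORDS, user)
        print(f"{candidate!r}: {'rejected (' + hit + ')' if hit else 'ok'}")
```

In a verifier this check would run beside the breached-password lookup the issue refers to, and the rejection message should name the rule ("contains the service name") without echoing the password back. The substitution table and minimum token length are the two knobs that trade strictness against false rejections; a short company name or an initialism may need a longer minimum or an exact-word rule rather than substring matching.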
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.