Allow enforcing minimum password strength #29913
is there any due date for this?

Is this coming (ever) for this security-conscious product from a security-savvy company?

Has this issue been resolved/fixed in the current release?

For users that require password policies, the best solution is to rely on an external identity provider instead of using the native realm. The native realm is generally used to get started or for simple scenarios, and it's not optimal for enterprise environments. For example, users can be managed via LDAP or via SSO, using identity providers that have password policy options that can be enforced.

I have a use case where we have both a small number of locally configured user accounts and also have AD integration. But more importantly my customer requires from a compliance standpoint that we need the local accounts to have some level of password complexity as well as having the passwords expire after a period of time. This isn't for the built-in accounts but for anything that would be used by a local admin/user; these accounts exist in the event there is an issue with AD authentication.

The implementation of a password policy for users is currently a pressing need. It is especially relevant for the Elastic SIEM solution, as it directly impacts audit compliance. We kindly request the addition of a feature to configure password policies for users.

Any progress on password policy?
Original comment by @loekvangool:
We should allow administrators to add more requirements to passwords. We now (5.0.0) enforce a minimum length of 6 (at least in UI), but many enterprises require more.
Taking inspiration from Wikipedia, we could support:
I'm proposing that out of these we at least add support for 1, 2, 3. Bonus kudos if we support LINK REDACTED, which basically means: if the password reaches a minimum length of, say, 20, drop the other rules.
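One way the proposed policy could be expressed, as an added illustration and not code from Elasticsearch or from this issue: a configurable minimum length, a set of composition rules (assumed here, since the thread's numbered list is not reproduced on the page), the "a long enough password drops the other rules" option, and the expiry that the compliance comment asks for. Class and field names and the thresholds in the sample are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
import string


@dataclass
class PasswordPolicy:
    """Configurable policy along the lines the thread proposes (constructed example)."""
    min_length: int = 6                         # the 5.0.0 UI minimum mentioned in the thread
    require_upper: bool = False                 # composition rules are assumed; the thread's
    require_digit: bool = False                 # numbered list is not reproduced on the page
    require_special: bool = False
    long_password_waiver: Optional[int] = None  # at this length, composition rules are dropped
    max_age_days: Optional[int] = None          # expiry, as the compliance comment asks for

    def check(self, password: str, age_days: Optional[int] = None) -> List[str]:
        """Return the violated rules; an empty list means the password is accepted."""
        problems: List[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        # The "drop the other rules" option: a long enough passphrase skips composition checks.
        waived = self.long_password_waiver is not None and len(password) >= self.long_password_waiver
        if not waived:
            if self.require_upper and not any(c.isupper() for c in password):
                problems.append("no uppercase letter")
            if self.require_digit and not any(c.isdigit() for c in password):
                problems.append("no digit")
            if self.require_special and not any(c in string.punctuation for c in password):
                problems.append("no special character")
        # Expiry is checked from the caller-supplied age so the policy stays clock-independent.
        if self.max_age_days is not None and age_days is not None and age_days > self.max_age_days:
            problems.append(f"older than {self.max_age_days} days")
        return problems


if __name__ == "__main__":
    # Constructed sample: an enterprise-style policy for the native realm's local accounts.
    policy = PasswordPolicy(min_length=12, require_upper=True, require_digit=True,
                            require_special=True, long_password_waiver=20, max_age_days=90)
    for pw in ["short1!", "Correct#Horse9", "correct horse battery staple"]:
        print(f"{pw!r}: {policy.check(pw) or 'ok'}")
    print("stale:", policy.check("Correct#Horse9", age_days=120))
```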