# Password Policies
A password policy defines different limitations for passwords and therefore has an impact on their creation process and security.
A07:2021# Background
# Context
Password policies define different specifications for user passwords. A variety of these specifications can be found in the following sources:
The following requirements could be elaborated.
| Requirement | Possible implementation through a library? |
|---|---|
| Password is at least 12 characters long | ✔️ |
| Password can have a length of at least 64 and up to 128 characters | ✔️ |
| No password pruning | ❌ |
| Allow all unicode characters | ✔️ |
| Password should not be under the most common ones | ❌ |
| Password-Strength-Meter should support strong passwords | ✔️ |
| Historic passwords don't influence new ones | ❌ |
| No periodical password changing enforced | ✔️ |
Further requirements for the management of passwords which generally can not be implemented by libraries:
- Browser password manager should be supported
- Password-fields should offer a possibility to view the password again
- User should be allowed to change their passwords
# Problems
- The implementation of the above mentioned requirements
- No all-in-one solution through frameworks and libraries
# Solution
- Usage of Third-Party Apps like Keycloak (opens new window)
- Custom configuration of libraries or regular expressions. Not recommended!
# Technology
DANGER
In order to fullfil the above requirements, a high level of configuration of the developer is required. Therefore: Use third-party apps which solve these issues!
# Node.js Libraries
- The libraries password-sheriff (opens new window) and password-validator (opens new window) are the most popular libraries to define a password policy. However, they only offer a framework to define own policies without any Security by Default.
- zxcvbn (opens new window) is one of the most known and also by the literature (opens new window) recommended library to evaluate the strength of passwords. The usage of this library is recommended since it offers Security by Default.
- Libraries to check passwords against often used ones exist with dumb-passwords (opens new window) being the most popular one. Even so, it was not updated since 2016 and is therefore not recommended.
TIP
To solve this problem, the usage of APIs like for example haveibeenpwned (opens new window) is recommended.
# Java
- As seen in Node.js, Java also offers a library to define password policies. The library is called Passay (opens new window) and suffers from the same issues as seen above.
- Furthermore, the Password-Strength-Meter library zxcvbn4j (opens new window) can and should be used.