Merge pull request #8600 from creative-commoners/pulls/4.3/password-validator-docs

DOCS Update documentation for password validation rule configuration
This commit is contained in:
Andre Kiste 2018-11-14 12:22:45 +13:00 committed by GitHub
commit d1823665e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -549,23 +549,50 @@ salt values generated with the strongest entropy generators available on the pla
(see [RandomGenerator](api:SilverStripe\Security\RandomGenerator)). This prevents brute force attacks with (see [RandomGenerator](api:SilverStripe\Security\RandomGenerator)). This prevents brute force attacks with
[Rainbow tables](http://en.wikipedia.org/wiki/Rainbow_table). [Rainbow tables](http://en.wikipedia.org/wiki/Rainbow_table).
Strong passwords are a crucial part of any system security. Strong passwords are a crucial part of any system security. So in addition to storing the password in a secure fashion,
So in addition to storing the password in a secure fashion, you can also enforce specific password policies by configuring a
you can also enforce specific password policies by configuring [PasswordValidator](api:SilverStripe\Security\PasswordValidator). This can be done through a `_config.php` file
a [PasswordValidator](api:SilverStripe\Security\PasswordValidator): at runtime, or via YAML configuration.
From SilverStripe 4.3 onwards, the default password validation rules are configured in the framework's `passwords.yml`
file. You will need to ensure that your config file is processed after it. For SilverStripe <4.3 you will need to
use a `_config.php` file to modify the class's config at runtime (see `_config.php` installed in your mysite/app folder
if you're using silverstripe/recipe-core).
```php ```yaml
use SilverStripe\Security\Member; ---
use SilverStripe\Security\PasswordValidator; Name: mypasswords
After: '#corepasswords'
---
SilverStripe\Core\Injector\Injector:
SilverStripe\Security\PasswordValidator:
properties:
MinLength: 7
HistoricCount: 6
MinTestScore: 3
$validator = new PasswordValidator(); # In the case someone uses `new PasswordValidator` instead of Injector, provide some safe defaults through config.
$validator->minLength(7); SilverStripe\Security\PasswordValidator:
$validator->checkHistoricalPasswords(6); min_length: 7
$validator->characterStrength(3, ["lowercase", "uppercase", "digits", "punctuation"]); historic_count: 6
Member::set_password_validator($validator); min_test_score: 3
``` ```
### Configuring custom password validator tests
The default password validation character strength tests can be seen in the `PasswordValidator.character_strength_tests`
configuration property. You can add your own with YAML config, by providing a name for it and a regex pattern to match:
```yaml
SilverStripe\Security\PasswordValidator:
character_strength_tests:
contains_secret_word: '/1337pw/'
```
This will ensure that a password contains `1337pw` somewhere in the string before validation will succeed.
### Other options
In addition, you can tighten password security with the following configuration settings: In addition, you can tighten password security with the following configuration settings:
* `Member.password_expiry_days`: Set the number of days that a password should be valid for. * `Member.password_expiry_days`: Set the number of days that a password should be valid for.