documentation:self-service-password:latest:config_ppolicy [2018/06/27 10:56] (current)
====== Password policy ======

<note>Configuration file: ''self-service-password/conf/config.inc.local.php''</note>

===== Hashing =====

You can use these schemes to hash the password before sending it to the LDAP directory:
  * SHA
  * SSHA
  * MD5
  * SMD5
  * CRYPT
  * clear
  * auto

Set one of them in ''$hash'':
<file php>
$hash = "clear";
</file>

<note important>This option is ignored in Active Directory mode.</note>

<note tip>Use ''auto'' to read the current password value and derive the hash scheme from it. This requires read access to the password.</note>

You can configure the crypt salt prefix to choose the algorithm (see [[http://php.net/manual/en/function.crypt.php|crypt documentation]]):
<file php>
$hash_options['crypt_salt_prefix'] = "$6$";
</file>
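The following is an added example, not Self Service Password's own code, showing what two of the schemes above produce as ''userPassword'' values (''SSHA'' and ''CRYPT'' with the ''$6$'' prefix), how a stored ''{SSHA}'' value is verified, and the first step the ''auto'' scheme has to perform: read the existing value and recover its scheme prefix. Function names and the sample password are assumptions made for the illustration.

```php
<?php
// Added example (not Self Service Password's own code): build LDAP userPassword
// values for two of the schemes listed above, and show what the "auto" scheme
// needs first: the scheme prefix of the value already stored in the directory.

// {SSHA}: base64( sha1(password . salt) . salt ), the salt is appended in clear.
function ssha_hash(string $password, int $saltLen = 8): string
{
    $salt = random_bytes($saltLen);
    return '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt);
}

// {CRYPT} with a configurable prefix; "$6$" selects SHA-512 crypt.
// Salt characters after the prefix come from the usual ./0-9A-Za-z set.
function crypt_hash(string $password, string $saltPrefix = '$6$'): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return '{CRYPT}' . crypt($password, $saltPrefix . $salt . '$');
}

// Verify a candidate password against a stored {SSHA} value: the first 20 bytes
// of the decoded blob are the sha1 digest, everything after them is the salt.
function ssha_verify(string $password, string $stored): bool
{
    if (strncmp($stored, '{SSHA}', 6) !== 0) {
        return false;
    }
    $bin = base64_decode(substr($stored, 6), true);
    if ($bin === false || strlen($bin) <= 20) {
        return false;
    }
    $digest = substr($bin, 0, 20);
    $salt   = substr($bin, 20);
    return hash_equals($digest, sha1($password . $salt, true));
}

// What "auto" depends on: the {SCHEME} prefix of the current userPassword.
// Without read access to that attribute there is nothing to derive it from.
function detect_scheme(string $stored): string
{
    if (preg_match('/^\{([A-Za-z0-9-]+)\}/', $stored, $m)) {
        return strtoupper($m[1]);
    }
    return 'CLEAR';   // no prefix: the value is stored in clear text
}

$pw    = 'Example-Passw0rd!';   // constructed sample value
$ssha  = ssha_hash($pw);
$crypt = crypt_hash($pw, '$6$');

echo $ssha, "\n";
echo $crypt, "\n";
var_dump(ssha_verify($pw, $ssha));
var_dump(ssha_verify('wrong-password', $ssha));
echo detect_scheme($ssha), "\n";
echo detect_scheme($crypt), "\n";
echo detect_scheme('stored-in-clear'), "\n";
```

Both hash outputs change on every run because the salt is random; ''ssha_verify'' succeeds for the original password and fails for any other, and ''detect_scheme'' returns ''SSHA'', ''CRYPT'' and ''CLEAR'' for the three stored values. Choosing ''clear'' means the directory receives the password unprotected, so it only makes sense when the server itself hashes on write (for example through its own password policy overlay).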

===== Size =====

Set minimal and maximal length in ''$pwd_min_length'' and ''$pwd_max_length'':
<file php>
$pwd_min_length = 4;
$pwd_max_length = 8;
</file>

<note tip>Set ''0'' in ''$pwd_max_length'' to disable maximal length checking.</note>

===== Characters =====

You can set the minimal number of lower, upper, digit and special characters:
<file php>
$pwd_min_lower = 3;
$pwd_min_upper = 1;
$pwd_min_digit = 1;
$pwd_min_special = 1;
</file>

Special characters are defined with a regular expression, by default:
<file php>
$pwd_special_chars = "^a-zA-Z0-9";
</file>

This means special characters are all characters except alphabetical letters and digits.

You can also disallow characters from being in a password, with ''$pwd_forbidden_chars'':
<file php>
$pwd_forbidden_chars = "@%";
</file>

This means that ''@'' and ''%'' cannot be present in a password.

You can define how many different classes of characters (lower, upper, digit, special) are needed in the password:

<file php>
$pwd_complexity = 2;
</file>
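The following is an added example, not Self Service Password's own code, that applies the size, character-count, forbidden-character and complexity settings from the snippets above to a few candidate passwords and returns every rule each one violates. It assumes that ''$pwd_special_chars'' is used as the body of a regular-expression character class (so ''^a-zA-Z0-9'' becomes ''/[^a-zA-Z0-9]/''); the function name and the error labels are assumptions made for the illustration.

```php
<?php
// Added example (not Self Service Password's own code): evaluate a candidate
// password against the policy settings described above and list violations.
// Assumption: $pwd_special_chars is the body of a regex character class.

function check_password_policy(string $password, array $policy): array
{
    $errors = [];

    // Size: a max length of 0 disables the maximum check.
    $len = function_exists('mb_strlen') ? mb_strlen($password) : strlen($password);
    if ($len < $policy['pwd_min_length']) {
        $errors[] = 'tooshort';
    }
    if ($policy['pwd_max_length'] > 0 && $len > $policy['pwd_max_length']) {
        $errors[] = 'toobig';
    }

    // Per-class counts; "special" uses the configurable class body.
    $counts = [
        'lower'   => preg_match_all('/[a-z]/', $password),
        'upper'   => preg_match_all('/[A-Z]/', $password),
        'digit'   => preg_match_all('/[0-9]/', $password),
        'special' => preg_match_all('/[' . $policy['pwd_special_chars'] . ']/', $password),
    ];
    foreach ($counts as $class => $n) {
        if ($n < $policy['pwd_min_' . $class]) {
            $errors[] = 'min' . $class;
        }
    }

    // Forbidden characters: a single occurrence is a violation. preg_quote keeps
    // characters such as "-" or "]" from being interpreted inside the class.
    if ($policy['pwd_forbidden_chars'] !== ''
        && preg_match('/[' . preg_quote($policy['pwd_forbidden_chars'], '/') . ']/', $password)) {
        $errors[] = 'forbiddenchars';
    }

    // Complexity: number of distinct character classes actually present.
    $present = count(array_filter($counts, function ($n) { return $n > 0; }));
    if ($present < $policy['pwd_complexity']) {
        $errors[] = 'notcomplex';
    }

    return $errors;
}

// The values used in the configuration snippets above.
$policy = [
    'pwd_min_length'      => 4,
    'pwd_max_length'      => 8,
    'pwd_min_lower'       => 3,
    'pwd_min_upper'       => 1,
    'pwd_min_digit'       => 1,
    'pwd_min_special'     => 1,
    'pwd_special_chars'   => '^a-zA-Z0-9',
    'pwd_forbidden_chars' => '@%',
    'pwd_complexity'      => 2,
];

// Constructed candidates: one that passes, one hitting a forbidden character,
// one that is too long and too uniform, one short of lower-case letters.
foreach (['abcD1!', 'abcD1@', 'abcdefghij', 'AB1!'] as $candidate) {
    $errors = check_password_policy($candidate, $policy);
    printf("%-12s %s\n", $candidate, $errors ? implode(', ', $errors) : 'ok');
}
```

Note that ''@'' counts as a special character under the default class and is at the same time forbidden, so ''abcD1@'' satisfies the minimum-special rule but is still rejected; the two settings are evaluated independently. Also, with ''$pwd_max_length = 8'' and four mandatory classes the usable password space is small, so when raising the per-class minimums it is worth raising or disabling the maximum length as well.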

===== Pwned Passwords =====

Checks whether the password has already been compromised, using the https://haveibeenpwned.com/ database:
<file php>
$use_pwnedpasswords = true;
</file>
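The following is an added example, not Self Service Password's own code, of how such a check can be performed without the password, or even its full hash, leaving the host: only the first five hexadecimal characters of the SHA-1 are sent to the service's range endpoint, the service returns every hash suffix sharing that prefix, and the comparison is done locally (the k-anonymity model documented by the service). The endpoint URL is not on this page; the function names, the injected fetcher and the offline response are assumptions made for the illustration.

```php
<?php
// Added example (not Self Service Password's own code): k-anonymity lookup
// against the Pwned Passwords range API. Only a 5-character hash prefix is
// transmitted; the full SHA-1 never leaves this host.

// Query the range API for a 5-character prefix. Returns the raw body
// ("SUFFIX:COUNT" lines) or null on transport error.
function fetch_pwned_range(string $prefix): ?string
{
    $ctx  = stream_context_create(['http' => [
        'timeout' => 5,
        'header'  => "User-Agent: ssp-ppolicy-example\r\n",
    ]]);
    $body = @file_get_contents('https://api.pwnedpasswords.com/range/' . $prefix, false, $ctx);
    return $body === false ? null : $body;
}

// Number of times the password appears in the breach corpus (0 = not found),
// or null when the lookup could not be completed. $fetch is injected so the
// matching logic can be exercised offline.
function pwned_count(string $password, callable $fetch = 'fetch_pwned_range'): ?int
{
    $sha1   = strtoupper(sha1($password));
    $prefix = substr($sha1, 0, 5);
    $suffix = substr($sha1, 5);

    $body = $fetch($prefix);
    if ($body === null) {
        return null;
    }
    foreach (preg_split('/\r?\n/', $body) as $line) {
        [$candidate, $count] = array_pad(explode(':', trim($line), 2), 2, '0');
        if (strtoupper($candidate) === $suffix) {
            return (int) $count;
        }
    }
    return 0;
}

// Constructed offline response for prefix 5BAA6 (sha1("password") begins with
// 5BAA61E4...). A real response holds hundreds of lines; the counts are made up.
$fakeRange = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
           . "00000000000000000000000000000000000:1\r\n";
$offline = function (string $prefix) use ($fakeRange): ?string {
    return $prefix === '5BAA6' ? $fakeRange : '';
};

$hit    = pwned_count('password', $offline);                 // present in the constructed range
$miss   = pwned_count('Example-Passw0rd!', $offline);        // prefix not in the constructed range
$failed = pwned_count('anything', function (string $p): ?string { return null; });

printf("password: %s\n",          $hit    === null ? 'lookup failed' : "$hit hits");
printf("Example-Passw0rd!: %s\n", $miss   === null ? 'lookup failed' : "$miss hits");
printf("transport error: %s\n",   $failed === null ? 'lookup failed' : "$failed hits");
```

The third call shows the failure mode a deployment has to decide on: when the service is unreachable the function returns null rather than 0, so the caller can choose between failing closed (refuse the change) and failing open (accept it and log the miss). Whichever is chosen, the outbound request should be allowed through the server's egress filtering, otherwise every check ends in that branch.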

===== Reuse =====

You can prevent a user from using the old password as the new password if this check is not done by the directory:
<file php>
$pwd_no_reuse = true;
</file>

===== Show policy =====

The password policy can be displayed to the user by configuring ''$pwd_show_policy''. Three values are accepted:
  * ''always'': policy is always displayed
  * ''never'': policy is never displayed
  * ''onerror'': policy is only displayed if the password is rejected because of it, and the user provided the old password correctly.

<file php>
$pwd_show_policy = "never";
</file>

You can also configure whether the policy is displayed above or below the form:
<file php>
$pwd_show_policy_pos = "above";
</file>