feat: enforce minimum password length of 8 characters with warning#1874
feat: enforce minimum password length of 8 characters with warning#1874jlima8900 wants to merge 2 commits intoKeeper-Security:releasefrom
Conversation
jlima8900
force-pushed
the
feat/password-generator-minimum
branch
from
d7b0dea to
75b1bd0
Compare
jlima8900
changed the title
|
Note on enterprise password policy:
This PR raises the hardcoded floor from 4 to 8 as a safety net, but the deeper fix would be for That's a larger change (requires |
|
don't submit PRs against master, do it against release branch instead |
|
following up after a repo-local pass: i don't think the enterprise password-rule concern is the blocker here. the concrete gap in this PR is test coverage. this should add targeted unit tests for the new clamp/warning behavior in
the other thing i'd like called out explicitly before merge is the contract change: this no longer honors an explicit |
The $GEN password generator previously allowed passwords as short as 4 characters. This raises the minimum to 8 (NIST SP 800-63B) and logs a warning when the requested length is below minimum, so users with legacy system constraints see what happened. Changes: - Raise minimum from 4 to 8 for rand algorithm - Log warning when requested length is clamped - Update help text examples to use $GEN (default length 20) - Fix typo in help text (algorith → algorithm) - Document character types included by default The default length (20) and maximum (200) are unchanged. The dice and crypto algorithms are unaffected.
Address PR #1874 review from @aaunario-keeper: 9 tests covering the clamp/warning behavior: - $GEN:rand,4 and $GEN:rand,6 clamp to 8 with warning - $GEN:rand,8 does not warn - Default rand, dice, and crypto behavior unchanged Contract change: generate_password() no longer honors explicit $GEN:rand,<8> requests — values below 8 are forced to 8 with a warning. This is intentional policy to prevent weak passwords from being generated through the local record-field helper.
jlima8900
force-pushed
the
feat/password-generator-minimum
branch
from
75b1bd0 to
85aca92
Compare
|
Thanks for the detailed follow-up. Addressing both points: Target branch: Understood — I'll retarget this PR to the release branch. Contract change + test coverage: You're right that this is an intentional policy change —
Agreed that the enterprise password-rule concern is a separate issue — this PR is scoped to the local |
2 participants
Summary
$GENlocal record-field helper$GEN:rand,<8>now clamps to 8 with alogging.warninginstead of silently accepting values as low as 4rand,dice, andcryptoalgorithms unchangedContract change
generate_password()no longer honors explicit$GEN:rand,<N>requests where N < 8. Values below 8 are forced to 8 with a warning. This is intentional policy to prevent weak passwords from being generated through the CLI helper.This applies only to the local
$GENhelper inrecord_edit.py— enterprise password complexity rules and separate workflow-specific paths are unaffected.Test plan
$GEN:rand,4→ clamps to 8, emits warning$GEN:rand,6→ clamps to 8, emits warning$GEN:rand,8→ produces 8 chars, no warning$GEN:rand,24→ produces 24 chars$GEN(no params) → default 20 chars$GEN:rand(no length) → default 20 chars$GEN:dice,5→ unchanged behavior$GEN:crypto→ unchanged behaviorunit-tests/test_password_generator.py, all passing