Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Simplify password requirements #1237

Closed
wants to merge 1 commit into from

Conversation

NicolaiSoeborg
Copy link

A strong password is not necessary complex (https://xkcd.com/936/). Having arbitrary password requirements is a bit of a pain - we should rather push for 2FA / passwordless auth.

I don't think this is a breaking change as it only change a "SHOULD" sentence. Any mismatch between clients / servers should still be 'spec complient' within the old text.

ECP = Enforce Complex Password
Client ECP - Server ECP: ✅
Client ECP - Server not-ECP: ✅
Client not-ECP - Server not-ECP: ✅
Client not-ECP - Server ECP: Potentially M_WEAK_PASSWORD which the client should already be able to handle.

This change will probably make it easier to implement MSC2000

A strong password is not necessary complex (https://xkcd.com/936/). Having arbitrary password requirements is a bit of a pain - we should rather push for 2FA / passwordless auth. 

I don't think this is a breaking change as it only change a "SHOULD" sentence. Any mismatch between clients / servers should still be 'spec complient' within the old text.

ECP = Enforce Complex Password
Client ECP - Server ECP: ✅
Client ECP - Server not-ECP: ✅
Client not-ECP - Server not-ECP: ✅
Client not-ECP - Server ECP: Potentially `M_WEAK_PASSWORD` which the client should already be able to handle.

This change will probably make it easier to implement [MSC2000](matrix-org/matrix-spec-proposals#2000)
@NicolaiSoeborg NicolaiSoeborg requested a review from a team as a code owner September 15, 2022 10:45
@KitsuneRal
Copy link
Member

  1. Relaxing the requirements (even SHOULDs) should still go through an MSC process, in my opinion.
  2. I don't see how this makes it easier to implement MSC2000. That MSC sets forth its own language to define password complexity. If that language is implemented it has to be done to the extent of the MSC, not to the extent the current spec describes; and if it's not, the MSC is irrelevant to whatever is currently said in the spec.

@uhoreg
Copy link
Member

uhoreg commented Sep 21, 2022

Yes, I agree that this should go through the MSC process before being merged.

@turt2live
Copy link
Member

Closing pending MSC, per above reviews.

@turt2live turt2live closed this Sep 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants