Option to disable strong password policy enforcement #6904
Comments
I second this. In a small home lab deployment this is an annoyance. The ability to accept the "danger" and disable password complexity should be possible.
Second this as well. This "feature" resulted in me being locked out for good.
Add me to this. In a small home lab deployment with no external access this is annoying AF.
Same here... local access only... some ENV parameter or so maybe...
Good to see I'm not the only one that wants to be able to disable this. I'm all for strong passwords when they are relevant, but if you REALLY want security, you don't use passwords at all. You use PKI and client certificates, which, I might add, would be a nice feature to have. ;-)
Why should I pick a password for Portainer that is even stronger than the server password I'm using? Makes no sense. Let me choose whatever I need for my system. I'm gonna roll back to the previous version until fixed.
Hi all, thanks for the feedback on this. I'm discussing options internally with the team here and will let you know what the outcome of those conversations is.
I strongly second this! Downgraded immediately.
Again, it resulted in me not being able to log in to Portainer at all. There was definitely no typo in the password used. This is therefore more than an inconvenience.
Seconded, very much.
Seconded; make it an option, but not rudely enforced.
Fully agree, please make it an option instead of enforcing it, as it's an extreme measure, which is exasperating, at least for me (and probably others too).
I hope this gets removed as well. Very annoying.
Seconded, what a pointless restriction to force on local networks.
IMO it should be freely configurable: max and min length, number of required character classes, max age.
Oh dear... back to a previous version for me; this is unworkable. Sure, it's OK by default (although a pain), but not being able to turn it off is unworkable. Thanks.
Reverted to the previous version until this becomes optional. Password strength is irrelevant when Portainer is simply making access to containers on a Raspberry Pi easier, behind a firewall in a home environment.
Thanks for all your comments and feedback everyone. It seems we have overdone the password policy in this case! In light of the feedback that we've received, we are removing the restriction that is enforcing the mix of lower case, upper case, numeric and special characters, which means that any passphrase that is at least 12 characters long will be accepted in the 2.13.1 patch release.
...not good enough. Make it configurable the way it should be: let the administrator define what the policy should be.
Fully agree, 12 characters for a home environment is still too much.
Just plain curiosity: how did you even identify this as a topic, without actually reading our passwords? But back to this topic, I would rather ask for the option of 2-factor than to have a 12-character minimum, 'cause I agree that if you are really using Portainer outside of private use, it had better be protected well. Even though I would never expose it directly to the Internet.
@huib-portainer I'd add some option to just disable password checking policy in general - having it turned on as default could make sense. Fancy fine granular policy definitions would be nice, but are optional IMHO...
Yep, that I wondered as well...
I'm sure my Raspberry Pi will sleep well at night knowing you're worrying about safety for it too, but insisting on a 12-character password will ensure that I simply save that detail in my browser (as I currently do not), making it shared and therefore weaker. Please provide the option to remove this new password policy, and/or provide us with a mechanism to set strength requirements for ourselves.
The slider sets the minimum password length required. You can of course use a password much longer than this. I will pass the feedback on the interface method on to the UX team, however.
We provide the ability to use external authentication providers already, which bypasses the built-in authentication, and we are actively looking at adding other providers in the future (for example Authelia). I'd suggest starting a separate GitHub issue around this so we can gather that feedback separately from this rather long thread.
Oh well, I don't want to run all those damn docker things at home if it's going to be this much trouble.
You still can. If you don't want to downgrade to 2.11.1 until they fix it, there are other products out there that do the same thing as Portainer. One of them, already mentioned above, is Yacht: https://yacht.sh/
Thank you, I'll go with this one.
Portainer CE-2.14.0 is here.
All this makes me feel very, very disappointed... 😞
Wait, someone said they're going to do something about it at the end of the month, hopefully.
This thread has been about disabling the enforcement of the strong password policy, which 2.14 has done. It has not been about disabling password authentication entirely; this should be opened as a separate feature request if it is desired. As the issue this thread is about has been alleviated in the 2.14 release, I am closing the thread.
How can I set the password length before Portainer installation? With an environment variable?
Ehm, how do I actually use this now? It asks for a 12-character password on install.
The simplest way is to use a 12-character initial password. After the initial setup is complete, just change the password length and set the correct password.
Thanks, I did that.
12 characters doesn't automatically make a strong password. The password @$$ is a lot stronger and harder to brute force than 123456789abc.
So what about this? Seems to be an issue for years. Just installed Portainer and have to use a useless long password. What is this shit?
@apfffr - It has been fixed. There is a setting for the number of characters to use. Change that to fit your desires. Create a user and assign a password.
If you are setting up your user/password during a new installation, you will need a 12-character password. Then, you can enter the settings to set the character length and set a new password.
If you summarize it so simply, it sounds even more stupid :(
Almost 2 years later and people still crying about this... Set a password, change the preferences, done. Unsubscribed.
I found it troublesome to come up with a 12-character password for temporary use. I initially repeated the password like
Yeah, now that I know I can change it, setting a one-time 12-character temporary password is not a big deal. Hell, you can even set it as 12345689012 or aaaaaaaaaaaa and then adjust the password rules before you change it to your favorite.
The thing is, 2 years later or not, this is still a weird design choice, with all due respect. And the proposed workaround is not satisfying to me: it looks weird in my deploy scripts, and it's simply unnecessary pain. I'm currently in the process of setting up a staging environment for my homelab. This staging environment is ephemeral and inaccessible from the outside world. I don't need a strong password there. Heck, I don't even need a password at all. I just want to set a simple one like '1234' to be iso with prod while still typing it quickly. When using the cloud-hosted offers of Portainer this probably makes a lot of sense. But when you're hosting by yourself you know what your use case is, and only you can decide which policy is relevant for which scenario. See my use case just above: I hate having Portainer think in my place here; that's not why I self-host open source services. I expect this kind of "protecting you from yourself" behaviour from proprietary solutions, that's a given, but I'm really sad to see it in the open source world, especially still ongoing years after the issue was raised. Why not just use an env var, a runtime parameter or whatever else to allow disabling this policy? Why would devs @ Portainer think allowing you to just tweak the password length requirement after first login (making it useless in an automated deploy environment) is a better solution? Why spend time developing features that decrease the number of ways we can use Portainer? I'm really confused.
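As an added illustration (not part of the thread), the following Python compares the two passwords just mentioned under the simplifying assumption that an attacker knows which character classes were used and brute-forces the whole space, and it flags trivially guessable shapes such as a repeated character or a straight run that length alone does not protect against. The character-class table, the `is_trivial_pattern` heuristic and the `policy_check` helper are my own assumptions, not Portainer's implementation.

```python
import math
import string

# Character classes the example policy reasons about (assumption: these four;
# whitespace and non-ASCII characters are not counted toward the alphabet).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,  # 32 printable ASCII symbols
}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace_bits(password):
    """Upper bound on brute-force work in bits: log2(alphabet ** length), where the
    alphabet is the union of the classes actually used (attacker assumed to know them)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def is_trivial_pattern(password):
    """Shapes that fall to a handful of guesses regardless of length (heuristic):
    a single repeated character, or a monotonic run like abcdef / 987654."""
    if len(set(password)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


def policy_check(password, min_length=12, min_classes=1):
    """Evaluate a password against a length / class-mix policy (the defaults mirror
    the 2.13.1 rule described in the thread: 12 characters, no class mix) and
    return the brute-force bound so the two policy knobs can be compared."""
    used = classes_used(password)
    trivial = is_trivial_pattern(password)
    ok = len(password) >= min_length and len(used) >= min_classes and not trivial
    return {"ok": ok, "bits": round(keyspace_bits(password), 1),
            "classes": sorted(used), "trivial": trivial}


if __name__ == "__main__":
    for pw in ("@$$", "123456789abc", "aaaaaaaaaaaa", "Tr0ub4dor&3"):
        print(pw, policy_check(pw))
```

Length dominates the bound (12 chars over digits and lowercase is about 62 bits, three symbols about 15), but the `trivial` flag shows why a length-only rule still admits passwords that any guesser tries first.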
Because: their project, their way. It was annoying for sure, but 2 years later and it's still the same. I'm pretty sure they're not going to change it back. Options:
I also did not like it, but it is what it is and I moved on.
This is a truism. Of course. I think we can still emit criticism though (and I did my best to make mine constructive, I don't think it's just me venting).
We don't know, man. Their project, their schedule. :D Could be a matter of number of people complaining, could be a matter of dev bandwidth, could be a matter of reasons to make the change... In any case, left this message in a bottle because I felt like it.
I considered many of those options, for now I'm doing 1. + registering the staging password in my browser, as stupid as it is; 2. is a little overkill and 4. too much maintenance for such a trivial problem (I don't think this deserves the maintenance effort, because yes there is a space between "it's worth me criticizing it" and "it's worth forking and maintaining the fork" 😄 ). Option 3 is actually interesting, I didn't consider it. But at first glance it seems a little flaky/too complicated to me: containers being ephemeral by nature, if the image doesn't give you a customisation option at startup, it means you gotta mount the customisation data each time, or modify the image directly with commands configuring the data; in both cases you meddle with the private implementation, and again, it means maintenance costs. But maybe I'm missing something in your suggestion. Anyway, yes, this was just my 2 cents, I know very well they don't have to act on it. Thank you for the suggestions though.
This entire thread is a monument to the arrogance of coders. The community has asked they change something back, and the devs are plugging their ears screaming. Sounds like a community fork is in order.
Godspeed!
Removed minimum password length for hobbyists issue portainer#6904
annnd done.. for those who want to run with any password length, I give you the portainer-genx fork install instructions:
docker volume create portainer_data
docker run -d -p 8000:8000 -p 9443:9443 --name portainer-genx --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_genx_data:/data phoenixalight/portainer-genx:latest
Problem solved, community heard and respected. How hard was that?
I'm unsure when this feature was developed, but I can now set the password length in the "Settings > Authentication" page. (reference) Still, I can't find a way to override the "12" character validations, but after logging in with a
Hello,
I would very much like to have this feature disabled. It does not provide anything in my local network, except discomfort.
I see this issue is closed, but the problem is still there. Will you do something about it?
Originally posted by @djbobyd in #6846 (comment)