Configurable password constraints
Open, LowPublic



Let instance admins configure certain password constraints, like minimum length.


Password constraints are almost always annoying to users -- especially everyday users. They introduce friction during a crucial onboarding step, causing people to leave and never return again. And they lead to average users choosing passwords that they instantly forget and don't save to a password manager, and thus can never log in again.

Of course, usability needs to be balanced with the need for security. Some instances will have a higher need for password security than others, so we should support those needs.


  • What other constraints are needed besides minimum length? (We should consult different WF admins)


Instance admins


By default, passwords should have no constraints besides: length > 0 (current behavior).

Add a new value to the [app] config section, in the same vein as MinUsernameLen. In the UI, make sure any constraints are clearly communicated before a user submits the form with an invalid password -- whether this means the constraints are statically spelled out on the page, or dynamically shown while the user types in a password. Do final validation on the server side, for both regular auth and OAuth.

Event Timeline

matt triaged this task as Low priority.Jan 4 2020, 6:04 PM
matt created this task.