ProjeQtOr free project management software - [Security issue] Password policy - ProjeQtOr
 
 

[Security issue] Password policy

21 May 2019 09:56 - 21 May 2019 10:39 #1 by papjul
Hi,

I will start by explaining my use case:
Top management required me to create hundreds of ProjeQtOr accounts for different usages (mostly to access some documents).
I was looking at the history of some users the other day and found that many users had never set their password.
It means they never logged in and still have the default password (which is the same for everyone).
This is not secure at all, as one can usurp the identity of someone else by guessing their login ID and just typing the default password.

These are my recommendations:
- The default password must be randomized; it should not be the same for everyone. The user still needs to change it the first time, as it is sent through email, which is not secure.
- The user must click on a link to activate their account within 24 hours, otherwise it is locked out.
- There should be some minimal requirements for the randomized password or when a user changes their password. ANSSI (the French national security agency) recommends that a password be at minimum 12 characters, including uppercase, lowercase, digits and specials. As I can already see some complaining about this, it should be possible to disable or adjust this feature (but I recommend enabling it by default).
- #1805 and #2525 are the same tickets about the "forgot password" button. It should optionally be solved as well, following the same recommendations above (a new password reset must follow the same rules, and the link becomes outdated if it is not clicked within 24 hours OR if the user has successfully logged in with his usual password since the reset email was sent).
- #2641: 2FA rocks; this is probably the best login security advice we can give you, and there are tons of HOTP/TOTP libraries out there. However, I can understand that you will want to implement the other points before looking into this one.

Can we expect to have at least the first 2 points addressed in the next version?

Thank you,
Last edit: 21 May 2019 10:39 by papjul.
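The provisioning flow papjul asks for above (a random per-account initial password, an activation link that locks the account after 24 hours, a minimum policy on any password a user chooses, and a "forgot password" link that is single-use, time-limited and voided by a normal login), written out as an added Python example. This is not ProjeQtOr code and not part of the original post: the `Account` dataclass, the in-memory token handling, PBKDF2 with the `PBKDF2_ROUNDS` value, `ACTIVATION_TTL` and the `SPECIALS` character set are all assumptions for the illustration; a real deployment would plug into the application's own user store and password hashing.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Policy values from the post (ANSSI: 12+ chars, four classes); all assumed configurable.
MIN_LENGTH = 12
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"
ACTIVATION_TTL = 24 * 3600   # activation and reset links expire after 24h
PBKDF2_ROUNDS = 100_000      # assumed; reuse the application's own password hashing

def meets_policy(password: str, min_length: int = MIN_LENGTH) -> bool:
    """Minimum length plus upper, lower, digit and special character."""
    return (len(password) >= min_length
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SPECIALS for c in password))

def random_password(length: int = MIN_LENGTH + 4) -> str:
    """Per-account initial password from the CSPRNG; it must pass the policy too."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate

def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()

def check_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)

def _token_hash(token: str) -> str:
    # Only a hash of the link token is stored, so a database leak does not hand out live links.
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class Account:
    login: str
    password_hash: str
    activated: bool = False
    locked: bool = False
    token_hash: Optional[str] = None   # pending activation or reset token (hashed)
    token_expires: float = 0.0         # unix time

def create_account(login: str, now: float) -> tuple[Account, str, str]:
    """Returns (account, initial_password, activation_token); the last two go in the e-mail only."""
    initial, token = random_password(), secrets.token_urlsafe(32)
    acct = Account(login, hash_password(initial), token_hash=_token_hash(token),
                   token_expires=now + ACTIVATION_TTL)
    return acct, initial, token

def _consume_token(acct: Account, token: str, now: float) -> bool:
    """Single use, time limited, compared in constant time."""
    if acct.token_hash is None or now > acct.token_expires:
        return False
    if not hmac.compare_digest(_token_hash(token), acct.token_hash):
        return False
    acct.token_hash = None
    return True

def activate(acct: Account, token: str, initial: str, new_password: str, now: float) -> bool:
    """First login: link + e-mailed password, then a policy-compliant new one; past 24h the account locks."""
    if acct.activated or acct.locked:
        return False
    if now > acct.token_expires:
        acct.locked = True
        return False
    # Policy and initial-password checks come first so a bad attempt does not burn the token.
    if (not meets_policy(new_password) or not check_password(initial, acct.password_hash)
            or not _consume_token(acct, token, now)):
        return False
    acct.password_hash, acct.activated = hash_password(new_password), True
    return True

def login(acct: Account, password: str) -> bool:
    """A successful normal login voids any pending reset link."""
    if acct.locked or not acct.activated or not check_password(password, acct.password_hash):
        return False
    acct.token_hash = None
    return True

def issue_reset(acct: Account, now: float) -> str:
    """'Forgot password': e-mail a fresh single-use token valid for 24h."""
    token = secrets.token_urlsafe(32)
    acct.token_hash, acct.token_expires = _token_hash(token), now + ACTIVATION_TTL
    return token

def reset_password(acct: Account, token: str, new_password: str, now: float) -> bool:
    if acct.locked or not meets_policy(new_password) or not _consume_token(acct, token, now):
        return False
    acct.password_hash = hash_password(new_password)
    return True
```

The two details worth carrying into any real implementation are that the token is stored hashed and compared with `hmac.compare_digest`, and that the expiry and policy checks run before the token is consumed, so an attacker guessing links cannot exhaust them and a user who mistypes a password does not lose their one-shot link.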

21 May 2019 15:43 #2 by Flou
Hello,

Your first recommendation is already included in the roadmap, with low priority.
Once it is included we can do your fourth proposal.
We have already considered your third point.

But these points we will not do:

User must click on a link to activate their account within 24 hours, otherwise it is locked out.

- #2641: 2FA rocks, this is probably the best login security advice we can give you, there are tons of HOTP/TOTP libraries out there, however I can understand that you will want to implement other points before looking into this one.

To finish, your recommendations will not be in the next version; we are focusing on sponsored development.

22 May 2019 09:29 #3 by papjul
Sad to see that the security of ProjeQtOr accounts is taken so lightly :(
I can understand that sponsored development must have high priority, but security and legal (GDPR) issues should be at the same level if not higher; however, you keep postponing them...
Features are cool, but they should not sacrifice security/legal requirements.

22 May 2019 15:24 #4 by babynus
If you want more security, use authentication through LDAP: it is your authentication service that will manage the password policy.

Babynus
Administrator of ProjeQtOr web site

22 May 2019 15:56 #5 by papjul
Thank you for the suggestion. I'm not familiar with LDAP, but I know we have an Active Directory internally.
We have many external users; is it possible to couple LDAP with "custom" users not in AD?

22 May 2019 16:05 #6 by babynus
Yes.

Babynus
Administrator of ProjeQtOr web site
