Hello,
Because the password policy of Matomo was too weak in the past, we installed the free plugin “PasswordPolicyEnforcer” a long time ago.
Now I migrated one test environment to Matomo 5.0.2 and realised that this plugin is allowed for Matomo 4 only and no longer runs on Matomo 5, so as long as the developer does not update this plugin for Matomo 5, we would have the weak Matomo password policy again. This is not allowed in our company.
So at this point the weak password policy stops us from updating to Matomo 5. Is there any chance that this will be improved soon?
Hi @OliverKoch
It seems this plugin is not maintained any more… (since 2020)
Maybe you can fork the project and do the updates in order to make it compatible with Matomo 5?
Also, you can even publish your new version to the Matomo marketplace:
https://developer.matomo.org/guides/distributing-your-plugin
Me? I am not a developer. I would expect Matomo to improve the low password security in their product.
Hi @OliverKoch
I found another plugin that is compatible with Matomo 5:
OliverKoch (Oliver Koch), March 12, 2024, 10:07am
Hi Philippe,
Password Verifier has a different function than PasswordPolicyEnforcer and is no substitute. My need is:
Minimum password length: 8
Require at least one uppercase character from Latin alphabet. (A-Z)
Require at least one lowercase character from Latin alphabet. (a-z)
Require at least one number. (0-9)
Require at least one symbol. (!@#$%^&*()_±= {}|')
Hi @OliverKoch
Then you can add a comment in:
opened 03:00AM - 07 Nov 22 UTC
Enhancement
c: Security
## As a Super User, I want to force all users to use strong, secure passwords for their Matomo account.
This is important as it will help increase the security of the data stored in Matomo, by ensuring that all users have strong passwords and that they are forced to set one.
## Potential solution:
* A new General setting, "Force all users to set a strong, secure password. " (<- confirm wording + inline help microcopy)
* where to put the setting? Ideally we would merge "Login" and "TwoFactorAuth" sections (in "General settings" page) into one section "Login & Security" that would have all settings nicely in one section?
By default, we should use an existing/standard set of strong password checks.
How much do we let super users customise the password policy details (number of min chars, etc. etc.)?
Here is what it looks like in discourse, which would be a great place to start:
![image](https://user-images.githubusercontent.com/466765/200216911-f970c6ae-d247-47f0-9641-8bcc551d7659.png)
Here is the text version:
```
min password length
Minimum password length.
min admin password length
Minimum password length for Admin.
password unique characters
Minimum number of unique characters that a password must have.
block common passwords
Don't allow passwords that are in the 10,000 most common passwords.
```
Other notes:
* if we implement the `Don't allow passwords that are in the 10,000 most common passwords.` this would be similar, but different, from https://plugins.matomo.org/PasswordVerifier#description which sends some hash of password to an API (which we wouldn't want to do)
* there is also a plugin for password policy but we wouldn't do it exactly like in that plugin (would rather do it like Discourse does (see above)) https://plugins.matomo.org/PasswordPolicyEnforcer#preview
## Out of scope:
* Force people to change their password every X weeks is not included in this scope
## This feature will be combined with other changes:
* the existing ability to enforce 2FA across a Matomo instance - it [is already supported that](https://matomo.org/faq/general/faq_27245/) "A user with super user access can force every user to have two-factor authentication enabled."
* communicate the password complexity in the UI so users proactively know the password security, see https://github.com/matomo-org/matomo/issues/13070 (where we will also remove the "repeat password" field)
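As an added example, not code from Matomo or from either plugin: a stand-alone policy checker that covers the rules Oliver lists above (minimum length, uppercase, lowercase, digit, symbol) together with the Discourse-style "unique characters" and "block common passwords" settings quoted from the issue, with the common-password check done locally so no password material is sent to an external API. The class and function names, the contents of the small blocklist, and treating any non-alphanumeric character as a symbol are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the "10,000 most common passwords" list the issue
# mentions; a real deployment would load the full list from a local file so that
# no password material is ever sent to a third-party API.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "welcome1"})


@dataclass(frozen=True)
class PasswordPolicy:
    """Password rules from the thread: the PasswordPolicyEnforcer-style class
    requirements plus the Discourse-style settings quoted in the issue."""
    min_length: int = 8
    require_upper: bool = True        # at least one A-Z
    require_lower: bool = True        # at least one a-z
    require_digit: bool = True        # at least one 0-9
    require_symbol: bool = True       # at least one non-alphanumeric character
    min_unique_chars: int = 0         # Discourse "password unique characters"
    block_common: bool = True         # Discourse "block common passwords"

    def violations(self, password: str) -> list[str]:
        """Return every rule the password breaks; an empty list means it passes.
        All rules are evaluated so the user sees the full set of problems."""
        problems: list[str] = []
        if len(password) < self.min_length:
            problems.append(f"must be at least {self.min_length} characters")
        if self.require_upper and not re.search(r"[A-Z]", password):
            problems.append("must contain an uppercase Latin letter (A-Z)")
        if self.require_lower and not re.search(r"[a-z]", password):
            problems.append("must contain a lowercase Latin letter (a-z)")
        if self.require_digit and not re.search(r"[0-9]", password):
            problems.append("must contain a digit (0-9)")
        if self.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
            problems.append("must contain a symbol")
        if len(set(password)) < self.min_unique_chars:
            problems.append(f"must use at least {self.min_unique_chars} distinct characters")
        # Blocklist match is local and case-insensitive; nothing leaves the server.
        if self.block_common and password.lower() in COMMON_PASSWORDS:
            problems.append("is too common")
        return problems

    def is_acceptable(self, password: str) -> bool:
        return not self.violations(password)


if __name__ == "__main__":
    policy = PasswordPolicy(min_unique_chars=5)
    for candidate in ("password", "Aa1!Aa1!", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {policy.violations(candidate) or 'OK'}")
```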