Feature: #97388 - Introduce configurable password policies
See forge#97388
Description
TYPO3 now includes a PasswordPolicyValidator component which can be used to validate passwords against configurable password policies. It also ships a default password policy which ensures that passwords meet the following requirements:
- At least 8 chars
- At least one number
- At least one upper case char
- At least one special char
- Must be different from the current password (if available)
Password policies can be configured individually for both the frontend and the backend context. It is also possible to extend a password policy with your own validation requirements.
As a first step, the included default password policy is applied to ext:setup to ensure that new passwords of backend users entered in "User Settings" match the default password requirements.
Impact
The new password of an existing TYPO3 backend user has to meet the default password policy when set using ext:setup.
Configuring password policies
A password policy is defined in the TYPO3 global configuration. Each policy must have a unique identifier (the identifier "default" is reserved by TYPO3) and must contain at least one validator. The example below shows how the password policy with the identifier "simple" is configured:
$GLOBALS['TYPO3_CONF_VARS']['SYS']['passwordPolicies'] = [
    'simple' => [
        'validators' => [
            \TYPO3\CMS\Core\PasswordPolicy\Validator\CorePasswordValidator::class => [
                'options' => [
                    'minimumLength' => 6,
                ],
            ],
        ],
    ],
];
The password policy in the example uses the CorePasswordValidator with the minimumLength option to require a password with a minimum length of 6 chars.
The password policy identifier is used to assign the defined password policy to the backend and/or frontend context. By default, TYPO3 uses the password policy "default" as shown below:
$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordPolicy'] = 'default';
$GLOBALS['TYPO3_CONF_VARS']['FE']['passwordPolicy'] = 'default';
Password policy validators
TYPO3 ships with two password policy validators, which are both used in the default password policy.
\TYPO3\CMS\Core\PasswordPolicy\Validator\CorePasswordValidator
This validator enforces a complex password with a defined minimum length and four individual character-class requirements.
The following options are available:
Option                     | Description           | Type    | Default
minimumLength              | Minimum length        | Integer | 8
upperCaseCharacterRequired | Upper case char check | Boolean | false
lowerCaseCharacterRequired | Lower case char check | Boolean | false
digitCharacterRequired     | Digit check           | Boolean | false
specialCharacterRequired   | Special char check    | Boolean | false
\TYPO3\CMS\Core\PasswordPolicy\Validator\NotCurrentPasswordValidator
This validator can be used to ensure that the new user password is not equal to the old password. The validator must always be configured with the exclude action \TYPO3\ , because it has to be excluded when a new user account is created (there is no current password to compare against yet).
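As an added, stand-alone illustration (not TYPO3's own code) of what the two shipped validators enforce: a PHP function that evaluates a candidate password against a policy array in the same shape as the configuration above, using the option names from the table, and returns the names of the failed requirements. The regular expressions for the character classes, the "notCurrentPassword" label and the sample passwords are assumptions of this example.

```php
<?php
// Added illustration, not TYPO3's own code: stand-alone reimplementation of what the two
// shipped validators check, driven by an array shaped like one entry of
// $GLOBALS['TYPO3_CONF_VARS']['SYS']['passwordPolicies']. The regexes are this example's assumption.
$policy = [
    'validators' => [
        \TYPO3\CMS\Core\PasswordPolicy\Validator\CorePasswordValidator::class => [
            'options' => [
                'minimumLength' => 8,
                'upperCaseCharacterRequired' => true,
                'digitCharacterRequired' => true,
                'specialCharacterRequired' => true,
            ],
        ],
        \TYPO3\CMS\Core\PasswordPolicy\Validator\NotCurrentPasswordValidator::class => [],
    ],
];
function checkPassword(array $policy, string $password, ?string $currentHash): array
{
    $failed = [];
    foreach ($policy['validators'] as $validatorClass => $config) {
        $short = substr(strrchr($validatorClass, '\\'), 1);
        $opt = $config['options'] ?? [];
        if ($short === 'CorePasswordValidator') {
            if (mb_strlen($password) < ($opt['minimumLength'] ?? 8)) {
                $failed[] = 'minimumLength';
            }
            $classes = [
                'upperCaseCharacterRequired' => '/\p{Lu}/u',
                'lowerCaseCharacterRequired' => '/\p{Ll}/u',
                'digitCharacterRequired' => '/\p{N}/u',
                'specialCharacterRequired' => '/[^\p{L}\p{N}\s]/u',
            ];
            foreach ($classes as $option => $pattern) {
                if (($opt[$option] ?? false) && !preg_match($pattern, $password)) {
                    $failed[] = $option;
                }
            }
        } elseif ($short === 'NotCurrentPasswordValidator' && $currentHash !== null) {
            // A newly created account has no current hash, so this check is skipped for it.
            if (password_verify($password, $currentHash)) {
                $failed[] = 'notCurrentPassword';
            }
        }
    }
    return $failed;
}
$currentHash = password_hash('Winter2023!', PASSWORD_DEFAULT); // constructed sample: stored hash of the current password
print_r(checkPassword($policy, 'Winter2023!', $currentHash)); // candidate equals the current password
print_r(checkPassword($policy, 'correct horse', $currentHash)); // lower case letters and a space only
```

Passing null as $currentHash mirrors the account-creation case in which NotCurrentPasswordValidator is excluded.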
Disable password policies globally
To disable the password policy globally (e.g. for local development), an empty string has to be supplied as the password policy for both the frontend and the backend context, as shown below:
$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordPolicy'] = '';
$GLOBALS['TYPO3_CONF_VARS']['FE']['passwordPolicy'] = '';
Custom password validator
To create a custom password validator, a new class has to be created which extends \TYPO3\ .
It is required to overwrite the following functions:
public function initializeRequirements(): void
public function validate(string $password, ?ContextData $contextData = null): bool
Please refer to \TYPO3\ for a detailed implementation example.