Overview
Let instance admins configure certain password constraints, like minimum length.
Why
Password constraints are almost always annoying to users -- especially everyday users. They introduce friction during a crucial onboarding step, causing people to leave and never return again. And they lead to average users choosing passwords that they instantly forget and don't save to a password manager, and thus can never log in again.
Of course, usability needs to be balanced with the need for security. Some instances will have a higher need for password security than others, so we should support those needs.
Questions
- What other constraints are needed besides minimum length? (We should consult different WF admins)
Users
Instance admins
Implementation
By default, passwords should have no constraints besides: length > 0 (current behavior).
Add a new value to the [app] config section, in the same vein as MinUsernameLen. In the UI, make sure any constraints are clearly communicated before a user submits the form with an invalid password, whether that means the constraints are statically spelled out on the page or dynamically shown while the user types a password. Do final validation on the server side, for both regular auth and OAuth; the UI hints are a usability aid only, and the server check is what actually enforces the policy.
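The following is an added illustration of the implementation sketched above; it is not WriteFreely's code. The field name MinPasswordLen, its ini key, the default username length and the two Register* functions are assumptions chosen to mirror MinUsernameLen. It keeps the current behaviour (length > 0) as the default, produces the message the UI shows before submit, and routes both the regular signup path and the OAuth signup path through one server-side check.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf8"
)

// AppConfig models the [app] config section. Only the fields relevant to
// this proposal are shown; MinPasswordLen and its ini key are assumed names
// for the new setting, chosen to mirror MinUsernameLen.
type AppConfig struct {
	MinUsernameLen int `ini:"min_username_len"`
	MinPasswordLen int `ini:"min_password_len"` // assumed new key; 0 means "unset"
}

// DefaultAppConfig keeps today's behaviour: no constraint beyond length > 0.
// The username default of 3 is an assumption for this example.
func DefaultAppConfig() AppConfig {
	return AppConfig{MinUsernameLen: 3, MinPasswordLen: 0}
}

// EffectiveMinPasswordLen never returns less than 1, so an unset or negative
// config value can never silently allow empty passwords.
func (c AppConfig) EffectiveMinPasswordLen() int {
	if c.MinPasswordLen < 1 {
		return 1
	}
	return c.MinPasswordLen
}

// PasswordError carries the numbers the UI needs to explain a rejection.
type PasswordError struct {
	Min, Got int
}

func (e *PasswordError) Error() string {
	return fmt.Sprintf("password must be at least %d characters (got %d)", e.Min, e.Got)
}

// ValidatePassword is the single server-side check used by every signup path.
// Length is measured in Unicode code points, not bytes, so a user typing
// non-ASCII characters is neither penalised nor over-credited for UTF-8 size.
func (c AppConfig) ValidatePassword(pw string) error {
	got := utf8.RuneCountInString(pw)
	if need := c.EffectiveMinPasswordLen(); got < need {
		return &PasswordError{Min: need, Got: got}
	}
	return nil
}

// PasswordConstraintsMessage is the text the signup page shows before submit.
// With the default policy there is nothing worth announcing.
func (c AppConfig) PasswordConstraintsMessage() string {
	need := c.EffectiveMinPasswordLen()
	if need <= 1 {
		return ""
	}
	return fmt.Sprintf("Password must be at least %d characters.", need)
}

// RegisterLocal stands in for the regular username/password signup handler.
func RegisterLocal(cfg AppConfig, username, password string) error {
	if utf8.RuneCountInString(username) < cfg.MinUsernameLen {
		return errors.New("username too short")
	}
	return cfg.ValidatePassword(password)
}

// RegisterOAuth stands in for the OAuth signup completion step, where the
// user picks a local password; it runs the same check rather than a copy.
func RegisterOAuth(cfg AppConfig, username, password string) error {
	return RegisterLocal(cfg, username, password)
}

func main() {
	cfg := AppConfig{MinUsernameLen: 3, MinPasswordLen: 8}
	fmt.Println(cfg.PasswordConstraintsMessage())
	for _, pw := range []string{"short", "longenough"} { // constructed inputs
		var pe *PasswordError
		err := RegisterOAuth(cfg, "alice", pw)
		if errors.As(err, &pe) {
			fmt.Printf("%q rejected: need %d, got %d\n", pw, pe.Min, pe.Got)
			continue
		}
		fmt.Printf("%q accepted\n", pw)
	}
}
```

Keeping one ValidatePassword method, called from both registration paths, is the point: if the OAuth flow had its own copy of the check, a future change to the policy could easily be applied to one path and not the other.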