Enforce safe passwords/password policy

3 years 11 months ago - 3 years 11 months ago #199449 by tammo
Is there any way of enforcing safer passwords for survey administrators? As far as I can see, the user can change his password to a one-letter password.

I would like to have a minimal number of x characters and minimum of 1 lower case, 1 UPPER CASE and 1 special character.
And a notification to change the password at regular intervals.

I tried looking for this, but came up with nothing.

Using LS3, most recent version,

greetings,

Tammo


Tammo ter Hark at Respondage
For Limesurvey reporting, education and customized themes
respondage.nl
Last edit: 3 years 11 months ago by tammo. Reason: Typos
The topic has been locked.
3 years 11 months ago #199450 by DenisChenu
Only in 4.X currently

Event was not added to 3.X

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development.
I don't answer to private message.
The following user(s) said Thank You: tammo
3 years 11 months ago #199453 by tammo
You did not make a plugin for this? ;-)


3 years 11 months ago #199459 by DenisChenu
Nobody asked, and there is no real event in 3.X for this

3 years 11 months ago #199488 by holch
To be honest, I personally think that those restrictions generally lead to the most danger. Suddenly people can not use the passwords they want and then they note them down, write them on a post-it next to their screen, etc. The more you try to force people to use cryptic passwords the more dangerous it gets. I am talking about normal users, not IT people.

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

The following user(s) said Thank You: DenisChenu
3 years 10 months ago #199497 by tammo
You could be right. This is probably true when people do not use a password manager.

Anyway, this is a "must have" for a customer. The IT department decided that. For me no use arguing.

Tammo


The following user(s) said Thank You: DenisChenu
3 years 10 months ago - 3 years 10 months ago #199500 by DenisChenu

holch wrote: To be honest, I personally think that those restrictions generally lead to the most danger.

Size and advice to use sentence maybe.

Without restrictions: users are sometimes so kind to bad people …

Last edit: 3 years 10 months ago by DenisChenu. Reason: remove hacker for bad people
3 years 10 months ago #199535 by jelo

holch wrote: The more you try to force people to use cryptic passwords the more dangerous it gets.

It's not about cryptic passwords, it's about exposed passwords. Bruteforcing combined with already known information.

Most people cannot imagine how many brute-force attacks to logins are happening on the internet in a few minutes.
LimeSurvey as a web application is not a top target, because it isn't automatically containing user data of value (like a webshop) or attracting many users (like a website with SEO potential).

In the last 12 months, more SaaS-tools began to implement simple 2FA solutions (e.g. E-Mail with access code for every login). If you use 2FA with more sophisticated tokens, you will need to educate people a lot. The introduction of 2FA should be done, with the case when you don't have access to the second factor (Token lost or broken).

The password complexity should be raised a bit and fine-tuning should be possible for admins.
Username and password should be on different forms to reduce attack automation a bit.
An additional form field for OTP or a simple security word can reduce the attack vector a bit.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
The following user(s) said Thank You: tpartner, tammo
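
The policy tammo asks for and the admin fine-tuning jelo suggests, as an added example that is not part of the thread and not LimeSurvey code: a standalone PHP check. The policy keys, function names, thresholds and sample passwords are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical admin-tunable policy; these keys are not LimeSurvey settings.
const POLICY = [
    'min_length'   => 12,   // the "x characters" from the request
    'need_lower'   => true,
    'need_upper'   => true,
    'need_special' => true,
    'max_age_days' => 90,   // interval for the change reminder
];

/** Returns the list of violated rules; an empty list means the password passes. */
function checkPassword(string $password, array $policy = POLICY): array
{
    // Count Unicode code points rather than bytes; false means invalid UTF-8.
    $length = preg_match_all('/./us', $password);
    if ($length === false) {
        return ['not valid UTF-8'];
    }
    $errors = [];
    if ($length < $policy['min_length']) {
        $errors[] = "shorter than {$policy['min_length']} characters";
    }
    if ($policy['need_lower'] && !preg_match('/\p{Ll}/u', $password)) {
        $errors[] = 'no lower-case letter';
    }
    if ($policy['need_upper'] && !preg_match('/\p{Lu}/u', $password)) {
        $errors[] = 'no upper-case letter';
    }
    // "Special" here means anything that is not a letter, digit or whitespace.
    if ($policy['need_special'] && !preg_match('/[^\p{L}\p{N}\s]/u', $password)) {
        $errors[] = 'no special character';
    }
    return $errors;
}

/** True when the last change is older than the policy allows, so a reminder is due. */
function changeReminderDue(DateTimeImmutable $lastChanged, DateTimeImmutable $now, array $policy = POLICY): bool
{
    return $lastChanged < $now && $lastChanged->diff($now)->days > $policy['max_age_days'];
}

// Constructed sample input.
foreach (['a', 'correct horse battery staple', 'Correct-horse-battery-staple'] as $candidate) {
    $errors = checkPassword($candidate);
    echo $candidate, ': ', $errors ? implode('; ', $errors) : 'accepted', PHP_EOL;
}
var_dump(changeReminderDue(new DateTimeImmutable('2024-01-01'), new DateTimeImmutable('2024-06-01')));
```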
3 years 10 months ago #199578 by holch

tammo wrote: Anyway, this is a "must have" for a customer. The IT department decided that. For me no use arguing.


I know - Just saying.

The tougher the rules, the more "creative" users become in remembering passwords and then suddenly all the good intentions caused exactly the opposite.

And I have no solution for the dilemma.

jelo wrote: 2FA solutions (e.g. E-Mail with access code for every login).

This solves security problems, but users will hate it because it takes time and the codes do not always come as quickly as they are supposed to. Then you need to do something and can't log in and have to wait for the email to arrive.

Don't get me wrong, I am fully aware of the risks of easy to crack passwords, but current attempts often lead to rejection of users to the point that a tool becomes 'unusable' for them due to the restrictions.

Tricky but very interesting topic.

3 years 10 months ago #199584 by DenisChenu
There was a 2FA plugin at one time in the Store, but it seems deleted.
