[SERVER-7363] Allow users to specify a password validation policy Created: 15/Oct/12  Updated: 08/Jan/24

Status: Open
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: features we're not sure of

Type: New Feature Priority: Minor - P4
Reporter: Ian Whalen (Inactive) Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 26
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-10855 Add a way to specify in createUser an... Closed
Duplicate
is duplicated by SERVER-18369 Plans for support password validation... Closed
is duplicated by SERVER-21462 The database does not support configu... Closed
is duplicated by SERVER-10022 Password complexity enforcement on se... Closed
is duplicated by SERVER-3095 Need to specify a minimum password le... Closed
Related
is related to SERVER-3095 Need to specify a minimum password le... Closed
Assigned Teams:
Server Security
Participants:
Case:

 Description   

Things like password length, strength, etc.



 Comments   
Comment by Willem Kupper [ 05/Jan/24 ]

Resurrecting this ancient thread. I just wanted to comment that in 2024 it is absolutely unbelievable that MongoDB does not have any method of enforcing password security or complexity. Might as well say "We never want to be used for government purposes or in a secure/audited environment" and be honest about it.

Comment by Andreas Nilsson [ 04/Mar/16 ]

Thanks for your question, narges.ghaedi@tecnotree.com.

We have no plan to enforce password requirements on the database level in the near future. Our general best practice recommendation is to use x.509 client certificates, or to integrate with existing user catalogs in the organization via LDAP or Kerberos authentication. A centralized user administration and life cycle has several security benefits.

We currently don't support expiry date on user accounts but we are considering this as a feature.

Account lockout is a tricky topic for any service-to-service architecture, since it allows for trivial DoS attacks.

Let me know if this answers your questions.

Regards,
Andreas Nilsson

Comment by Narges Ghaedi [ 04/Mar/16 ]

Hi Team,
For systems migrating from other RDBMSs like Oracle to MongoDB, covering security items is important. Please share MongoDB's plan to support enforcing policies like the items below.
Password complexity: ensure the password is a combination of letters, numbers and special characters
Password history: do not allow the last 3 passwords in the password change process
Expiration for individual usernames: e.g. 60 days
Account lockout policy for individual usernames: username lockout after 5 failed logins
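Since, as Andreas Nilsson's reply states, the server does not validate passwords itself, the complexity and expiration items in the list above have to be enforced on the provisioning side. The block below is an added example, not code from MongoDB or from any participant in this thread: a small wrapper for the mongo/mongosh shell (it also runs under Node.js) that rejects a password violating the policy before the createUser command is issued, and records the change date in the documented createUser customData field so that expiry can be checked later. The policy values, the pwdChangedAt key name and the sample user documents are assumptions made for illustration. Password history and account lockout are deliberately left out: the shell has no safe place to keep history hashes, and lockout has the DoS property noted in the reply.

```javascript
// Added example, not MongoDB project code. Client-side password policy
// enforcement around the createUser command, because the server performs
// no validation of its own.

// Policy values are assumptions chosen for this example.
const PASSWORD_POLICY = {
  minLength: 14,
  requireLower: true,
  requireUpper: true,
  requireDigit: true,
  requireSpecial: true,
  maxAgeDays: 60, // the "expiration" item from the thread
};

// Returns a list of human-readable violations; an empty list means the
// password passes. Also rejects passwords that embed the user name.
function checkPasswordPolicy(user, password, policy = PASSWORD_POLICY) {
  if (typeof password !== 'string') return ['password must be a string'];
  const violations = [];
  if (password.length < policy.minLength) {
    violations.push(`shorter than ${policy.minLength} characters`);
  }
  if (policy.requireLower && !/[a-z]/.test(password)) violations.push('no lowercase letter');
  if (policy.requireUpper && !/[A-Z]/.test(password)) violations.push('no uppercase letter');
  if (policy.requireDigit && !/[0-9]/.test(password)) violations.push('no digit');
  if (policy.requireSpecial && !/[^A-Za-z0-9]/.test(password)) violations.push('no special character');
  if (user && password.toLowerCase().includes(String(user).toLowerCase())) {
    violations.push('contains the user name');
  }
  return violations;
}

// Builds the createUser command document (createUser, pwd, roles and
// customData are documented command fields). The pwdChangedAt key inside
// customData is our own convention, not something the server interprets.
// Throws with the violation list if the password fails the policy.
function buildCreateUserCommand(user, password, roles, now = new Date(), policy = PASSWORD_POLICY) {
  const violations = checkPasswordPolicy(user, password, policy);
  if (violations.length > 0) {
    throw new Error(`password for ${user} rejected: ${violations.join(', ')}`);
  }
  return {
    createUser: user,
    pwd: password,
    roles,
    customData: { pwdChangedAt: now },
  };
}

// A user document whose customData carries no pwdChangedAt is treated as
// expired: unknown age fails closed rather than open.
function passwordExpired(userDoc, now = new Date(), policy = PASSWORD_POLICY) {
  const changedAt = userDoc && userDoc.customData && userDoc.customData.pwdChangedAt;
  if (!(changedAt instanceof Date)) return true;
  const ageDays = (now.getTime() - changedAt.getTime()) / 86400000;
  return ageDays > policy.maxAgeDays;
}

// Filters an array of user documents (the shape returned by db.getUsers())
// down to the names whose passwords are older than the policy allows.
function expiredUsers(userDocs, now = new Date(), policy = PASSWORD_POLICY) {
  return userDocs.filter((u) => passwordExpired(u, now, policy)).map((u) => u.user);
}

// Constructed sample data for a stand-alone run; not real users.
const SAMPLE_NOW = new Date('2024-03-01T00:00:00Z');
const SAMPLE_USERS = [
  { user: 'alice', customData: { pwdChangedAt: new Date('2024-02-01T00:00:00Z') } }, // 29 days old
  { user: 'bob', customData: { pwdChangedAt: new Date('2023-12-01T00:00:00Z') } },   // 91 days old
  { user: 'legacy' },                                                                   // no record
];

function demo() {
  return {
    goodPassword: checkPasswordPolicy('alice', 'Correct-Horse-Battery-9'),
    badPassword: checkPasswordPolicy('bob', 'bob12345'),
    expired: expiredUsers(SAMPLE_USERS, SAMPLE_NOW),
  };
}
```

In the shell the returned command document is run with `db.getSiblingDB('admin').runCommand(buildCreateUserCommand('alice', pwd, [{ role: 'readWrite', db: 'app' }]))`, and the users array from `db.getUsers()` can be passed to `expiredUsers` from a scheduled job that then forces a rotation. Nothing here stops a user with the right privileges from calling `createUser` or `updateUser` directly, so the wrapper is a provisioning-pipeline control, not a substitute for the server-side policy this ticket asks for.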

Generated at Thu Feb 08 03:14:19 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.