[SERVER-7363] Allow users to set specify a password validation policy Created: 15/Oct/12 Updated: 08/Jan/24 |
|
| Status: | Open |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | features we're not sure of |
| Type: | New Feature | Priority: | Minor - P4 |
| Reporter: | Ian Whalen (Inactive) | Assignee: | Backlog - Security Team |
| Resolution: | Unresolved | Votes: | 26 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||||||||||||||||||||||
| Assigned Teams: |
Server Security
|
||||||||||||||||||||||||||||||||||||
| Participants: | |||||||||||||||||||||||||||||||||||||
| Case: | (copied to CRM) | ||||||||||||||||||||||||||||||||||||
| Description |
|
Things like password length, strength, etc. |
| Comments |
| Comment by Willem Kupper [ 05/Jan/24 ] |
|
Resurrecting this ancient thread. I just wanted to comment that in 2024 it is absolutely unbelievable that MongoDB does not have any method of enforcing password security or complexity. Might as well say "We never want to be used for government purposes or in a secure/audited environment" and be honest about it. |
| Comment by Andreas Nilsson [ 04/Mar/16 ] |
|
Thanks for your question narges.ghaedi@tecnotree.com. We have no plan to enforce password requirements on the database level in the near future. Our general best practice recommendation is to use x.509 client certificates, or to integrate with existing user catalogs in the organization via LDAP or Kerberos authentication. A centralized user administration and life cycle has several security benefits. We currently don't support expiry date on user accounts but we are considering this as a feature. Account lockouts it is a tricky topic for any service-service architecture since it allows for trivial DoS attacks. Let me know if this answers your questions. Regards, |
| Comment by Narges Ghaedi [ 04/Mar/16 ] |
|
Hi Team |