EPrints Technical Mailing List Archive
See the EPrints wiki for instructions on how to join this mailing list and related information.
Message: #10271
Re: [EP-tech] Standard password security
- To: "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>
- Subject: Re: [EP-tech] Standard password security
- From: Peter Edwards <P.L.Edwards@leeds.ac.uk>
- Date: Fri, 26 Sep 2025 10:45:45 +0000
Here's an example regex which tests a password for a minimum length of 14 characters, with uppercase and lowercase letters, numbers and a symbol (from the set @$!%*?&):

https://regex101.com/r/HOEy5h/1

I'm not sure how you would use this in the $c->{validate_user} subroutine in cfg.d/user_validate.pl though...

Peter

Peter Edwards
Application Support Analyst
University of Leeds

________________________________________
From: eprints-tech-request@ecs.soton.ac.uk <eprints-tech-request@ecs.soton.ac.uk> on behalf of Agung Prasetyo W. <prazetyo@gmail.com>
Sent: 26 September 2025 10:29
To: David R Newman
Cc: eprints-tech@ecs.soton.ac.uk
Subject: Re: [EP-tech] Standard password security

Hi David,

Thanks for the answer. However, I don't know how to add the regular expression. This password check applies when the admin creates a new user, changes their own or a user's password, and when a user changes their own password. Please help.

Thank you

Best regards
Agung PW

On Fri, 26 Sept 2025 at 14:44, David R Newman <drn@ecs.soton.ac.uk> wrote:

You should be able to add something to cfg.d/user_validate.pl to run a regular expression or whatever analysis you want over the password provided and return a warning message if the password does not meet required standards. However, admins can typically ignore validation warnings, so to ensure they cannot set a less than secure password, you should probably also use cfg.d/user_fields_automatic.pl to make sure the new password gets unset (so the password is not updated in the user record until their new password is considered sufficiently secure).

You may have to separately write something for /cgi/register to check the initial password a user wants to set, if you allow new users to register rather than having accounts initially created for them.

On 26/09/2025 7:40 am, Agung Prasetyo W. wrote:

Hi,

I'd like to ask, is it possible that when a user or admin changes their password, the password must be at least 14 characters long? This is related to institutional security standards, which require a minimum password length of 14 characters. It would be better if passwords also met the standard for uppercase letters, lowercase letters, numbers, and symbols.

Thank you.

Regards,
Agung PW

*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
*** EPrints community wiki: https://wiki.eprints.org/
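
The policy described in the thread (minimum 14 characters, uppercase, lowercase, a number, and a symbol from the set @$!%*?&), written as separate per-rule checks so each failure yields its own message. This is an added example, not code from any of the posters or from EPrints, and it does not reproduce the regex behind the regex101 link; `password_policy_problems` is a hypothetical helper name. It assumes the plaintext password is available as a decoded character string; how the plaintext reaches `$c->{validate_user}` is the open question in the thread and is not addressed here.

```perl
use strict;
use warnings;

# Policy values taken from the thread: minimum length 14 and the
# symbol set @$!%*?& named in Peter's message.
my $MIN_LENGTH = 14;
my $SYMBOL_RE  = qr/[\@\$!%*?&]/;

# Hypothetical helper (not an EPrints API). Takes the plaintext password
# as a character string and returns a list of problem messages.
# An empty list means the password satisfies every rule.
sub password_policy_problems
{
	my( $password ) = @_;

	# Treat a missing or empty value as a single, distinct problem.
	return ( 'No password supplied.' )
		unless defined( $password ) && length( $password );

	my @problems;

	# length() counts characters, provided the input has been decoded.
	push @problems, "Password must be at least $MIN_LENGTH characters long."
		if length( $password ) < $MIN_LENGTH;
	push @problems, 'Password must contain an uppercase letter.'
		unless $password =~ /\p{Lu}/;
	push @problems, 'Password must contain a lowercase letter.'
		unless $password =~ /\p{Ll}/;
	push @problems, 'Password must contain a number.'
		unless $password =~ /[0-9]/;
	push @problems, 'Password must contain one of the symbols @$!%*?&.'
		unless $password =~ $SYMBOL_RE;

	return @problems;
}

# Constructed sample inputs, for illustration only.
for my $candidate ( 'short1!A', 'alllowercaseandlong1!', 'Correct&Horse7Battery' )
{
	my @problems = password_policy_problems( $candidate );
	printf "%-24s %s\n", $candidate, @problems ? join( ' ', @problems ) : 'OK';
}
```

Unlike a single anchored regex, these checks do not restrict which other characters a password may contain, so spaces and symbols outside the listed set are accepted as long as every rule is met.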
- References:
- [EP-tech] Standard password security
- From: "Agung Prasetyo W." <prazetyo@gmail.com>
- Re: [EP-tech] Standard password security
- From: David R Newman <drn@ecs.soton.ac.uk>
- Re: [EP-tech] Standard password security
- From: "Agung Prasetyo W." <prazetyo@gmail.com>