diff options
Diffstat (limited to 'template')
-rw-r--r-- | template/en/default/admin/params/auth.html.tmpl | 70 | ||||
-rw-r--r-- | template/en/default/global/password-features.html.tmpl | 4 | ||||
-rw-r--r-- | template/en/default/global/user-error.html.tmpl | 24 |
3 files changed, 78 insertions, 20 deletions
diff --git a/template/en/default/admin/params/auth.html.tmpl b/template/en/default/admin/params/auth.html.tmpl index 95db59022..99c52f759 100644 --- a/template/en/default/admin/params/auth.html.tmpl +++ b/template/en/default/admin/params/auth.html.tmpl @@ -24,6 +24,70 @@ desc = "Set up your authentication policies" %] +[% desc_passwdqc_min = BLOCK %] + [Int0, Int1, Int2, Int3, Int4] + <p> + The minimum allowed password lengths for different kinds of passwords + and passphrases. "undef" can be used to disallow passwords of a given + kind regardless of their length. Each subsequent number is required to + be no larger than the preceding one. + + <p> + Int0 is used for passwords consisting of characters from one character + class only. The character classes are: digits, lower-case letters, + upper-case letters, and other characters. There is also a special + class for non-ASCII characters, which could not be classified, but are + assumed to be non-digits. + <p> + Int1 is used for passwords consisting of characters from two character + classes that do not meet the requirements for a passphrase. + <p> + Int2 is used for passphrases. Note that besides meeting this length + requirement, a passphrase must also consist of a sufficient number of + words (see the "passphrase_words" option below). + <p> + Int3 and Int4 are used for passwords consisting of characters from + three and four character classes, respectively. + + <p> + When calculating the number of character classes, upper-case letters + used as the first character and digits used as the last character of a + password are not counted. + + <p> + In addition to being sufficiently long, passwords are required to + contain enough different characters for the character classes and the + minimum length they have been checked against. +[% END %] + +[% desc_passwdqc_max = BLOCK %] + The maximum allowed password length. This can be used to prevent users + from setting passwords that may be too long for some system services. + It must be larger than 8. +[% END %] + +[% desc_passwdqc_passphrase_words = BLOCK %] + The number of words required for a passphrase, or 0 to disable the + support for user-chosen passphrases. +[% END %] + +[% desc_passwdqc_match_length = BLOCK %] + The length of common substring required to conclude that a password is + at least partially based on information found in a character string, + or 0 to disable the substring search. Note that the password will not + be rejected once a weak substring is found; it will instead be + subjected to the usual strength requirements with the weak substring + partially discounted. + <p> + The substring search is case-insensitive and is able to detect and + remove a common substring spelled backwards. +[% END %] + +[% desc_random_bits = BLOCK %] + The size of randomly-generated passphrases in bits (24 to 85). +[% END %] + + [% param_descs = { auth_env_id => "Environment variable used by external authentication system " _ "to store a unique identifier for each user. Leave it blank " _ @@ -133,6 +197,12 @@ "will be permitted to create their own accounts and all accounts " _ "will have to be created by an administrator.", + passwdqc_min => desc_passwdqc_min, + passwdqc_max => desc_passwdqc_max + passwdqc_passphrase_words => desc_passwdqc_passphrase_words, + passwdqc_match_length => desc_passwdqc_match_length, + passwdqc_random_bits => desc_random_bits, + password_complexity => "Set the complexity required for passwords. In all cases must the passwords " _ "be at least ${constants.USER_PASSWORD_MIN_LENGTH} characters long." _ diff --git a/template/en/default/global/password-features.html.tmpl b/template/en/default/global/password-features.html.tmpl index 5d6c0f8c1..ab7ae1d81 100644 --- a/template/en/default/global/password-features.html.tmpl +++ b/template/en/default/global/password-features.html.tmpl @@ -10,7 +10,7 @@ style="display: none" class="[% class FILTER html %]" data-password-page="[% password_page FILTER html %]" - data-password-complexity="[% Param("password_complexity") FILTER html %]"> + data-password-complexity="no_constraints"> Password must be 8 characters or longer, and match at least 3 of the following requirements: @@ -24,4 +24,4 @@ <div id="password-msg"></div> <div id="password-meter-label" style="display: none">Strength: <span id="password-meter" class="meter"></span></div> -</div>
\ No newline at end of file +</div> diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index a622a5eee..3e4d7c4a0 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -1505,7 +1505,7 @@ [% title = "Password Change Requests Not Allowed" %] The system is not configured to allow password change requests. - [% ELSIF error == "passwords_dont_match" %] + [% ELSIF error == "password_mismatch" %] [% title = "Passwords Don't Match" %] The two passwords you entered did not match. @@ -1513,25 +1513,13 @@ [% title = "Incorrect Password" %] You did not enter your password correctly. - [% ELSIF error == "password_too_short" %] - [% title = "Password Too Short" %] - The password must be at least - [%+ constants.USER_PASSWORD_MIN_LENGTH FILTER html %] characters long. - [% IF locked_user %] - You must <a href="token.cgi?a=reqpw&loginname=[% locked_user.email FILTER uri %]&token=[% issue_hash_token(['reqpw']) FILTER uri %]"> - request a new password</a> in order to log in again. + [% ELSIF error == "password_insecure" %] + [% title = "Password Fails Requirements" %] + The password does not meet our security requirements + [% IF reason %] + for the following reason: [% reason FILTER html %] [% END %] - [% ELSIF error == "password_not_complex" %] - [% title = "Password Fails Requirements" %] - The Password must meet three of the following requirements - <ul> - <li>uppercase letters</li> - <li>lowercase letters</li> - <li>numbers</li> - <li>symbols</li> - <li>longer than 12 characters</li> - </ul> [% IF locked_user %] You must <a href="token.cgi?a=reqpw&loginname=[% locked_user.email FILTER uri %]&token=[% issue_hash_token(['reqpw']) FILTER uri %]"> request a new password</a> in order to log in again. |