summaryrefslogtreecommitdiffstats
path: root/template
diff options
context:
space:
mode:
Diffstat (limited to 'template')
-rw-r--r--template/en/default/admin/params/auth.html.tmpl70
-rw-r--r--template/en/default/global/password-features.html.tmpl4
-rw-r--r--template/en/default/global/user-error.html.tmpl24
3 files changed, 78 insertions, 20 deletions
diff --git a/template/en/default/admin/params/auth.html.tmpl b/template/en/default/admin/params/auth.html.tmpl
index 95db59022..99c52f759 100644
--- a/template/en/default/admin/params/auth.html.tmpl
+++ b/template/en/default/admin/params/auth.html.tmpl
@@ -24,6 +24,70 @@
desc = "Set up your authentication policies"
%]
+[% desc_passwdqc_min = BLOCK %]
+ [Int0, Int1, Int2, Int3, Int4]
+ <p>
+ The minimum allowed password lengths for different kinds of passwords
+ and passphrases. "undef" can be used to disallow passwords of a given
+ kind regardless of their length. Each subsequent number is required to
+ be no larger than the preceding one.
+
+ <p>
+ Int0 is used for passwords consisting of characters from one character
+ class only. The character classes are: digits, lower-case letters,
+ upper-case letters, and other characters. There is also a special
+ class for non-ASCII characters, which could not be classified, but are
+ assumed to be non-digits.
+ <p>
+ Int1 is used for passwords consisting of characters from two character
+ classes that do not meet the requirements for a passphrase.
+ <p>
+ Int2 is used for passphrases. Note that besides meeting this length
+ requirement, a passphrase must also consist of a sufficient number of
+ words (see the "passphrase_words" option below).
+ <p>
+ Int3 and Int4 are used for passwords consisting of characters from
+ three and four character classes, respectively.
+
+ <p>
+ When calculating the number of character classes, upper-case letters
+ used as the first character and digits used as the last character of a
+ password are not counted.
+
+ <p>
+ In addition to being sufficiently long, passwords are required to
+ contain enough different characters for the character classes and the
+ minimum length they have been checked against.
+[% END %]
+
+[% desc_passwdqc_max = BLOCK %]
+ The maximum allowed password length. This can be used to prevent users
+ from setting passwords that may be too long for some system services.
+ It must be larger than 8.
+[% END %]
+
+[% desc_passwdqc_passphrase_words = BLOCK %]
+ The number of words required for a passphrase, or 0 to disable the
+ support for user-chosen passphrases.
+[% END %]
+
+[% desc_passwdqc_match_length = BLOCK %]
+ The length of common substring required to conclude that a password is
+ at least partially based on information found in a character string,
+ or 0 to disable the substring search. Note that the password will not
+ be rejected once a weak substring is found; it will instead be
+ subjected to the usual strength requirements with the weak substring
+ partially discounted.
+ <p>
+ The substring search is case-insensitive and is able to detect and
+ remove a common substring spelled backwards.
+[% END %]
+
+[% desc_random_bits = BLOCK %]
+ The size of randomly-generated passphrases in bits (24 to 85).
+[% END %]
+
+
[% param_descs = {
auth_env_id => "Environment variable used by external authentication system " _
"to store a unique identifier for each user. Leave it blank " _
@@ -133,6 +197,12 @@
"will be permitted to create their own accounts and all accounts " _
"will have to be created by an administrator.",
+ passwdqc_min => desc_passwdqc_min,
+ passwdqc_max => desc_passwdqc_max
+ passwdqc_passphrase_words => desc_passwdqc_passphrase_words,
+ passwdqc_match_length => desc_passwdqc_match_length,
+ passwdqc_random_bits => desc_random_bits,
+
password_complexity =>
"Set the complexity required for passwords. In all cases must the passwords " _
"be at least ${constants.USER_PASSWORD_MIN_LENGTH} characters long." _
diff --git a/template/en/default/global/password-features.html.tmpl b/template/en/default/global/password-features.html.tmpl
index 5d6c0f8c1..ab7ae1d81 100644
--- a/template/en/default/global/password-features.html.tmpl
+++ b/template/en/default/global/password-features.html.tmpl
@@ -10,7 +10,7 @@
style="display: none"
class="[% class FILTER html %]"
data-password-page="[% password_page FILTER html %]"
- data-password-complexity="[% Param("password_complexity") FILTER html %]">
+ data-password-complexity="no_constraints">
Password must be 8 characters or longer,
and match at least 3 of the following requirements:
@@ -24,4 +24,4 @@
<div id="password-msg"></div>
<div id="password-meter-label" style="display: none">Strength: <span id="password-meter" class="meter"></span></div>
-</div> \ No newline at end of file
+</div>
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index a622a5eee..3e4d7c4a0 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1505,7 +1505,7 @@
[% title = "Password Change Requests Not Allowed" %]
The system is not configured to allow password change requests.
- [% ELSIF error == "passwords_dont_match" %]
+ [% ELSIF error == "password_mismatch" %]
[% title = "Passwords Don't Match" %]
The two passwords you entered did not match.
@@ -1513,25 +1513,13 @@
[% title = "Incorrect Password" %]
You did not enter your password correctly.
- [% ELSIF error == "password_too_short" %]
- [% title = "Password Too Short" %]
- The password must be at least
- [%+ constants.USER_PASSWORD_MIN_LENGTH FILTER html %] characters long.
- [% IF locked_user %]
- You must <a href="token.cgi?a=reqpw&amp;loginname=[% locked_user.email FILTER uri %]&amp;token=[% issue_hash_token(['reqpw']) FILTER uri %]">
- request a new password</a> in order to log in again.
+ [% ELSIF error == "password_insecure" %]
+ [% title = "Password Fails Requirements" %]
+ The password does not meet our security requirements
+ [% IF reason %]
+ for the following reason: [% reason FILTER html %]
[% END %]
- [% ELSIF error == "password_not_complex" %]
- [% title = "Password Fails Requirements" %]
- The Password must meet three of the following requirements
- <ul>
- <li>uppercase letters</li>
- <li>lowercase letters</li>
- <li>numbers</li>
- <li>symbols</li>
- <li>longer than 12 characters</li>
- </ul>
[% IF locked_user %]
You must <a href="token.cgi?a=reqpw&amp;loginname=[% locked_user.email FILTER uri %]&amp;token=[% issue_hash_token(['reqpw']) FILTER uri %]">
request a new password</a> in order to log in again.