Enforce a standard policy for local passwords by default #10150

Closed
opened 2025-12-29 21:27:33 +01:00 by adam · 1 comment
Originally created by @jeremystretch on GitHub (Aug 28, 2024).

Originally assigned to: @arthanson on GitHub.

NetBox version

v4.0.9

Feature type

Change to existing functionality

Proposed functionality

Although NetBox supports enforcement of a configurable password policy (https://netboxlabs.com/docs/netbox/en/stable/configuration/security/#auth_password_validators), it does not assert any policy by default. This FR proposes defining a simple default compliance policy for local passwords. The following criteria are proposed:

  • Minimum length of 12 characters
  • At least one each of lowercase characters, uppercase characters, numeric digits, and symbols

(This new default policy can be disabled by setting AUTH_PASSWORD_VALIDATORS = [] in the NetBox configuration.)

Use case

This will provide a reasonable baseline for ensuring the use of strong local passwords.

Database changes

No response

External dependencies

No response
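As an added illustration (not NetBox's own code), the proposed default expressed as a Django password validator: a minimum length plus one character from each of the four classes. The class name DefaultComplexityValidator and the reading of "symbol" as any non-alphanumeric character are assumptions.

```python
try:
    from django.core.exceptions import ValidationError  # real Django class
except ImportError:  # fallback so the example also runs without Django installed (assumption)
    class ValidationError(Exception):
        def __init__(self, message, code=None):
            super().__init__(message)
            self.code = code

MIN_LENGTH = 12
# One character from each class is required. "symbol" is read as any non-alphanumeric
# character (an assumption; the proposal does not define the term).
CHARACTER_CLASSES = {
    "lowercase": str.islower,
    "uppercase": str.isupper,
    "digit": str.isdigit,
    "symbol": lambda c: not c.isalnum(),
}
HELP_TEXT = "At least 12 characters, including lowercase, uppercase, numeric and symbol characters."


def policy_violations(password):
    """Return the names of the proposed criteria the password fails (empty = compliant)."""
    failures = ["min_length"] if len(password) < MIN_LENGTH else []
    for name, test in CHARACTER_CLASSES.items():
        if not any(test(c) for c in password):
            failures.append(name)
    return failures


class DefaultComplexityValidator:
    """Django password validator (hypothetical name) enforcing the proposed default."""

    def validate(self, password, user=None):
        failures = policy_violations(password)
        if failures:
            raise ValidationError(
                "%s Failed: %s." % (HELP_TEXT, ", ".join(failures)),
                code="password_too_weak",
            )

    def get_help_text(self):
        return HELP_TEXT


def validation_code(password):
    """Run the validator and return its error code, or None when the password complies."""
    try:
        DefaultComplexityValidator().validate(password)
    except ValidationError as exc:
        return exc.code
    return None
```

Enabling such a validator is then a matter of listing its dotted path in AUTH_PASSWORD_VALIDATORS in the NetBox configuration; an empty list, as the proposal notes, switches the policy off.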

adam added the status: accepted, type: feature, complexity: low labels 2025-12-29 21:27:33 +01:00
adam closed this issue 2025-12-29 21:27:34 +01:00
@RangerRick commented on GitHub (Aug 30, 2024):

FYI, this is overkill for defaults, but I ended up making a custom auth plugin that implements OWASP's recommendations for a complex password, using a regex. Putting it here in case anyone comes looking for something similar. :)

```python
import re

from django.core.exceptions import ValidationError
from django.utils.translation import gettext as _

# A raw string is required here: in a plain string literal '\1' is the byte 0x01, not a
# backreference, so the "no more than 2 equal characters in a row" rule would never fire.
OWASP_REGEX = re.compile(
    r'^(?:(?=.*\d)(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[^A-Za-z0-9])(?=.*[a-z])'
    r'|(?=.*[^A-Za-z0-9])(?=.*[A-Z])(?=.*[a-z])|(?=.*\d)(?=.*[A-Z])(?=.*[^A-Za-z0-9]))'
    r'(?!.*(.)\1{2,})[A-Za-z0-9!~<>,;:_=?*+#."&§%°()\|\[\]\-\$\^\@\/]{12,128}$'
)
OWASP_MESSAGE = (
    "Password must meet the current OWASP recommendation for complex passwords: "
    "12 to 128 characters, requiring at least 3 out of 4 of uppercase and lowercase "
    "letters, numbers and special characters, and no more than 2 equal characters in a row."
)


class OWASPValidator:
    """Django password validator: 3 of 4 character classes, 12-128 chars, no triple repeats."""

    def validate(self, password, user=None):
        if not OWASP_REGEX.match(password):
            raise ValidationError(_(OWASP_MESSAGE), code="password_too_weak")

    def get_help_text(self):
        return _(OWASP_MESSAGE)
```
Reference: starred/netbox#10150