These two site settings have some interplay:
- Min Password Length (default: 10)
- Block Common Passwords (default: on)
We figured a minimum password length of 10 was a bit too high and relaxed it to 8, but later were surprised to see that “password” was now allowed as a password, despite the other option still being on.
Digging into common_passwords.rb, it turns out the list of common passwords which Discourse checks against has been filtered to remove all the ones under 10 characters. Makes sense for the defaults.
Changing the password list looks like a bit of a pain as it’s stored inside the Docker container and the path isn’t configurable. A plugin could probably override it but I’m not sure that’s the right approach or if the plugin would be able to hook things early enough (unchecked).
On our forum, we’ll go back to the default 10 character minimum for a simple life. So we don’t really need anything, but maybe one or more of these makes sense:
- The password list could be configurable.
  - Pro: May also benefit non-English forums.
- The default password list on disk could be unfiltered, then filtered as it is loaded into memory, based on the minimum length setting.
  - Pro: Retains the speed and memory benefits, at a minor cost to startup time.
  - Con: Would require new code to re-load/re-filter the list if the setting was changed, or an admin education message telling them the server has to be restarted.
  - Con: For multi-site, the password list is stored in memory once for all sites. If each site had different minimum length settings then new code would need writing.
- The minimum length setting could be moved into app.yml.
  - Pro: Could do the filtering at rebuild time.
  - Con: Setting is harder to find, and takes the site down to change.
- Display a warning that reducing min_password_length effectively breaks block_common_passwords.
  - Pro: Probably the easiest. It could simply be added to the option description.
- Or something else. People who know Discourse better may have better solutions.
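As an added illustration (not Discourse's own code from common_passwords.rb), a small Ruby sketch of the mismatch described above and of the filter-at-load proposal; the word list, method names and the scenario values are constructed for the example:

```ruby
require "set"

# Constructed sample of a common-password list; the real file shipped with
# Discourse is far longer and is not reproduced here.
SAMPLE_LIST = <<~LIST.freeze
  password
  123456
  qwerty
  letmein
  password1
  iloveyou
  1234567890
  qwertyuiop
  administrator
LIST

# Current approach: the list on disk was already trimmed to the default
# minimum (10), so anything shorter never reaches the runtime check.
def prefiltered_common_passwords(raw, built_min_length)
  raw.each_line.map(&:strip).reject { |p| p.empty? || p.length < built_min_length }.to_set
end

# Proposal: keep the unfiltered list on disk and filter it when loaded,
# using whatever min_password_length is set to at that moment.
def load_common_passwords(raw, min_length)
  raw.each_line.map(&:strip).reject { |p| p.empty? || p.length < min_length }.to_set
end

# The check itself: reject if shorter than the minimum or present in the
# (filtered) common list. Returns a symbolic reason, or nil if acceptable.
def password_problem(password, min_length, common)
  return :too_short if password.length < min_length
  return :common if common.include?(password)
  nil
end

# Scenario from the post: list built for 10, site setting relaxed to 8.
def demo
  built_for_ten = prefiltered_common_passwords(SAMPLE_LIST, 10)
  filtered_at_load = load_common_passwords(SAMPLE_LIST, 8)
  {
    prefiltered: password_problem("password", 8, built_for_ten),          # nil (accepted)
    filtered_at_load: password_problem("password", 8, filtered_at_load),  # :common
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```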