[Enhancement]: Password Policy #997

New issue

Open

opened 2026-02-20 01:13:23 -05:00 by deekerman · 9 comments

deekerman commented 2026-02-20 01:13:23 -05:00

Owner

Copy link

Originally created by @theniwo on GitHub (Feb 25, 2023).

We need administrative settings to control the strenth of a password.

Currently users can set their password to anything unsafe.

These requirements should be enableable

• A-Z
• a-z
• 0-9
• Special characters
• Password length
• No reuse of passwords

Originally created by @theniwo on GitHub (Feb 25, 2023). ### We need administrative settings to control the strenth of a password. Currently users can set their password to anything unsafe. These requirements should be enableable * A-Z * a-z * 0-9 * Special characters * Password length * No reuse of passwords

deekerman added the

enhancement

label 2026-02-20 01:13:23 -05:00

deekerman commented 2026-02-20 01:13:23 -05:00

Author

Owner

Copy link

@DieselTech commented on GitHub (Feb 25, 2023):

I would love to see the adoption of the NIST's new password guidelines as a starting point:

• User-generated passwords should be at least 8 characters in length.
• Users should be able to create passwords at least 64 characters in length.
• All ASCII/Unicode characters should be allowed, including emojis and spaces.
• Stored passwords should be hashed and salted, and never truncated. The salt SHALL be at least 32 bits in length and be chosen arbitrarily so as to minimize salt value collisions among stored hashes.
• Passwords should not expire.
• Users should be prevented from using sequential characters (e.g., “1234”) or repeated characters (e.g., “aaaa”).
• Two-factor authentication (2FA) should not use SMS for codes.
• Knowledge-based authentication (KBA), such as “What was the name of your first pet?”, should not be used.
• Users should be allowed 10 failed password attempts before being locked out of a system or service.
• Passwords should not have hints.
• Complexity requirements — like requiring special characters, numbers or uppercase letters — should not be used.
• Context-specific words, such as the name of the service or the individual’s username, should not be permitted.
• Prospective passwords should be compared against password breach databases and rejected if there’s a match.

The length thing is what will trip up most people. It should be at least 8 but that's it. Enforcing long password "just because" has shown to have the opposite effect. It makes people create gibberish password that aren't actually secure just to get to the limit. Also making them include different characters like A-Z, a-z, 0-9 isn't safe. It just leads to insecure passwords.

The only one I would see us not using is the last part about comparing them with online breech databases. For a self-hosted app that likely won't happen as those services tend to cost money.

@DieselTech commented on GitHub (Feb 25, 2023): I would love to see the adoption of the NIST's new password guidelines as a starting point: - User-generated passwords should be at least 8 characters in length. - Users should be able to create passwords at least 64 characters in length. - All ASCII/Unicode characters should be allowed, including emojis and spaces. - Stored passwords should be hashed and salted, and never truncated. The salt SHALL be at least 32 bits in length and be chosen arbitrarily so as to minimize salt value collisions among stored hashes. - Passwords should not expire. - Users should be prevented from using sequential characters (e.g., “1234”) or repeated characters (e.g., “aaaa”). - Two-factor authentication (2FA) should not use SMS for codes. - Knowledge-based authentication (KBA), such as “What was the name of your first pet?”, should not be used. - Users should be allowed 10 failed password attempts before being locked out of a system or service. - Passwords should not have hints. - Complexity requirements — like requiring special characters, numbers or uppercase letters — should not be used. - Context-specific words, such as the name of the service or the individual’s username, should not be permitted. - Prospective passwords should be compared against password breach databases and rejected if there’s a match. The length thing is what will trip up most people. It should be at least 8 but that's it. Enforcing long password "just because" has shown to have the opposite effect. It makes people create gibberish password that aren't actually secure just to get to the limit. Also making them include different characters like A-Z, a-z, 0-9 isn't safe. It just leads to insecure passwords. The only one I would see us not using is the last part about comparing them with online breech databases. For a self-hosted app that likely won't happen as those services tend to cost money.

deekerman commented 2026-02-20 01:13:23 -05:00

Author

Owner

Copy link

@daVinci2793 commented on GitHub (Jun 12, 2023):

It adds some complexity, but a solid compromise between forcing healthy password policies and good security is customizable password policies. A password policy page under settings that allows the admins/root to change the policy would be ideal. That way, users that are hosting but not proxying/forwarding/sharing need not worry.

Additionally, if we copy nextcloud's homework and use their "password database" validator it could be a meaningful addition. The HIBP pwnedpasswords API they are using is free.

@daVinci2793 commented on GitHub (Jun 12, 2023): It adds some complexity, but a solid compromise between forcing healthy password policies and good security is customizable password policies. A password policy page under settings that allows the admins/root to change the policy would be ideal. That way, users that are hosting but not proxying/forwarding/sharing need not worry. Additionally, if we copy nextcloud's homework and use their "password database" validator it could be a meaningful addition. The HIBP pwnedpasswords API they are using is free. 

deekerman commented 2026-02-20 01:13:24 -05:00

Author

Owner

Copy link

@daVinci2793 commented on GitHub (Jun 12, 2023):

https://haveibeenpwned.com/Passwords

It's actually pretty awesome, and if you dev tools the request, it's very simple.

@daVinci2793 commented on GitHub (Jun 12, 2023): https://haveibeenpwned.com/Passwords It's actually pretty awesome, and if you dev tools the request, it's very simple.

deekerman commented 2026-02-20 01:13:24 -05:00

Author

Owner

Copy link

@skyzuma commented on GitHub (Jun 30, 2023):

any progressions?

@skyzuma commented on GitHub (Jun 30, 2023): any progressions?

deekerman commented 2026-02-20 01:13:24 -05:00

Author

Owner

Copy link

@nichwall commented on GitHub (Dec 9, 2023):

Could this be handled by using OIDC for SSO (or other authentication methods if added) instead of requiring ABS to enforce password policies?
https://github.com/advplyr/audiobookshelf/issues/998

@nichwall commented on GitHub (Dec 9, 2023): Could this be handled by using OIDC for SSO (or other authentication methods if added) instead of requiring ABS to enforce password policies? https://github.com/advplyr/audiobookshelf/issues/998

deekerman commented 2026-02-20 01:13:25 -05:00

Author

Owner

Copy link

@Sapd commented on GitHub (Jan 25, 2024):

@nichwall

Could this be handled by using OIDC for SSO (or other authentication methods if added) instead of requiring ABS to enforce password policies? #998

Yes every Identity Provider should be able to configure that properly, some even have very advanced features as mentioned above (like comparing with haveibeenpwned etc.). I think complexity wise it only makes sense that ABS has simple rules (like min. amount of characters), and for more advanced use cases people should configure OIDC and disable local auth.

@Sapd commented on GitHub (Jan 25, 2024): @nichwall > Could this be handled by using OIDC for SSO (or other authentication methods if added) instead of requiring ABS to enforce password policies? #998 Yes every Identity Provider should be able to configure that properly, some even have very advanced features as mentioned above (like comparing with haveibeenpwned etc.). I think complexity wise it only makes sense that ABS has simple rules (like min. amount of characters), and for more advanced use cases people should configure OIDC and disable local auth.

deekerman commented 2026-02-20 01:13:25 -05:00

Author

Owner

Copy link

@kulps commented on GitHub (Aug 17, 2025):

I hope there's a way to enable MFA at the very least, though adopting NIST's guidelines as DieselTech suggested is also great.

@kulps commented on GitHub (Aug 17, 2025): I hope there's a way to enable MFA at the very least, though adopting NIST's guidelines as DieselTech suggested is also great.

deekerman commented 2026-02-20 01:13:25 -05:00

Author

Owner

Copy link

@Vito0912 commented on GitHub (Aug 18, 2025):

MFA/2FA currently is not planned to be added. See https://github.com/advplyr/audiobookshelf/issues/4480

You can do this via OIDC though

@Vito0912 commented on GitHub (Aug 18, 2025): MFA/2FA currently is not planned to be added. See https://github.com/advplyr/audiobookshelf/issues/4480 You can do this via OIDC though

deekerman commented 2026-02-20 01:13:25 -05:00

Author

Owner

Copy link

@kulps commented on GitHub (Aug 18, 2025):

Thanks for confirming. It's too bad, but I appreciate knowing.

@kulps commented on GitHub (Aug 18, 2025): Thanks for confirming. It's too bad, but I appreciate knowing.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

book_tags_genres_dedupe

episode_download_fallback

Issue-4540-SortBy-StartedDate-and-FinishedDate

episode_meta_tagging

fix_authorize_race_condition

redirect_transcode_requests

progress_updated_sort

fix_ereader_socket_event

fix_change_empty_root_password

fix_podcast_session_track_index

fix_set_token

session_modal_user

localize_durations

fix_oidc_create_user

jwt_auth_refactor

fix_scanner_deleting_single_file_books

fix_mediaprogress_updatedat_2

experimental_next_client

podcast_episode_duration

episode-timestamps-clickable

book_author_secondary_sort_title

podcast_useragents

pathexists_user_access

fix_pathexists_join

book_author_secondary_sort

clean_duplicate_mediaprogress

sanitize_html_description

trix_prevent_attachments

check_path_api_fix

fix_mediaprogress_updatedat

increase_express_json_limit

fix_dockerfile_nunicode

search_episodes

audiobook_tools_update

episode_secondary_sorts

hls_stream_url_update

new_session_track_endpoint

audiobook_tools_enhancements

watcher_rescans_update

player_track_tooltip

fix_exclude_prefixes_crash

socket_item_events

fix_podcast_episode_scanner_promise

new_stats_controller

count_cache_for_userpermissions

parsing-opf-v3

validate_migration_files

fix-quick-match-all-crash

fix-chapter-end-sleep-timer

stringify_sequelize_query

remove-col-ambiguity

fix_next_prev_edit_description

details_trim_whitespace

fix_content_url_basepath

fix_logger_fatal

progress_bar_visibility

batch-edit-populate-map-details

feed_generator_updates

bookmark-modal-updates

migrate-library-item-in-scanner

migrate-new-library-items

migrate-podcasts-new-library-item-2

migrate-podcasts-new-library-item

fix-remove-episode-from-playlist

playback-session-use-new-library-item

refactor-library-item

fix-heatmap-caption

feed-episodes-upsert

share-media-player-media-session-api

remove-old-playlist

remove_old_collection_object

plugin-implementation-demo

feed_migration

refactor-feeds-from-item

fix_remove_authors_no_books

v2.17.3-fk-constraints-migration

migrations-first-upgrade

sqlite_2

feature/nuxt-target-server

waveform

sqlite

playlists

video

v2.32.1

v2.32.0

v2.31.0

v2.30.0

v2.29.0

v2.28.0

v2.27.0

v2.26.3

v2.26.2

v2.26.1

v2.26.0

v2.25.1

v2.25.0

v2.24.0

v2.23.0

v2.22.0

v2.21.0

v2.20.0

v2.19.5

v2.19.4

v2.19.3

v2.19.2

v2.19.1

v2.19.0

v2.18.1

v2.18.0

v2.17.7

v2.17.6

v2.17.5

v2.17.4

v2.17.3

v2.17.2

v2.17.1

v2.17.0

v2.16.2

v2.16.1

v2.16.0

v2.15.1

v2.15.0

v2.14.0

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.0

v2.10.1

v2.10.0

v2.9.0

v2.8.1

v2.8.0

v2.7.2

v2.7.1

v2.7.0

v2.6.0

v2.5.0

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.23

v2.2.22

v2.2.21

v2.2.20

v2.2.19

v2.2.18

v2.2.17

v2.2.16

v2.2.15

v2.2.14

v2.2.13

v2.2.12

v2.2.11

v2.2.10

v2.2.9

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.24

v2.0.23

v2.0.22

v2.0.21

v2.0.20

v2.0.19

v2.0.18

v2.0.17

v2.0.16

v2.0.15

v2.0.14

v2.0.13

v2.0.12

v2.0.11

v2.0.10

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v1.7.2

v1.7.1

v1.7.0

v1.6.0

v1.5.5

v1.5.0

v1.4.11

v1.4.9

v1.4.7

v1.4.6

v1.4.4

v1.4.2

v1.4.1

v1.4.0

v1.3.4

v1.3.3

v1.3.1

v1.2.8

v1.2.6

v1.2.5

v1.2.4

v1.2.1

v1.1.15

v1.1.14

v1.1.13

v1.1.12

v1.1.11

v1.1.10

v1.1.9

v1.1.8

v1.0.0

0.9.61-beta.0

0.9.61-beta

Labels

Clear labels   

authentication

  

awaiting release

  

backlog

  

bug

  

chapter editor

  

config-issue

  

ebooks

  

encoding/embedding

  

enhancement

  

help wanted

  

listening sessions & progress

  

planned

  

possible plugin

  

progress sync

  

sorting/filtering/searching

  

unable to reproduce

  

upload

  

users & permissions

  

waiting

No labels

authentication

awaiting release

backlog

bug

chapter editor

config-issue

ebooks

encoding/embedding

enhancement

help wanted

listening sessions & progress

planned

possible plugin

progress sync

sorting/filtering/searching

unable to reproduce

upload

users & permissions

waiting

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/audiobookshelf#997

No description provided.