From 8891595554db42e76086b4ce34daf522ab17e8f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolai=20S=C3=B8borg?= Date: Thu, 15 Sep 2022 12:44:45 +0200 Subject: [PATCH] Simplify password requirements MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A strong password is not necessarily complex (https://xkcd.com/936/). Having arbitrary password requirements is a bit of a pain - we should rather push for 2FA / passwordless auth. I don't think this is a breaking change as it only changes a "SHOULD" sentence. Any mismatch between clients / servers should still be 'spec compliant' within the old text. ECP = Enforce Complex Password Client ECP - Server ECP: ✅ Client ECP - Server not-ECP: ✅ Client not-ECP - Server not-ECP: ✅ Client not-ECP - Server ECP: Potentially `M_WEAK_PASSWORD` which the client should already be able to handle. This change will probably make it easier to implement [MSC2000](https://github.com/matrix-org/matrix-spec-proposals/pull/2000/) --- content/client-server-api/_index.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/content/client-server-api/_index.md b/content/client-server-api/_index.md index 3d80c849..2b4d7f4d 100644 --- a/content/client-server-api/_index.md +++ b/content/client-server-api/_index.md @@ -1203,9 +1203,8 @@ forwarded to the login endpoint during the login process. For example: #### Notes on password management {{% boxes/warning %}} -Clients SHOULD enforce that the password provided is suitably complex. -The password SHOULD include a lower-case letter, an upper-case letter, a -number and a symbol and be at a minimum 8 characters in length. Servers +Clients SHOULD enforce that the password provided is suitably strong. +The password SHOULD be at a minimum 8 characters in length. Servers MAY reject weak passwords with an error code `M_WEAK_PASSWORD`. {{% /boxes/warning %}}
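Review bot: in the `#### Notes on password management` hunk, replacing "suitably complex" with "suitably strong" leaves the 8-character minimum as the only concrete criterion, so "strong" is undefined and a client and server can still disagree on what triggers `M_WEAK_PASSWORD` (the commit message's own "Client not-ECP - Server ECP" case). Suggest adding one sentence naming the check that replaces the dropped composition rule, for example "Clients SHOULD check the password against a list of commonly used or previously breached passwords", which is the check NIST SP 800-63B recommends in place of composition rules, so that the relaxed text still gives implementers a shared, testable definition of weak.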