It should be possible to configure password policies through ezuser fields definitions.
|Minimum password length||number||8|
|Require at least one uppercase letter||checkbox||checked|
|Require at least one lowercase letter||checkbox||checked|
|Require at least one number||checkbox||checked|
|Require at least one nonalphanumeric character||checkbox||checked|
As an alternative to the above, a (perl compatible) regular expression can be entered. When it is, the "simple" constraints in the previous chapter are disabled (greyed out), and not applied. The regular expression's validity must be tested when the form is submitted.
Independently of the chosen validation method, an input field sets the validation error message shown when the constraints aren't met.
Validation should happen in all contexts where a user password can be set:
- User register
- User edit
- Change password (user profile, up v2.1)
- REST API
- Public API
Existing installations shouldn't have any of those options enabled. It can be detected in the converter / fieldtype, since the configuration for them won't exist in the database.
New installations should have the defaults indicated above, prestored in the default user_account field definition.