Appears that recent versions of fleetctl now enforce user password requirements, which I believe did not used to be the case. FleetDM currently requires min 12 chars + 1 number + 1 special. Is there any way to customize the user password requirements?

Complex passwords

(ie requiring mixed character types) as a security best practice has been deprecated in favor of minimum password length (as well as a few other controls) by NIST (see section 5.1.1.2 Memorized Secret Verifiers) and the wider InfoSec community for a few years now - and I would like to tweak the complexity requirements for my deployments to be more inline with this.

cc @Guillaume we did this in response to recommendations from a pentest. The requirements used to be 7 chars including 1 number and 1 special. Now it's 12 chars including 1 number and 1 special.

We also have issues open to enforce SSO as well as add 2FA support to Fleet though they haven't been prioritized yet

Ah nice. So per the NIST doc that both your page and I linked to:

When users create and change memorized secrets:
- Clearly communicate information on how to create and change memorized secrets.
- Clearly communicate memorized secret requirements, as specified in Section 5.1.1.
- Allow at least 64 characters in length to support the use of passphrases. Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
- Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.
- Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise. (See Section 5.1.1 for additional information).

The core of the issue is that we should be trying to guide people into using passphrases (with no complexity rules other than minimum length). The other key controls are: • MFA for non-SSO • Rate-limiting (exists already in FleetDM) • Disallow-list check (ie using haveIbeenpwned offline check or something similar) - https://haveibeenpwned.com/Passwords

I am 100% with you on this. The reason we increased it to 12 was to improve the length, and we didn’t change the other requirements so we could have a decent fix ASAP. Then I created issues to enforce SSO if desired as well as for MFA for non-SSO, which I would love to get a few external comments on 🙂 https://github.com/fleetdm/fleet/issues/5478 and https://github.com/fleetdm/fleet/issues/4709

I’d go a minimum 12 char no enforced special characters or numbers myself personally, I assume passwords are key stretched appropriately with PDKDF2 or something?

I would also be good with min 12, no enforced special char or numbers. Also added a comment on the MFA issue.