UserAutentication Password Complexity and History (Bugzilla Bug 4709)

[tianocore-issues]

This issue was created automatically with bugzilla2github

Bugzilla Bug 4709

Date: 2024-02-23T13:21:43+00:00
From: @jkmathews
To: @nate-desimone
CC: @lgao4

Last updated: 2024-03-05T21:51:46+00:00

[tianocore-issues]

Comment 22645

Date: 2024-02-23 13:21:43 +0000
From: @jkmathews

• Industry Specification: ---
• Release Observed: edk2-stable202302
• Releases to Fix: EDK II Master
• Target OS: ---
• Bugzilla Assignee(s): @nate-desimone

Recommend considering stronger password requirements.

IsPasswordStrong() checks for password complexity requirements. As shown below, it does bare minimal checking for existence of uppercase, lowercase, numeral, and symbol. A password with repeating characters would be an acceptable password, such as 1!Aaaaaa.

IsPasswordInHistory() checks if the password hash of the password being entered matches the hash of the previous 5 passwords.

edk2-platforms/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c

Line 383 in 7f42d40

IsPasswordInHistory (

edk2-platforms/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c

Line 336 in 7f42d40

IsPasswordStrong (

[tianocore-issues]

Comment 22701

Date: 2024-03-05 21:51:46 +0000
From: @lgao4

[email protected]: please check it.