
This answer from @Huhngut provides a succinct way to test the strength of passwords using the express-validator method isStrongPassword(). For example:

```javascript
// Validation chain from the referenced answer; the import is added so the
// fragment is a complete express-validator snippet.
const { body } = require('express-validator');

body('password').isStrongPassword({
  minLength: 12,
  minLowercase: 1,
  minUppercase: 1,
  minNumbers: 1,
  minSymbols: 1,
})
```

However, the code above allows me to enter anything into the password field, which makes me concerned that it could pose a security risk. I would like to ask:

  1. Which non-alphanumeric characters should be allowed?
  2. Is there a preferred express-validator method for implementing allowable characters, e.g. .matches()/.whitelist() etc.?
  3. Is there a recommended maximum length for passwords, and how should that be implemented since .isStrongPassword() doesn't have a maximum length option?

More generally I am trying to find the best practice for implementing logic within express-validator and node.js that minimizes the risk to my server while enforcing strong passwords.

stanley
  • This may be a controversial topic, but classic industry password strength standards foster insecure passwords. I'm not sure what Express uses specifically these days, but this should give a proper answer https://security.stackexchange.com/a/3924. – OFRBG Oct 21 '22 at 02:34
  • This information is best provided from an authoritative source, such as the National Institute of Standards and Technology. As of today, this is the current recommendation for [Digital Identity Guidelines: Authentication and Lifecycle Management](https://doi.org/10.6028/NIST.SP.800-63b). In the future, please visit the [publication webpage](https://www.nist.gov/publications/digital-identity-guidelines-authentication-and-lifecycle-management) for the latest revision. – David Moruzzi Oct 21 '22 at 02:42
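A stand-alone check that covers the three points the question raises (allowed characters, a maximum length, the character-class counts), added here as example code and not taken from the question, the answer it cites, or express-validator itself. SP 800-63B, linked in the comment above, asks verifiers to accept at least 64 characters, to permit all printing ASCII and Unicode, and to normalize with NFKC or NFC; so the function below applies NFKC, rejects only control characters, counts code points rather than UTF-16 units, and enforces an assumed cap of 128 UTF-8 bytes (in express-validator the same cap would be a chained `.isLength({ max })` or a `.custom()` validator).

```javascript
// Assumed policy; the class minimums mirror the isStrongPassword() options
// in the question, the byte cap is a choice made for this example.
const POLICY = {
  minLength: 12, maxBytes: 128,
  minLowercase: 1, minUppercase: 1, minNumbers: 1, minSymbols: 1,
};

function checkPassword(raw, policy = POLICY) {
  if (typeof raw !== 'string') {
    return { ok: false, errors: ['password must be a string'] };
  }
  const errors = [];
  // NFKC so visually identical inputs (e.g. ligatures) compare equal later.
  const pw = raw.normalize('NFKC');
  // Spread iterates code points, so an emoji counts as one character.
  const length = [...pw].length;
  const bytes = new TextEncoder().encode(pw).length;

  if (length < policy.minLength) errors.push(`fewer than ${policy.minLength} characters`);
  if (bytes > policy.maxBytes) errors.push(`more than ${policy.maxBytes} bytes`);
  // No whitelist: only control characters (\p{Cc}) are rejected.
  if (/\p{Cc}/u.test(pw)) errors.push('contains control characters');

  const count = (re) => (pw.match(re) || []).length;
  const classes = {
    lowercase: count(/\p{Ll}/gu),
    uppercase: count(/\p{Lu}/gu),
    numbers: count(/\p{Nd}/gu),
    // A symbol is anything that is neither a letter, a digit, nor whitespace.
    symbols: count(/[^\p{L}\p{N}\s]/gu),
  };
  for (const [name, n] of Object.entries(classes)) {
    const min = policy['min' + name[0].toUpperCase() + name.slice(1)];
    if (n < min) errors.push(`needs at least ${min} ${name}`);
  }
  return { ok: errors.length === 0, errors, length, bytes, classes };
}
```

A rejected password returns every failed rule at once, which is what a form would echo back to the user, while the byte count is the figure to compare against whatever limit the password hash you use imposes.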

0 Answers