blueprints: add default Password policy

authentik/policies/password/models.py

@@ -89,6 +89,10 @@
 
     def passes_static(self, password: str, request: PolicyRequest) -> PolicyResult:
         """Check static rules"""
+        error_message = self.error_message
+        if error_message == "":
+            error_message = _("Invalid password.")
+
         if len(password) < self.length_min:
             LOGGER.debug("password failed", check="static", reason="length")
             return PolicyResult(False, self.error_message)

blueprints/default/flow-password-change.yaml

@@ -11,6 +11,16 @@ entries:
     slug: default-password-change
   model: authentik_flows.flow
   id: flow
+- attrs:
+    check_static_rules: true
+    check_zxcvbn: true
+    length_min: 8
+    password_field: password
+    zxcvbn_score_threshold: 2
+  identifiers:
+    name: default-password-change-password-policy
+  id: default-password-change-password-policy
+  model: authentik_policies_password.passwordpolicy
 - attrs:
     order: 300
     placeholder: Password
@@ -39,6 +49,8 @@ entries:
     fields:
     - !KeyOf prompt-field-password
     - !KeyOf prompt-field-password-repeat
+    validation_policies:
+    - !KeyOf default-password-change-password-policy
   identifiers:
     name: default-password-change-prompt
   id: default-password-change-prompt

website/docs/customize/policies/index.md

@@ -32,6 +32,10 @@ This policy can enforce regular password rotation by expiring set passwords afte
 
 ### Password Policy
 
+:::warning
+This policy enables options that violate [NIST's recommendations](https://pages.nist.gov/800-63-4/sp800-63b.html#password) for passwords. To comply with the recommendations, use authentik's default Password policy. See [Hardening authentik](../../security/security-hardening.md#password-policy) for additional hardening.
+:::
+
 This policy allows you to specify password rules, such as length and required characters.
 The following rules can be set:
 

website/docs/security/security-hardening.md

@@ -4,6 +4,17 @@ title: Hardening authentik
 
 While authentik is secure out of the box, you can take steps to further increase the security of an authentik instance. As everyone knows, there is a consequential tradeoff between security and convenience. All of these hardening practices have an impact on the user experience and should only be applied knowing this tradeoff.
 
+### Password policy
+
+authentik's default Password policy complies with the [NIST SP 800-63 Digital Identity Guidelines](https://pages.nist.gov/800-63-4/sp800-63b.html#password).
+
+However, for further hardening compliant to the NIST Guidelines, consider
+
+-   setting the length of the password to a minimum of 15 characters, and
+-   enabling the "Check haveibeenpwned.com" blocklist comparison
+
+For further options, see [Password policy](../customize/policies/index.md#password-policy).
+
 ### Expressions
 
 [Expressions](../customize/policies/expression.mdx) allow super-users and other highly privileged users to create custom logic within authentik to modify its behaviour. Editing/creating these expressions is, by default, limited to super-users and any related events are fully logged.