Page MenuHomePhabricator

Verify that VCS Password does not match LDAP Password
Closed, WontfixPublic

Description

The VCS Password exists in phabricator to prevent users from exposing their sensitive credentials when running git commands or on the phabricator server itself (e.g. in the output of ps aux). It would be great if when a user sets their VCS Password phabricator would check the new password and make sure it does not match the LDAP password (try to do an LDAP auth). If it does match, prevent the user from setting the VCS Password.

Event Timeline

epriestley added a subscriber: epriestley.
epriestley triaged this task as Wishlist priority.

This is via discussion on IRC, but the request captures it pretty well.

We already check against the Phabricator password, but could additionally check against other password-based authentication sources.

epriestley moved this task from Backlog to Future on the Feature Request board.Feb 20 2016, 12:36 PM
epriestley closed this task as Wontfix.Dec 12 2018, 7:45 PM
epriestley claimed this task.

Password management is in good shape after T13043 , and this would now be fairly easy to implement in a general way by adding a check in PhabricatorAuthPasswordEngine->isUniquePassword().

There's currently no modularity around password engines and this request generally feels like a large amount of complexity for a very marginal benefit -- requiring unique passwords is relatively marginal in the first place. I don't think the complexity is worthwhile, and we don't have any adjacent requests to help justify the complexity, so I'm not inclined to pursue it in the upstream.