api: enforce a minimum length of 8 on new passwords

when creating new users or updating existing passwords this new minimum is enforced which aligns with NIST's latest recommendations [1]. [1]: https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
2025-10-04 00:02:57 +00:00 · 2024-10-04 15:32:05 +02:00 · 2024-10-04 15:32:05 +02:00 · 47b7e66764
commit 47b7e66764
parent 84599db265
2 changed files with 2 additions and 2 deletions
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@ -345,7 +345,7 @@ __PACKAGE__->register_method ({
 	    password => {
 		description => "The new password.",
 		type => 'string',
-		minLength => 5,
+		minLength => 8,
 		maxLength => 64,
 	    },
 	    'confirmation-password' => $PVE::API2::TFA::OPTIONAL_PASSWORD_SCHEMA,
--- a/src/PVE/API2/User.pm
+++ b/src/PVE/API2/User.pm
@ -272,7 +272,7 @@ __PACKAGE__->register_method ({
 		description => "Initial password.",
 		type => 'string',
 		optional => 1,
-		minLength => 5,
+		minLength => 8,
 		maxLength => 64
 	    },
 	    groups => get_standard_option('group-list'),