From 47b7e667647e32260aa253a62a26bdad9d2de409 Mon Sep 17 00:00:00 2001
From: Shannon Sterz
Date: Fri, 4 Oct 2024 15:32:05 +0200
Subject: [PATCH] api: enforce a minimum length of 8 on new passwords when creating new users or updating existing passwords this new minimum is enforced which aligns with NIST's latest recommendations [1].
[1]: https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver
Signed-off-by: Shannon Sterz
---
 src/PVE/API2/AccessControl.pm | 2 +-
 src/PVE/API2/User.pm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index ee0775a..a984e7c 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -345,7 +345,7 @@ __PACKAGE__->register_method ({
 password => {
 description => "The new password.",
 type => 'string',
- minLength => 5,
+ minLength => 8,
 maxLength => 64,
 },
 'confirmation-password' => $PVE::API2::TFA::OPTIONAL_PASSWORD_SCHEMA,
diff --git a/src/PVE/API2/User.pm b/src/PVE/API2/User.pm
index 489d34f..535e58e 100644
--- a/src/PVE/API2/User.pm
+++ b/src/PVE/API2/User.pm
@@ -272,7 +272,7 @@ __PACKAGE__->register_method ({
 description => "Initial password.",
 type => 'string',
 optional => 1,
- minLength => 5,
+ minLength => 8,
 maxLength => 64
 },
 groups => get_standard_option('group-list'),
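Review bot: The new minimum of 8 is written as a bare literal in two separate schemas, `password` in src/PVE/API2/AccessControl.pm and the initial-password property in src/PVE/API2/User.pm, so the two can drift apart the next time the policy changes. The AccessControl.pm hunk already takes `confirmation-password` from a shared schema (`$PVE::API2::TFA::OPTIONAL_PASSWORD_SCHEMA`); defining the new-password constraints once in the same way would keep both endpoints aligned. Until then a comment at each site would help, e.g. `minLength => 8, # NIST SP 800-63B floor for new passwords; keep in sync with the other password schema`. The limit only applies where these two schemas are used, so any other code path that sets a password (none is visible in this patch) would need the same check, while verification of existing shorter passwords should stay unaffected. Both register_method calls start and end outside the hunks.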