From 75b1bd015c4d59755eceec81d2b6d1ff0ed0761a Mon Sep 17 00:00:00 2001 From: Joao Lima Date: Sat, 14 Mar 2026 21:53:16 +0100 Subject: [PATCH] feat: enforce minimum password length of 8 characters with warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The $GEN password generator previously allowed passwords as short as 4 characters. This raises the minimum to 8 (NIST SP 800-63B) and logs a warning when the requested length is below minimum, so users with legacy system constraints see what happened. Changes: - Raise minimum from 4 to 8 for rand algorithm - Log warning when requested length is clamped - Update help text examples to use $GEN (default length 20) - Fix typo in help text (algorith → algorithm) - Document character types included by default The default length (20) and maximum (200) are unchanged. The dice and crypto algorithms are unaffected. --- keepercommander/commands/record_edit.py | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/keepercommander/commands/record_edit.py b/keepercommander/commands/record_edit.py index 87676deff..63c9ab4e7 100644 --- a/keepercommander/commands/record_edit.py +++ b/keepercommander/commands/record_edit.py @@ -183,8 +183,10 @@ Value Field type Description Example ==================== =============== =================== ============== $GEN:[alg],[n] password Generates a random password $GEN:dice,5 - Default algorith is rand alg: [rand | dice | crypto] - Optional: password length + Default algorithm is rand alg: [rand | dice | crypto] + Optional: length (min 8) $GEN or $GEN:rand,24 + Includes upper, lower, + digits, and symbols $GEN oneTimeCode Generates TOTP URL $GEN:[alg,][enc] keyPair Generates a key pair and $GEN:ec,enc optional passcode alg: [rsa | ec | ed25519], enc 
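Review bot: The added help line `Optional: length (min 8)` sits in the shared `$GEN:[alg],[n]` row, whose own example is `$GEN:dice,5`, so it reads as if the floor of 8 applied to every algorithm. The commit message says dice and crypto are unaffected, and the clamp in the third hunk sits in the `else:` branch after the Diceware generator is built, so the text should name the algorithm, for example `Optional: length (rand: min 8)`, re-aligned to the table columns. The help string starts and ends outside this hunk.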
@@ -205,8 +207,8 @@ pam config new --environment=local --title=config1 --gateway=gateway1 -sf=SHARED_FOLDER_UID \ --connections=on --tunneling=on --rotation=on --remote-browser-isolation=on -record-add --folder=SHARED_FOLDER_UID --title=admin1 -rt=pamUser login=admin1 password="$GEN:rand,16" -record-add --folder=SHARED_FOLDER_UID --title=user1 -rt=pamUser login=user1 password="$GEN:rand,16" +record-add --folder=SHARED_FOLDER_UID --title=admin1 -rt=pamUser login=admin1 password="$GEN" +record-add --folder=SHARED_FOLDER_UID --title=user1 -rt=pamUser login=user1 password="$GEN" record-add --folder=SHARED_FOLDER_UID --title=machine1 -rt=pamMachine \ pamHostname="$JSON:{\"hostName\": \"127.0.0.1\", \"port\": \"22\"}" @@ -416,8 +418,9 @@ def generate_password(parameters=None): # type: (Optional[Sequence[str]]) -> s gen = generator.DicewarePasswordGenerator(length) else: if isinstance(length, int): - if length < 4: - length = 4 + if length < 8: + logging.warning('Password length %d is below minimum 8. Using 8.', length) + length = 8 elif length > 200: length = 200 else:
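Review bot: The `elif length > 200:` branch in the last hunk still clamps silently, so a request above the ceiling is shortened to 200 without the kind of message the new lower clamp emits; a matching `logging.warning('Password length %d is above maximum 200. Using 200.', length)` there would make both adjustments visible. The floor is written three times in the added lines (comparison, message text, assignment) and once more in the help text of the first hunk, so a module-level constant passed to the message as a `%d` argument would keep them in step. Because the generated password no longer has the requested length, scripted callers depend on that warning being shown, so it is worth confirming that the default log level displays it. `generate_password` starts and ends outside the hunk.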