Password Validation

It is common for passwords to have a set of requirements. The most obvious requirement being a minimum length, but another common requirement is for the password to at least include a certain amount of characters of a certain category, like uppercase and lowercase alphabetic characters, numbers and/or other special characters. Though, nowadays, this last type of requirement is discouraged by security experts.

This module provides an API which enables you to set up your own PasswordPolicy to validate the format of Passwords.

Recommendations by the NIST

For policy recommendations and more, look to the following publication by the National Institute of Standards and Technology (especially the addendum): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

A short summary:

• Enforcing inclusion of specific character types (like special characters, numbers, lowercase and uppercase letters) actually makes passwords less secure.
• The length of a password is the most important factor, so let users make their passwords as lengthy as they want, within reason. (keep in mind some algorithms have length limitations, like bcrypt's 72 character limit)
• Do allow spaces so users can use sentences for passwords.
• Showing the "strength" of user's passwords is advised. A good algorithm to use is zxcvbn.
• The best way to mitigate online attacks is to limit the rate of login attempts.

Password Policies

The most important part is to have a valid and robust PasswordPolicy.

A defaultPasswordPolicy_ is provided to quickly set up a NIST recommended validation of passwords, but you can also adjust it, or just create your own.

Just remember that a PasswordPolicy must be validated first to make sure it is actually a ValidPasswordPolicy. Otherwise, you'd never be able to validate any given Passwords.

Example usage

So let's say we're fine with the default policy, which requires the password to be between 8-64 characters, and doesn't enforce any specific character category usage, then our function would look like the following:

myValidateFunc :: Password -> Bool
myValidateFunc = isValidPassword defaultPasswordPolicy_

Custom policies

But, for example, if you'd like to enforce that a Password includes at least one special character, and be at least 12 characters long, you'll have to make your own PasswordPolicy.

customPolicy :: PasswordPolicy
customPolicy =
  defaultPasswordPolicy
    { minimumLength = 12
    , specialChars = 1
    }

This custom policy will then have to be validated first, so it can be used to validate Passwords further on.

Template Haskell

The easiest way to validate a custom PasswordPolicy is by using a Template Haskell splice. Just turn on the {-# LANGUAGE TemplateHaskell #-} pragma, pass your policy to validatePasswordPolicyTH, surround it by $(...) and if it compiles it will be a ValidPasswordPolicy.

customValidPolicy :: ValidPasswordPolicy
customValidPolicy = $(validatePasswordPolicyTH customPolicy)

NB: any custom CharSetPredicate will be ignored by validatePasswordPolicyTH and replaced with the defaultCharSetPredicate. So if you want to use your own CharSetPredicate, you won't be able to validate your policy using validatePasswordPolicyTH. Most users, however, will find defaultCharSetPredicate to be sufficient.

At runtime

Another way of validating your custom policy is validatePasswordPolicy. In an application, this might be implemented in the following way.

main :: IO ()
main =
    case (validatePasswordPolicy customPolicy) of
      Left reasons -> error $ show reasons
      Right validPolicy -> app `runReaderT` validPolicy

customValidateFunc :: Password -> ReaderT ValidPasswordPolicy IO Bool
customValidateFunc pwd = do
    policy <- ask
    return $ isValidPassword policy pwd

Let's get dangerous

Or, if you like living on the edge, you could also just match on Right. I hope you're certain your policy is valid, though. So please have at least a unit test to verify that passing your PasswordPolicy to validatePasswordPolicy actually returns a Right.

Right validPolicy = validatePasswordPolicy customPolicy

customValidateFunc :: Password -> Bool
customValidateFunc = isValidPassword validPolicy

The main function of this module is probably isValidPassword, as it is simple and straightforward.

Though if you'd want to know why a Password failed to validate, because you'd maybe like to communicate those InvalidReasons back to the user, validatePassword is here to help you out.

A PasswordPolicy has to be validated before it can be used to validate a Password. This is done using validatePasswordPolicy or validatePasswordPolicyTH.

Next to the obvious lower and upper bounds for the length of a Password, a PasswordPolicy can dictate how many lowercase letters, uppercase letters, digits and/or special characters are minimally required to be used in the Password to be considered a valid Password.

An observant user might have also seen that a PasswordPolicy includes a CharSetPredicate. Very few users will want to change this from the defaultCharSetPredicate, since this includes all non-control ASCII characters.

If, for some reason, you'd like to accept more characters (e.g. é, ø, か, 事) or maybe you want to only allow alpha-numeric characters, charSetPredicate is the place to do so.

These are used in the test suite. You should not need these.

These are basically internal functions and as such have NO guarantee (NONE) to be consistent between releases.