coder · kylecarbs · Feb 8, 2023 · Feb 7, 2023 · Feb 7, 2023 · Feb 7, 2023
diff --git a/cli/login.go b/cli/login.go
@@ -19,6 +19,7 @@ import (
 
 	"github.com/coder/coder/cli/cliflag"
 	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/userpassword"
 	"github.com/coder/coder/codersdk"
 )
 
@@ -152,16 +153,19 @@ func login() *cobra.Command {
 
 					for !matching {
 						password, err = cliui.Prompt(cmd, cliui.PromptOptions{
-							Text:     "Enter a " + cliui.Styles.Field.Render("password") + ":",
-							Secret:   true,
-							Validate: cliui.ValidateNotEmpty,
+							Text:   "Enter a " + cliui.Styles.Field.Render("password") + ":",
+							Secret: true,
+							Validate: func(s string) error {
+								return userpassword.Validate(s)
+							},
 						})
 						if err != nil {
 							return xerrors.Errorf("specify password prompt: %w", err)
 						}
 						confirm, err := cliui.Prompt(cmd, cliui.PromptOptions{
-							Text:   "Confirm " + cliui.Styles.Field.Render("password") + ":",
-							Secret: true,
+							Text:     "Confirm " + cliui.Styles.Field.Render("password") + ":",
+							Secret:   true,
+							Validate: cliui.ValidateNotEmpty,
 						})
 						if err != nil {
 							return xerrors.Errorf("confirm password prompt: %w", err)

diff --git a/cli/login_test.go b/cli/login_test.go
@@ -54,8 +54,8 @@ func TestLogin(t *testing.T) {
 			"first user?", "yes",
 			"username", "testuser",
 			"email", "user@coder.com",
-			"password", "password",
-			"password", "password", // Confirm.
+			"password", "SomeSecurePassword!",
+			"password", "SomeSecurePassword!", // Confirm.
 			"trial", "yes",
 		}
 		for i := 0; i < len(matches); i += 2 {
@@ -89,8 +89,8 @@ func TestLogin(t *testing.T) {
 			"first user?", "yes",
 			"username", "testuser",
 			"email", "user@coder.com",
-			"password", "password",
-			"password", "password", // Confirm.
+			"password", "SomeSecurePassword!",
+			"password", "SomeSecurePassword!", // Confirm.
 			"trial", "yes",
 		}
 		for i := 0; i < len(matches); i += 2 {
@@ -107,7 +107,7 @@ func TestLogin(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, nil)
 		doneChan := make(chan struct{})
-		root, _ := clitest.New(t, "login", client.URL.String(), "--first-user-username", "testuser", "--first-user-email", "user@coder.com", "--first-user-password", "password", "--first-user-trial")
+		root, _ := clitest.New(t, "login", client.URL.String(), "--first-user-username", "testuser", "--first-user-email", "user@coder.com", "--first-user-password", "SomeSecurePassword!", "--first-user-trial")
 		pty := ptytest.New(t)
 		root.SetIn(pty.Input())
 		root.SetOut(pty.Output())
@@ -143,8 +143,8 @@ func TestLogin(t *testing.T) {
 			"first user?", "yes",
 			"username", "testuser",
 			"email", "user@coder.com",
-			"password", "mypass",
-			"password", "wrongpass", // Confirm.
+			"password", "MyFirstSecurePassword!",
+			"password", "MyNonMatchingSecurePassword!", // Confirm.
 		}
 		for i := 0; i < len(matches); i += 2 {
 			match := matches[i]
@@ -157,9 +157,9 @@ func TestLogin(t *testing.T) {
 		pty.ExpectMatch("Passwords do not match")
 		pty.ExpectMatch("Enter a " + cliui.Styles.Field.Render("password"))
 
-		pty.WriteLine("pass")
+		pty.WriteLine("SomeSecurePassword!")
 		pty.ExpectMatch("Confirm")
-		pty.WriteLine("pass")
+		pty.WriteLine("SomeSecurePassword!")
 		pty.ExpectMatch("trial")
 		pty.WriteLine("yes")
 		pty.ExpectMatch("Welcome to Coder")

diff --git a/cli/resetpassword.go b/cli/resetpassword.go
@@ -50,9 +50,11 @@ func resetPassword() *cobra.Command {
 			}
 
 			password, err := cliui.Prompt(cmd, cliui.PromptOptions{
-				Text:     "Enter new " + cliui.Styles.Field.Render("password") + ":",
-				Secret:   true,
-				Validate: cliui.ValidateNotEmpty,
+				Text:   "Enter new " + cliui.Styles.Field.Render("password") + ":",
+				Secret: true,
+				Validate: func(s string) error {
+					return userpassword.Validate(s)
+				},
 			})
 			if err != nil {
 				return xerrors.Errorf("password prompt: %w", err)

diff --git a/cli/resetpassword_test.go b/cli/resetpassword_test.go
@@ -28,8 +28,8 @@ func TestResetPassword(t *testing.T) {
 
 	const email = "some@one.com"
 	const username = "example"
-	const oldPassword = "password"
-	const newPassword = "password2"
+	const oldPassword = "MyOldPassword!"
+	const newPassword = "MyNewPassword!"
 
 	// start postgres and coder server processes
 

diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -428,7 +428,7 @@ func NewExternalProvisionerDaemon(t *testing.T, client *codersdk.Client, org uui
 var FirstUserParams = codersdk.CreateFirstUserRequest{
 	Email:    "testuser@coder.com",
 	Username: "testuser",
-	Password: "testpass",
+	Password: "SomeSecurePassword!",
 }
 
 // CreateFirstUser creates a user with preset credentials and authenticates
@@ -455,7 +455,7 @@ func createAnotherUserRetry(t *testing.T, client *codersdk.Client, organizationI
 	req := codersdk.CreateUserRequest{
 		Email:          namesgenerator.GetRandomName(10) + "@coder.com",
 		Username:       randomUsername(),
-		Password:       "testpass",
+		Password:       "SomeSecurePassword!",
 		OrganizationID: organizationID,
 	}
 

diff --git a/coderd/userpassword/userpassword.go b/coderd/userpassword/userpassword.go
@@ -10,6 +10,7 @@ import (
 	"strconv"
 	"strings"
 
+	passwordvalidator "github.com/wagslane/go-password-validator"
 	"golang.org/x/crypto/pbkdf2"
 	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
@@ -125,15 +126,14 @@ func hashWithSaltAndIter(password string, salt []byte, iter int) string {
 // Validate checks that the plain text password meets the minimum password requirements.
 // It returns properly formatted errors for detailed form validation on the client.
 func Validate(password string) error {
-	const (
-		minLength = 8
-		maxLength = 64
-	)
-	if len(password) < minLength {
-		return xerrors.Errorf("Password must be at least %d characters.", minLength)
+	// Ensure passwords are secure enough!
+	// See: https://github.com/wagslane/go-password-validator#what-entropy-value-should-i-use
+	err := passwordvalidator.Validate(password, 52)
+	if err != nil {
+		return err
 	}
-	if len(password) > maxLength {
-		return xerrors.Errorf("Password must be no more than %d characters.", maxLength)
+	if len(password) > 64 {
+		return xerrors.Errorf("password must be no more than %d characters", 64)
 	}
 	return nil
 }
diff --git a/coderd/users.go b/coderd/users.go
@@ -105,6 +105,18 @@ func (api *API) postFirstUser(rw http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	err = userpassword.Validate(createUser.Password)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Password not strong enough!",
+			Validations: []codersdk.ValidationError{{
+				Field:  "password",
+				Detail: err.Error(),
+			}},
+		})
+		return
+	}
+
 	user, organizationID, err := api.CreateUser(ctx, api.Database, CreateUserRequest{
 		CreateUserRequest: codersdk.CreateUserRequest{
 			Email:    createUser.Email,
@@ -316,6 +328,18 @@ func (api *API) postUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	err = userpassword.Validate(req.Password)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Password not strong enough!",
+			Validations: []codersdk.ValidationError{{
+				Field:  "password",
+				Detail: err.Error(),
+			}},
+		})
+		return
+	}
+
 	user, _, err := api.CreateUser(ctx, api.Database, CreateUserRequest{
 		CreateUserRequest: req,
 		LoginType:         database.LoginTypePassword,