Description
📑 I have found these related issues/pull requests
🔖 Feature description
NIST no longer recommends that passwords require special characters and numbers.
Note: the 15-character length is a recommendation and not mandatory to implement.
To my specific issue, I noticed when bootstrapping through ENV variables with UPTIME_KUMA_ADMIN_PASSWORD=mysimplepassword the password is flagged as not secure, which means bootstrapping compose files break.
During testing and bootstrapping stacks, placeholder passwords are often used and it is frustrating having to work around irrelevant requirements.
✔️ Solution
When I set a password for a user or administrator, I expect plain passwords (without numbers, symbols or other special characters) to be accepted as valid passwords.
When I set a password that does not meet some requirements, I expect to be issued a warning, and be allowed to overrule the warning.
If an algorithm is used to perform password complexity validations, I would like the ability to select my own and/or disable the complexity validation entirely (a disclaimer accepting the risk is fine).
I would like these changes to apply from initial setup, including UPTIME_KUMA_ADMIN_PASSWORD env variable values.
❓ Alternatives
I have considered disabling Auth as recommended in #852, which negates the necessity of strong passwords, but also negates any auth, which is undesirable and generally poor guidance.
📝 Additional Context
Quoted from https://pages.nist.gov/800-63-4/sp800-63b.html#password-authenticators
Password Authenticators
Passwords SHALL either be chosen by the subscriber or assigned randomly by the CSP.
If the CSP disallows a chosen password because it is on a blocklist of commonly used, expected, or compromised values (see Sec. 3.1.1.2), the subscriber SHALL be required to choose a different password. Other composition requirements for passwords SHALL NOT be imposed. A rationale for this is presented in Appendix A, Strength of Passwords.
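To make the quoted NIST rule concrete, here is an added example (not Uptime Kuma's own code) of a password check that rejects only blocklisted or too-short values and turns everything else into an overridable warning; the thresholds, the blocklist contents and the `context` parameter are assumptions chosen for this example, and `legacyCompositionCheck` is a typical composition rule shown for contrast, not the project's actual check.

```javascript
// Added example of a NIST SP 800-63B style password check (not Uptime Kuma's code).
// Hard rejections: blocklisted/expected values and a minimum length.
// Everything else, including missing digits or symbols, is at most a warning.
// Thresholds and blocklist contents below are assumptions for this example.

// Constructed blocklist: a real deployment would load a large list of common and
// breached passwords from disk; a few entries are enough to demonstrate the logic.
const BLOCKLIST = new Set(["password", "123456", "qwerty", "admin", "letmein"]);

function normalizePassword(password) {
    // NFKC so that visually identical Unicode input compares equal before checking.
    return password.normalize("NFKC");
}

function checkPassword(password, options = {}) {
    const { minLength = 8, recommendedLength = 15, blocklist = BLOCKLIST, context = [] } = options;
    const pw = normalizePassword(password);
    const lowered = pw.toLowerCase();
    const errors = [];
    const warnings = [];

    // Hard rule: a commonly used, expected or compromised value must be replaced.
    if (blocklist.has(lowered)) {
        errors.push("password is on the blocklist of commonly used values");
    }
    // Context-specific strings (username, service name) count as "expected" values.
    for (const word of context) {
        if (word && lowered.includes(word.toLowerCase())) {
            errors.push(`password contains expected value "${word}"`);
        }
    }
    // Count code points rather than UTF-16 units so that emoji count as one character.
    const length = [...pw].length;
    if (length < minLength) {
        errors.push(`password shorter than ${minLength} characters`);
    } else if (length < recommendedLength) {
        // Below the recommended length is advice the user may overrule, not a rejection.
        warnings.push(`password shorter than the recommended ${recommendedLength} characters`);
    }
    // Deliberately absent: any requirement for digits, symbols or mixed case.
    return { ok: errors.length === 0, errors, warnings };
}

// A typical composition rule, shown only to contrast with the check above:
// it fails a long plain phrase while passing a short one with a digit and symbol.
function legacyCompositionCheck(password) {
    return /[0-9]/.test(password) && /[^A-Za-z0-9]/.test(password);
}

module.exports = { checkPassword, legacyCompositionCheck, BLOCKLIST };
```

Run with `node` and call `checkPassword("mysimplepassword")`: it is accepted with no warnings under the NIST-style rule, while `legacyCompositionCheck` rejects it.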