Bug: Minimum password requirement is less than 12 characters #7357

Open
dbaidya9006 opened this issue Apr 16, 2024 · 0 comments · May be fixed by #7358

Describe the bug

ASVS 2.1.1 (Verify that user set passwords are at least 12 characters in length (after multiple spaces are combined)).

CWE-521 (Weak Password Requirements)

OpenEMR accepts passwords 9 characters or greater, creating a conflict with the ASVS requirement above.

To Reproduce

When creating a new user:

  1. Open OpenEMR and login using username: admin and password: pass.
  2. Hover over Admin in the top menu bar.
  3. While hovering over Admin, click on Users.
  4. Select “Add User”
  5. The following are the requirements for the field inputs:
     • Username: test1
     • Password: choose an 11-character string such as: “Testing123!”
     • Your Password: pass
     • First Name: Test
     • Last Name: User
     • Access Control: Clinicians
  6. Click Save.

When changing password:

  1. Open OpenEMR and log in.
  2. Click on the profile icon at top-right and choose “Change Password.”
  3. Change password to an 11-character string such as: “Testing123!”
  4. Click “Save Changes.”

Expected behavior

Passwords set when creating a user or changing a password that are less than 12 characters should not be accepted.

Client configuration

Browser: Firefox 124.0.2 (64-bit)
OpenEMR version: v7.0.2
Operating system: Windows 11

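The following is an added reference check for the ASVS 2.1.1 rule described in this report. It is not OpenEMR code and does not show how OpenEMR validates passwords today; the 9-character current minimum and the “Testing123!” sample come from the report above, the 12-character minimum from ASVS 2.1.1, and everything else (function names, the extra sample strings) is constructed for illustration. It shows the two details a length check has to get right: runs of spaces are collapsed before counting, and the count is in characters, not bytes.

```python
import re

# Minimum length required by ASVS 2.1.1.
ASVS_MIN_LENGTH = 12
# Minimum that the bug report says OpenEMR currently enforces.
CURRENT_OPENEMR_MIN = 9


def normalize_password(password: str) -> str:
    """Collapse every run of two or more spaces into a single space,
    which is the "after multiple spaces are combined" clause of ASVS 2.1.1.
    Nothing else is altered; leading/trailing spaces and all other
    characters are kept."""
    return re.sub(r" {2,}", " ", password)


def effective_length(password: str) -> int:
    """Length in Unicode characters (code points) after space collapsing.
    Counting characters rather than bytes matters: a non-ASCII password
    is longer in UTF-8 bytes than in characters, so a byte-based count
    (for example PHP's strlen instead of mb_strlen) would accept
    passwords that are actually too short."""
    return len(normalize_password(password))


def meets_min_length(password: str, minimum: int = ASVS_MIN_LENGTH) -> bool:
    """True when the password satisfies the minimum-length policy."""
    return effective_length(password) >= minimum


def evaluate(password: str) -> dict:
    """Summarise one password against both minimums, so the gap the
    report describes is visible in a single result."""
    length = effective_length(password)
    return {
        "effective_length": length,
        "utf8_bytes": len(password.encode("utf-8")),
        "accepted_at_9": length >= CURRENT_OPENEMR_MIN,
        "accepted_at_12": length >= ASVS_MIN_LENGTH,
    }


if __name__ == "__main__":
    # Constructed samples: the report's 11-character string, a 12-character
    # variant, a space-padded string, and a non-ASCII string whose byte
    # length exceeds its character length.
    for sample in ["Testing123!", "Testing123!!", "abc      def", "Pässwörd123!"]:
        print(repr(sample), evaluate(sample))
```

Running the block prints one line per sample; “Testing123!” passes the 9-character minimum and fails the 12-character one, which is exactly the conflict the report describes, while “abc      def” counts as 7 characters rather than 12 once its six spaces collapse to one.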