Guacamole currently lacks support for enforcement of password policies within the existing authentication backends. This is not relevant for the backends which are read-only, but definitely makes a difference for the database authentication.
We should provide password policies in line with current de facto standards. Specifically, the following restrictions need to be supported:
- Minimum password age (how long before the password CAN be changed)
- Maximum password age (how long before the password MUST be changed)
- Minimum password length
- Minimum number of character classes:
- Must not contain the username
- Must not match last N passwords
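
The restrictions above can be evaluated together when a password change is submitted. The following is an added sketch, not Guacamole code: the `Policy` fields, their default values, the rule names, and the use of PBKDF2 for stored history are all assumptions made for illustration.

```python
import hashlib, hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Policy:  # hypothetical container; every default is a constructed sample value
    min_age: timedelta = timedelta(days=1)    # earliest a password CAN be changed
    max_age: timedelta = timedelta(days=90)   # latest a password MUST be changed
    min_length: int = 12
    min_classes: int = 3
    history_size: int = 5                     # the "N" in "last N passwords"

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: history is stored as salted PBKDF2-SHA256 digests.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def char_classes(password: str) -> int:
    # Classes counted: lowercase, uppercase, digit, anything non-alphanumeric.
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)

def must_change(policy: Policy, last_changed: datetime, now: datetime) -> bool:
    # Maximum age: true once the current password has expired.
    return now - last_changed >= policy.max_age

def check_change(policy, username, new_password, history, last_changed, now):
    """Return the violated rules. history is [(salt, digest)], newest first."""
    errors = []
    if now - last_changed < policy.min_age:
        errors.append("min_age")
    if len(new_password) < policy.min_length:
        errors.append("min_length")
    if char_classes(new_password) < policy.min_classes:
        errors.append("min_classes")
    # Case-insensitive match; an empty username would otherwise match everything.
    if username and username.casefold() in new_password.casefold():
        errors.append("contains_username")
    # Old plaintexts are never stored: rehash the candidate with each old salt.
    for salt, digest in history[:policy.history_size]:
        if hmac.compare_digest(hash_password(new_password, salt), digest):
            errors.append("reused")
            break
    return errors
```

Without the minimum-age rule, a user could change their password N times in a row to flush the history and return to the original one.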