AO3-7260 Increase required password length

config/config.yml

@@ -118,10 +118,10 @@ ICON_COMMENT_MAX: 50
 ICON_SIZE_KB_MAX: 500
 LOGIN_LENGTH_MIN: 3
 LOGIN_LENGTH_MAX: 40
-PASSWORD_LENGTH_MIN: 6
-PASSWORD_LENGTH_MAX: 40
+PASSWORD_LENGTH_MIN: 8
+PASSWORD_LENGTH_MAX: 72
 ADMIN_PASSWORD_LENGTH_MIN: 10
-ADMIN_PASSWORD_LENGTH_MAX: 40
+ADMIN_PASSWORD_LENGTH_MAX: 72
 ADMIN_TOTP_BACKUP_CODE_LENGTH: 16
 ADMIN_TOTP_BACKUP_CODE_COUNT: 10
 

config/locales/views/en.yml

@@ -2766,7 +2766,7 @@ en:
         confirm_password_validation: Please enter the same password in both fields.
         password: Password
         password_requirements: "%{minimum} to %{maximum} characters"
-        password_validation: Please enter a password! (At least %{minimum} letters long, please.)
+        password_validation: Please enter a password! (At least %{minimum} characters long, please.)
         username: Username
         username_requirements: "%{minimum} to %{maximum} characters (A-Z, a-z, _, 0-9 only), no spaces, cannot begin or end with underscore (_)"
         username_validation: You need a username! (At least %{minimum} letters long, please.)

features/users/authenticate_users.feature

@@ -6,7 +6,7 @@ Feature: User Authentication
     Given I have no users
       And the following activated user exists
       | email           | login | password |
-      | sam@example.com | sam   | secret   |
+      | sam@example.com | sam   | secret12 |
       And all emails have been delivered
     When I am on the home page
       And I fill in "Username or email:" with "sam"
@@ -28,7 +28,7 @@ Feature: User Authentication
     # existing password should still work
     When I am on the homepage
       And I fill in "Username or email:" with "sam"
-      And I fill in "Password:" with "secret"
+      And I fill in "Password:" with "secret12"
       And I press "Log In"
     Then I should see "Hi, sam"
 
@@ -44,7 +44,7 @@ Feature: User Authentication
 
     # entering mismatched passwords should produce an error message
     When I fill in "New password" with "secret"
-      And I fill in "Confirm new password" with "newpass"
+      And I fill in "Confirm new password" with "newpass12"
       And I press "Change Password"
     Then I should see "We couldn't save this user because:"
       And I should see "The passwords you entered do not match. Please try again."
@@ -88,7 +88,7 @@ Feature: User Authentication
     Given I have no users
       And the following activated user exists
       | email           | login | password |
-      | sam@example.com | sam   | secret   |
+      | sam@example.com | sam   | secret12 |
       And all emails have been delivered
     When I request a password reset for "sam"
     Then I should see "You must enter your email address."
@@ -99,7 +99,7 @@ Feature: User Authentication
     Given I have no users
       And the following activated user exists
       | email           | login | password |
-      | sam@example.com | sam   | secret   |
+      | sam@example.com | sam   | secret12 |
       And all emails have been delivered
     When I request a password reset for "1@example.com"
     Then I should see "If the email address you entered is currently associated with an AO3 account, you should receive an email with instructions to reset your password."
@@ -127,8 +127,8 @@ Feature: User Authentication
       And 1 email should be delivered to "sam@example.com"
     When I follow "use this link to choose a new password" in the email
       And all emails have been delivered
-      And I fill in "New password" with "newpass"
-      And I fill in "Confirm new password" with "newpass"
+      And I fill in "New password" with "newpass12"
+      And I fill in "Confirm new password" with "newpass12"
       And I press "Change Password"
     Then I should see "Your password has been changed."
       And 1 email should be delivered to "sam"
@@ -146,8 +146,8 @@ Feature: User Authentication
       And 1 email should be delivered
     When I start a new session
       And I follow "use this link to choose a new password" in the email
-      And I fill in "New password" with "newpass"
-      And I fill in "Confirm new password" with "newpass"
+      And I fill in "New password" with "newpass12"
+      And I fill in "Confirm new password" with "newpass12"
       And I press "Change Password"
     Then I should see "Your password has been changed."
       And I should see "Hi, sam"
@@ -164,8 +164,8 @@ Feature: User Authentication
     When it is currently 2 weeks from now
       And I start a new session
       And I follow "use this link to choose a new password" in the email
-      And I fill in "New password" with "newpass"
-      And I fill in "Confirm new password" with "newpass"
+      And I fill in "New password" with "newpass12"
+      And I fill in "Confirm new password" with "newpass12"
       And I press "Change Password"
     Then I should see "We couldn't save this user because:"
       And I should see "Reset password token has expired, please request a new one"
@@ -208,8 +208,8 @@ Feature: User Authentication
     Then I should not see "Password Reset" within "#user_history"
     When I start a new session
       And I follow "use this link to choose a new password" in the email
-      And I fill in "New password" with "newpass"
-      And I fill in "Confirm new password" with "newpass"
+      And I fill in "New password" with "newpass12"
+      And I fill in "Confirm new password" with "newpass12"
       And I press "Change Password"
     Then I should see "Your password has been changed."
     When I am logged in as a super admin
@@ -252,7 +252,7 @@ Feature: User Authentication
     Given I have no users
       And the following activated user exists
       | login    | password |
-      | sam      | secret   |
+      | sam      | secret12 |
       And all emails have been delivered
     When I am on the home page
       And I fill in "Username or email:" with "sammy"
@@ -264,7 +264,7 @@ Feature: User Authentication
     Given I have no users
       And the following activated user exists
       | login    | password |
-      | sam      | secret   |
+      | sam      | secret12 |
       And all emails have been delivered
     When I am on the home page
       And I fill in "Username or email:" with "sam"

features/users/user_create.feature

@@ -19,8 +19,8 @@ Feature: Sign Up for a new account
       | field                                   | value          | error                                           |
       | user_registration_login                 | xx             | Username is too short (minimum is 3 characters)|
       | user_registration_login                 | 87151d8ae964d55515cb986d40394f79ca5c8329c07a8e59f2f783cbfbe401f69a780f27277275b7b2 | Username is too long (maximum is 40 characters)    |
-      | user_registration_password              | pass           | Password is too short (minimum is 6 characters) |
-      | user_registration_password              | 87151d8ae964d55515cb986d40394f79ca5c8329c07a8e59f2f783cbfbe401f69a780f27277275b7b2 | Password is too long (maximum is 40 characters)    |
+      | user_registration_password              | pass           | Password is too short (minimum is 8 characters) |
+      | user_registration_password              | 87151d8ae964d55515cb986d40394f79ca5c8329c07a8e59f2f783cbfbe401f69a780f27277275b7b2eJKL9012 | Password is too long (maximum is 72 characters)    |
       | user_registration_password_confirmation | password2      | The passwords you entered do not match. Please try again.|
       | user_registration_email                 |                | Email should look like an email address         |
       | user_registration_email                 | fake@fake@fake | Email should look like an email address         |

features/users/user_delete.feature

@@ -19,7 +19,7 @@ Scenario: If I delete a user with no works, the user should be deleted without a
     And I should be logged out
 
 Scenario: If a user chooses "Delete Completely" when removing their account,  delete the works associated with that user
-  Given I am logged in as "otheruser" with password "secret"
+  Given I am logged in as "otheruser" with password "secret12"
     And all emails have been delivered
     And I post the work "To be deleted"
   When I try to delete my account as otheruser
@@ -36,7 +36,7 @@ Scenario: If a user chooses "Delete Completely" when removing their account,  de
 
 Scenario: Allow a user to orphan their works when deleting their account
   Given I have an orphan account
-  When I am logged in as "orphaner" with password "secret"
+  When I am logged in as "orphaner" with password "secret12"
     And all emails have been delivered
     And I post the work "To be orphaned"
     And I go to the works page

features/users/user_edit.feature

@@ -40,7 +40,7 @@ Feature:
     Given I have no users
       And the following activated user exists
       | login     | password |
-      | otheruser | secret   |
+      | otheruser | secret12 |
       And I am logged in as "downthemall" with password "password"
     When I visit the change username page for downthemall
       And I fill in "New username" with "otheruser"
@@ -52,7 +52,7 @@ Feature:
     Given I have no users
       And the following activated user exists
       | login     | password |
-      | otheruser | secret   |
+      | otheruser | secret12 |
       And I am logged in as "downthemall" with password "password"
     When I visit the change username page for downthemall
       And I fill in "New username" with "OtherUser"
@@ -124,12 +124,12 @@ Feature:
     Given I have no users
       And the following activated user exists
       | login         | password | id |
-      | oldusername   | secret   | 1  |
+      | oldusername   | secret12 | 1  |
       And a pseud exists with name: "newusername", user_id: 1
-      And I am logged in as "oldusername" with password "secret"
+      And I am logged in as "oldusername" with password "secret12"
     When I visit the change username page for oldusername
       And I fill in "New username" with "newusername"
-      And I fill in "Password" with "secret"
+      And I fill in "Password" with "secret12"
       And I press "Change Username"
     Then I should get confirmation that I changed my username
       And I should see "Hi, newusername"
@@ -247,12 +247,12 @@ Feature:
       Given I have no users
         And the following activated user exists
           | login     | password |
-          | forbidden | secret   |
+          | forbidden | secret12 |
         And the username "forbidden" is on the forbidden list
-      When I am logged in as "forbidden" with password "secret"
+      When I am logged in as "forbidden" with password "secret12"
         And I visit the change username page for forbidden
         And I fill in "New username" with "notforbidden"
-        And I fill in "Password" with "secret"
+        And I fill in "Password" with "secret12"
         And I press "Change Username"
       Then I should get confirmation that I changed my username
         And I should see "Hi, notforbidden"

features/works/chapter_edit.feature

@@ -203,7 +203,7 @@ Feature: Edit chapters
 
   Scenario: Create a work and add a draft chapter, edit the draft chapter, and save changes to the draft chapter without previewing or posting
   Given basic tags
-    And I am logged in as "moose" with password "muffin"
+    And I am logged in as "moose" with password "muffin12"
   When I go to the new work page
   Then I should see "Post New Work"
     And I select "General Audiences" from "Rating"

spec/requests/rack_attack_spec.rb

@@ -15,7 +15,7 @@ def unique_ip_env
   end
 
   def unique_user_params
-    { user: { login: generate(:login), password: "secret" } }
+    { user: { login: generate(:login), password: "secret12" } }
   end
 
   def unique_admin_params