ACP2E-4044: [QUANS]Admin Password Policy Does Not Meet PCI DSS 4.0 Compliance (Minimum 12 Characters)

Author: thiaramus

app/code/Magento/Backend/Model/Config/Password/MinimumLength.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Backend\Model\Config\Password;
+
+use Magento\Framework\App\Config\Value;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\User\Model\UserValidationRules;
+
+/**
+ * Backend model for admin minimum password length configuration
+ */
+class MinimumLength extends Value
+{
+    /**
+     * Validate the minimum password length value
+     *
+     * @return $this
+     * @throws LocalizedException
+     */
+    public function beforeSave()
+    {
+        $value = (int) $this->getValue();
+
+        if ($value < UserValidationRules::MIN_PASSWORD_LENGTH) {
+            throw new LocalizedException(
+                __(
+                    'The minimum admin password length must be at least %1 characters.',
+                    UserValidationRules::MIN_PASSWORD_LENGTH
+                )
+            );
+        }
+
+        return parent::beforeSave();
+    }
+}

app/code/Magento/Backend/etc/adminhtml/system.xml

@@ -461,6 +461,12 @@
                     <validate>required-entry integer validate-greater-than-zero</validate>
                     <backend_model>Magento\Config\Model\Config\Backend\Admin\Password\Link\Expirationperiod</backend_model>
                 </field>
+                <field id="minimum_password_length" translate="label comment" type="text" sortOrder="8" showInDefault="1" canRestore="1">
+                    <label>Minimum Admin Password Length</label>
+                    <comment>Minimum number of characters required for admin user passwords.</comment>
+                    <validate>required-entry validate-digits validate-digits-range digits-range-7-65535</validate>
+                    <backend_model>Magento\Backend\Model\Config\Password\MinimumLength</backend_model>
+                </field>
                 <field id="use_form_key" translate="label" type="select" sortOrder="10" showInDefault="1" canRestore="1">
                     <label>Add Secret Key to URLs</label>
                     <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>

app/code/Magento/Backend/etc/config.xml

@@ -11,6 +11,9 @@
             <dashboard>
                 <enable_charts>0</enable_charts>
             </dashboard>
+            <security>
+                <minimum_password_length>7</minimum_password_length>
+            </security>
         </admin>
         <dev>
             <template>

app/code/Magento/Backend/i18n/en_US.csv

@@ -467,3 +467,5 @@ Pagination,Pagination
 "Use URL parameter to enable template path hints for Storefront","Use URL parameter to enable template path hints for Storefront"
 "Add the following parameter to the URL to show template hints ?templatehints=[parameter_value]","Add the following parameter to the URL to show template hints ?templatehints=[parameter_value]"
 "URL key "%1" matches a reserved endpoint name (%2). Use another URL key.","URL key "%1" matches a reserved endpoint name (%2). Use another URL key."
+"Minimum Admin Password Length","Minimum Admin Password Length"
+"Minimum number of characters required for admin user passwords.","Minimum number of characters required for admin user passwords."

app/code/Magento/Ui/i18n/en_US.csv

@@ -85,6 +85,7 @@ Keyword,Keyword
 "Please enter a valid email address (Ex: [email protected]).","Please enter a valid email address (Ex: [email protected])."
 "Please enter 6 or more characters. Leading and trailing spaces will be ignored.","Please enter 6 or more characters. Leading and trailing spaces will be ignored."
 "Please enter 7 or more characters, using both numeric and alphabetic.","Please enter 7 or more characters, using both numeric and alphabetic."
+"Please enter %1 or more characters, using both numeric and alphabetic.","Please enter %1 or more characters, using both numeric and alphabetic."
 "Minimum length of this field must be equal or greater than %1 symbols. Leading and trailing spaces will be ignored.","Minimum length of this field must be equal or greater than %1 symbols. Leading and trailing spaces will be ignored."
 "Minimum of different classes of characters in password is %1. Classes of characters: Lower Case, Upper Case, Digits, Special Characters.","Minimum of different classes of characters in password is %1. Classes of characters: Lower Case, Upper Case, Digits, Special Characters."
 "Please enter a valid URL. Protocol is required (http://, https:// or ftp://).","Please enter a valid URL. Protocol is required (http://, https:// or ftp://)."

app/code/Magento/User/Block/User/Edit/Tab/Main.php

@@ -1,13 +1,14 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2012 Adobe
+ * All Rights Reserved.
  */
 
 namespace Magento\User\Block\User\Edit\Tab;
 
 use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Locale\OptionInterface;
+use Magento\User\Model\UserValidationRules;
 
 /**
  * Cms page edit form main tab
@@ -16,7 +17,7 @@
  */
 class Main extends \Magento\Backend\Block\Widget\Form\Generic
 {
-    const CURRENT_USER_PASSWORD_FIELD = 'current_password';
+    public const CURRENT_USER_PASSWORD_FIELD = 'current_password';
 
     /**
      * @var \Magento\Backend\Model\Auth\Session
@@ -199,6 +200,17 @@ protected function _prepareForm()
         return parent::_prepareForm();
     }
 
+    /**
+     * Get minimum password length from configuration
+     *
+     * @return int
+     */
+    public function getMinimumPasswordLength(): int
+    {
+        return (int) $this->_scopeConfig->getValue('admin/security/minimum_password_length') ?:
+            UserValidationRules::MIN_PASSWORD_LENGTH;
+    }
+
     /**
      * Add password input fields
      *
@@ -215,6 +227,8 @@ protected function _addPasswordFields(
         $isRequired = false
     ) {
         $requiredFieldClass = $isRequired ? ' required-entry' : '';
+        $minLength = $this->getMinimumPasswordLength();
+        
         $fieldset->addField(
             'password',
             'password',
@@ -223,7 +237,7 @@ protected function _addPasswordFields(
                 'label' => $passwordLabel,
                 'id' => 'customer_pass',
                 'title' => $passwordLabel,
-                'class' => 'input-text validate-admin-password' . $requiredFieldClass,
+                'class' => 'input-text validate-admin-password admin-password-min-' . $minLength . $requiredFieldClass,
                 'required' => $isRequired
             ]
         );

app/code/Magento/User/Model/UserValidationRules.php

@@ -7,6 +7,8 @@
 namespace Magento\User\Model;
 
 use Laminas\Validator\Identical;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Validator\DataObject;
 use Magento\Framework\Validator\EmailAddress;
 use Magento\Framework\Validator\NotEmpty;
@@ -22,9 +24,38 @@
 class UserValidationRules
 {
     /**
-     * Minimum length of admin password
+     * Configuration path for minimum admin password length
      */
-    public const MIN_PASSWORD_LENGTH = 12;
+    private const XML_PATH_MINIMUM_PASSWORD_LENGTH = 'admin/security/minimum_password_length';
+
+    /**
+     * Minimum length of admin password (fallback)
+     */
+    public const MIN_PASSWORD_LENGTH = 7;
+
+    /**
+     * @var ScopeConfigInterface
+     */
+    private $scopeConfig;
+
+    /**
+     * @param ScopeConfigInterface|null $scopeConfig
+     */
+    public function __construct(?ScopeConfigInterface $scopeConfig = null)
+    {
+        $this->scopeConfig = $scopeConfig ?: ObjectManager::getInstance()->get(ScopeConfigInterface::class);
+    }
+
+    /**
+     * Get minimum password length from configuration
+     *
+     * @return int
+     */
+    private function getMinimumPasswordLength(): int
+    {
+        $configValue = $this->scopeConfig->getValue(self::XML_PATH_MINIMUM_PASSWORD_LENGTH);
+        return $configValue ? (int) $configValue : self::MIN_PASSWORD_LENGTH;
+    }
 
     /**
      * Adds validation rule for user first name, last name, username and email
@@ -83,7 +114,7 @@ public function addPasswordRules(DataObject $validator)
     {
         $passwordNotEmpty = new NotEmpty();
         $passwordNotEmpty->setMessage(__('Password is required field.'), NotEmpty::IS_EMPTY);
-        $minPassLength = self::MIN_PASSWORD_LENGTH;
+        $minPassLength = $this->getMinimumPasswordLength();
         $passwordLength = new StringLength(['min' => $minPassLength, 'encoding' => 'UTF-8']);
         $passwordLength->setMessage(
             __('Your password must be at least %1 characters.', $minPassLength),

app/code/Magento/User/Test/Mftf/ActionGroup/AdminCompleteUserCreationWithRoleActionGroup.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+-->
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AdminCompleteUserCreationWithRoleActionGroup">
+        <annotations>
+            <description>Complete user creation by setting role and saving</description>
+        </annotations>
+        <arguments>
+            <argument name="role" defaultValue="roleDefaultAdministrator"/>
+            <argument name="user" defaultValue="activeAdmin"/>
+        </arguments>
+        <!-- Assign role -->
+        <click stepKey="clickUserRole" selector="{{AdminEditUserSection.userRoleTab}}"/>
+        <waitForPageLoad stepKey="waitForUserRoleTabOpened"/>
+        <click stepKey="chooseRole" selector="{{AdminEditUserSection.administratorRoleRadio(role.name)}}"/>
+        <!-- Save user -->
+        <click selector="{{AdminEditUserSection.saveButton}}" stepKey="clickSaveUser"/>
+        <waitForPageLoad stepKey="waitForSaveUser"/>
+        <see stepKey="seeSuccessMessage" userInput="You saved the user."/>
+    </actionGroup>
+</actionGroups> 

app/code/Magento/User/Test/Mftf/ActionGroup/AdminFillNewUserFormActionGroup.xml

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+-->
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AdminFillNewUserFormActionGroup">
+        <annotations>
+            <description>Navigate to new user page and fill form with basic user information without saving</description>
+        </annotations>
+        <arguments>
+            <argument name="user" defaultValue="activeAdmin"/>
+        </arguments>
+        <amOnPage url="{{AdminNewUserPage.url}}" stepKey="navigateToNewUser"/>
+        <waitForPageLoad stepKey="waitForUsersPage"/>
+        <fillField selector="{{AdminEditUserSection.usernameTextField}}" userInput="{{user.username}}" stepKey="enterUserName"/>
+        <fillField selector="{{AdminEditUserSection.firstNameTextField}}" userInput="{{user.firstname}}" stepKey="enterFirstName"/>
+        <fillField selector="{{AdminEditUserSection.lastNameTextField}}" userInput="{{user.lastname}}" stepKey="enterLastName"/>
+        <fillField selector="{{AdminEditUserSection.emailTextField}}" userInput="{{user.username}}@magento.com" stepKey="enterEmail"/>
+        <fillField selector="{{AdminEditUserSection.currentPasswordField}}" userInput="{{_ENV.MAGENTO_ADMIN_PASSWORD}}" stepKey="enterCurrentPassword"/>
+    </actionGroup>
+</actionGroups> 

app/code/Magento/User/Test/Mftf/ActionGroup/AdminNavigateToSecurityConfigActionGroup.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+-->
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+
+    <actionGroup name="AdminNavigateToSecurityConfigActionGroup">
+        <annotations>
+            <description>Navigate to System > Configuration > Advanced > Admin > Security and expand Security tab</description>
+        </annotations>
+        <amOnPage url="{{AdminSecurityConfigPage.url}}" stepKey="navigateToAdminSecurityConfig"/>
+        <waitForPageLoad stepKey="waitForConfigPageLoad"/>
+        <conditionalClick selector="{{AdminSecurityConfigSection.securityTab}}" dependentSelector="{{AdminSecurityConfigSection.securityExpanded}}" visible="false" stepKey="expandSecurityTab"/>
+        <waitForElementVisible selector="{{AdminSecurityConfigSection.minimumPasswordLengthField}}" stepKey="waitForPasswordLengthField"/>
+    </actionGroup>
+
+</actionGroups>