We run a GitLab site for university users (and they all come from different institutions so we can’t use a single LDAP). We recently went through penetration testing and the main issue the testers raised was with a lack of password complexity controls.
Although there is a control for minimum length, there isn’t anything I can see to require a mixture of caps/numerics etc.
I don’t really want to force all users to use MFA, but I also don’t want users to have a password of 11111111.
Anyone know if this sort of simple control is coming?