Password requirements cannot easily be customised. They have to be implemented at the Spring XML bean level, and in addition the text hints and error messages need to be customised in every available language.
In reality, however, the rules for creating passwords can be reduced to some general rules. Those general rules can be used to generate a generic hint text as a bullet list of all the elements of the password.
Things to be done and to be considered:
- Implement a UI to configure the password rules
- Make sure that whenever something changes in that config, extensive admin logging is performed
- Implement the bean that checks against the rules
- In the bean, implement a method to create an appropriate, generic error message
- In the bean, implement a method to create a help text that explains what a valid password is
- Implement form code for adding a new password or changing a password that uses the new validator and the error handling
- Make sure transition from the previous password setting is handled smoothly
The regex to validate the username should also be moved to the properties file so that the old Spring beans can be deleted.
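
A sketch of the rule-checking bean described in the list above, added here as an example and not taken from the project's code. The class name, property keys, rule set and English texts are assumptions; each rule is defined once so the help text and the error message cannot drift apart.

```java
import java.util.*;
import java.util.stream.Collectors;

// Hypothetical rule bean: class name, property keys and texts are assumptions.
public class PasswordRules {
    private final int minLen, maxLen, minLetters, minDigits, minSpecials;
    private final boolean forbidUsername;

    public PasswordRules(Properties p) {
        minLen = num(p, "password.min.length", 8);
        maxLen = num(p, "password.max.length", 128);
        minLetters = num(p, "password.min.letters", 1);
        minDigits = num(p, "password.min.digits", 1);
        minSpecials = num(p, "password.min.specials", 0);
        forbidUsername = Boolean.parseBoolean(p.getProperty("password.forbid.username", "true"));
        // Reject configurations that no password could ever satisfy.
        if (minLen < 1 || maxLen < minLen || minLetters + minDigits + minSpecials > maxLen)
            throw new IllegalArgumentException("inconsistent password rules");
    }
    private static int num(Properties p, String key, int dflt) {
        return Integer.parseInt(p.getProperty(key, String.valueOf(dflt)).trim());
    }

    // Single source of truth: rule text -> satisfied? (insertion order kept for display)
    private Map<String, Boolean> check(String user, String pw) {
        int len = pw.codePointCount(0, pw.length());
        long letters = pw.codePoints().filter(Character::isLetter).count();
        long digits = pw.codePoints().filter(Character::isDigit).count();
        Map<String, Boolean> r = new LinkedHashMap<>();
        r.put("Between " + minLen + " and " + maxLen + " characters", len >= minLen && len <= maxLen);
        if (minLetters > 0) r.put("At least " + minLetters + " letter(s)", letters >= minLetters);
        if (minDigits > 0) r.put("At least " + minDigits + " digit(s)", digits >= minDigits);
        if (minSpecials > 0)
            r.put("At least " + minSpecials + " other character(s)", len - letters - digits >= minSpecials);
        if (forbidUsername) r.put("Must not contain the username", user.isEmpty()
                || !pw.toLowerCase(Locale.ROOT).contains(user.toLowerCase(Locale.ROOT)));
        return r;
    }

    // Help text: one bullet per configured rule.
    public List<String> helpText() { return new ArrayList<>(check("", "").keySet()); }

    // Violated rules for the error message; an empty list means the password is valid.
    public List<String> validate(String user, String pw) {
        return check(user == null ? "" : user, pw == null ? "" : pw).entrySet().stream()
                .filter(e -> !e.getValue()).map(Map.Entry::getKey).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        Properties p = new Properties();               // constructed sample configuration
        p.setProperty("password.min.length", "10");
        PasswordRules rules = new PasswordRules(p);
        rules.helpText().forEach(t -> System.out.println("- " + t));
        System.out.println(rules.validate("jdoe", "jdoe2024"));  // constructed input
    }
}
```

In a multilingual installation the rule texts would be translation keys with the numbers passed as parameters, so that only one generic set of strings needs translating.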