From 85ad4e334aaa7f7b65d500c7b22962e70d18b558 Mon Sep 17 00:00:00 2001
From: cong meng <mcpacino@gmail.com>
Date: Thu, 14 Apr 2022 13:45:54 +1200
Subject: [PATCH] feat(password) EE-2690 enforce strong password policy (#6751)

* feat(password) EE-2690 enforce strong password policy

* feat(password) EE-2690 disable create user button if password is not valid

* feat(password) EE-2690 show force password change warning only when week password is detected

* feat(password) EE-2690 prevent users leave account page by clicking add access token button

Co-authored-by: Simon Meng <simon.meng@portainer.io>
---
 api/http/handler/auth/authenticate.go         | 19 +++---
 api/http/handler/auth/authenticate_oauth.go   |  2 +-
 api/http/handler/users/admin_init.go          |  5 ++
 api/http/handler/users/user_create.go         |  5 ++
 .../handler/users/user_update_password.go     |  5 ++
 api/internal/passwordutils/strengthCheck.go   | 33 +++++++++++
 .../passwordutils/strengthCheck_test.go       | 31 ++++++++++
 api/jwt/jwt.go                                | 18 +++---
 api/portainer.go                              |  7 ++-
 app/assets/css/app.css                        | 40 +++++++++++++
 .../components/PasswordCheckHint.tsx          | 59 +++++++++++++++++++
 .../access-tokens-datatable.controller.js     |  8 ++-
 .../access-tokens-datatable.html              |  4 +-
 .../access-tokens-datatable/index.js          |  1 +
 app/portainer/components/index.js             |  3 +
 app/portainer/helpers/password.ts             | 22 +++++++
 app/portainer/services/authentication.js      |  1 +
 .../services/modal.service/confirm.ts         | 15 +++++
 app/portainer/services/modal.service/index.ts |  2 +
 app/portainer/views/account/account.html      | 15 +++--
 .../views/account/accountController.js        | 22 +++++++
 app/portainer/views/auth/authController.js    |  4 ++
 app/portainer/views/init/admin/initAdmin.html | 22 ++++---
 .../views/init/admin/initAdminController.js   |  9 +++
 app/portainer/views/users/users.html          | 14 ++++-
 app/portainer/views/users/usersController.js  |  6 ++
 26 files changed, 331 insertions(+), 41 deletions(-)
 create mode 100644 api/internal/passwordutils/strengthCheck.go
 create mode 100644 api/internal/passwordutils/strengthCheck_test.go
 create mode 100644 app/portainer/components/PasswordCheckHint.tsx
 create mode 100644 app/portainer/helpers/password.ts

diff --git a/api/http/handler/auth/authenticate.go b/api/http/handler/auth/authenticate.go
index 37c895b44..39a792f72 100644
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@@ -13,6 +13,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/internal/authorization"
+	"github.com/portainer/portainer/api/internal/passwordutils"
 )
 
 type authenticatePayload struct {
@@ -100,7 +101,8 @@ func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portai
 		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized}
 	}
 
-	return handler.writeToken(w, user)
+	forceChangePassword := !passwordutils.StrengthCheck(password)
+	return handler.writeToken(w, user, forceChangePassword)
 }
 
 func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.User, username, password string, ldapSettings *portainer.LDAPSettings) *httperror.HandlerError {
@@ -131,11 +133,11 @@ func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.
 		log.Printf("Warning: unable to automatically add user into teams: %s\n", err.Error())
 	}
 
-	return handler.writeToken(w, user)
+	return handler.writeToken(w, user, false)
 }
 
-func (handler *Handler) writeToken(w http.ResponseWriter, user *portainer.User) *httperror.HandlerError {
-	tokenData := composeTokenData(user)
+func (handler *Handler) writeToken(w http.ResponseWriter, user *portainer.User, forceChangePassword bool) *httperror.HandlerError {
+	tokenData := composeTokenData(user, forceChangePassword)
 
 	return handler.persistAndWriteToken(w, tokenData)
 }
@@ -206,10 +208,11 @@ func teamMembershipExists(teamID portainer.TeamID, memberships []portainer.TeamM
 	return false
 }
 
-func composeTokenData(user *portainer.User) *portainer.TokenData {
+func composeTokenData(user *portainer.User, forceChangePassword bool) *portainer.TokenData {
 	return &portainer.TokenData{
-		ID:       user.ID,
-		Username: user.Username,
-		Role:     user.Role,
+		ID:                  user.ID,
+		Username:            user.Username,
+		Role:                user.Role,
+		ForceChangePassword: forceChangePassword,
 	}
 }
diff --git a/api/http/handler/auth/authenticate_oauth.go b/api/http/handler/auth/authenticate_oauth.go
index 8266eb0db..22cd243a2 100644
--- a/api/http/handler/auth/authenticate_oauth.go
+++ b/api/http/handler/auth/authenticate_oauth.go
@@ -110,5 +110,5 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 
 	}
 
-	return handler.writeToken(w, user)
+	return handler.writeToken(w, user, false)
 }
diff --git a/api/http/handler/users/admin_init.go b/api/http/handler/users/admin_init.go
index d4a8f1084..8e3500800 100644
--- a/api/http/handler/users/admin_init.go
+++ b/api/http/handler/users/admin_init.go
@@ -9,6 +9,7 @@ import (
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/internal/passwordutils"
 )
 
 type adminInitPayload struct {
@@ -57,6 +58,10 @@ func (handler *Handler) adminInit(w http.ResponseWriter, r *http.Request) *httpe
 		return &httperror.HandlerError{http.StatusConflict, "Unable to create administrator user", errAdminAlreadyInitialized}
 	}
 
+	if !passwordutils.StrengthCheck(payload.Password) {
+		return &httperror.HandlerError{http.StatusBadRequest, "Password does not meet the requirements", nil}
+	}
+
 	user := &portainer.User{
 		Username: payload.Username,
 		Role:     portainer.AdministratorRole,
diff --git a/api/http/handler/users/user_create.go b/api/http/handler/users/user_create.go
index 165222f28..51024d8e8 100644
--- a/api/http/handler/users/user_create.go
+++ b/api/http/handler/users/user_create.go
@@ -11,6 +11,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/passwordutils"
 )
 
 type userCreatePayload struct {
@@ -94,6 +95,10 @@ func (handler *Handler) userCreate(w http.ResponseWriter, r *http.Request) *http
 	}
 
 	if settings.AuthenticationMethod == portainer.AuthenticationInternal {
+		if !passwordutils.StrengthCheck(payload.Password) {
+			return &httperror.HandlerError{http.StatusBadRequest, "Password does not meet the requirements", nil}
+		}
+
 		user.Password, err = handler.CryptoService.Hash(payload.Password)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to hash user password", errCryptoHashFailure}
diff --git a/api/http/handler/users/user_update_password.go b/api/http/handler/users/user_update_password.go
index 99c92ebab..e569d0ab5 100644
--- a/api/http/handler/users/user_update_password.go
+++ b/api/http/handler/users/user_update_password.go
@@ -12,6 +12,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/passwordutils"
 )
 
 type userUpdatePasswordPayload struct {
@@ -81,6 +82,10 @@ func (handler *Handler) userUpdatePassword(w http.ResponseWriter, r *http.Reques
 		return &httperror.HandlerError{http.StatusForbidden, "Specified password do not match actual password", httperrors.ErrUnauthorized}
 	}
 
+	if !passwordutils.StrengthCheck(payload.NewPassword) {
+		return &httperror.HandlerError{http.StatusBadRequest, "Password does not meet the requirements", nil}
+	}
+
 	user.Password, err = handler.CryptoService.Hash(payload.NewPassword)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to hash user password", errCryptoHashFailure}
diff --git a/api/internal/passwordutils/strengthCheck.go b/api/internal/passwordutils/strengthCheck.go
new file mode 100644
index 000000000..99d5ca473
--- /dev/null
+++ b/api/internal/passwordutils/strengthCheck.go
@@ -0,0 +1,33 @@
+package passwordutils
+
+import (
+	"regexp"
+)
+
+const MinPasswordLen = 12
+
+func lengthCheck(password string) bool {
+	return len(password) >= MinPasswordLen
+}
+
+func comboCheck(password string) bool {
+	count := 0
+	regexps := [4]*regexp.Regexp{
+		regexp.MustCompile(`[a-z]`),
+		regexp.MustCompile(`[A-Z]`),
+		regexp.MustCompile(`[0-9]`),
+		regexp.MustCompile(`[\W_]`),
+	}
+
+	for _, re := range regexps {
+		if re.FindString(password) != "" {
+			count += 1
+		}
+	}
+
+	return count >= 3
+}
+
+func StrengthCheck(password string) bool {
+	return lengthCheck(password) && comboCheck(password)
+}
diff --git a/api/internal/passwordutils/strengthCheck_test.go b/api/internal/passwordutils/strengthCheck_test.go
new file mode 100644
index 000000000..1ee45461a
--- /dev/null
+++ b/api/internal/passwordutils/strengthCheck_test.go
@@ -0,0 +1,31 @@
+package passwordutils
+
+import "testing"
+
+func TestStrengthCheck(t *testing.T) {
+	type args struct {
+		password string
+	}
+	tests := []struct {
+		name       string
+		args       args
+		wantStrong bool
+	}{
+		{"Empty password", args{""}, false},
+		{"Short password", args{"portainer"}, false},
+		{"Short password", args{"portaienr!@#"}, false},
+		{"Week password", args{"12345678!@#"}, false},
+		{"Week password", args{"portaienr123"}, false},
+		{"Good password", args{"Portainer123"}, true},
+		{"Good password", args{"Portainer___"}, true},
+		{"Good password", args{"^portainer12"}, true},
+		{"Good password", args{"12%PORTAINER"}, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if gotStrong := StrengthCheck(tt.args.password); gotStrong != tt.wantStrong {
+				t.Errorf("StrengthCheck() = %v, want %v", gotStrong, tt.wantStrong)
+			}
+		})
+	}
+}
diff --git a/api/jwt/jwt.go b/api/jwt/jwt.go
index 523527a9c..77b9fc279 100644
--- a/api/jwt/jwt.go
+++ b/api/jwt/jwt.go
@@ -22,10 +22,11 @@ type Service struct {
 }
 
 type claims struct {
-	UserID   int    `json:"id"`
-	Username string `json:"username"`
-	Role     int    `json:"role"`
-	Scope    scope  `json:"scope"`
+	UserID              int    `json:"id"`
+	Username            string `json:"username"`
+	Role                int    `json:"role"`
+	Scope               scope  `json:"scope"`
+	ForceChangePassword bool   `json:"forceChangePassword"`
 	jwt.StandardClaims
 }
 
@@ -164,10 +165,11 @@ func (service *Service) generateSignedToken(data *portainer.TokenData, expiresAt
 	}
 
 	cl := claims{
-		UserID:   int(data.ID),
-		Username: data.Username,
-		Role:     int(data.Role),
-		Scope:    scope,
+		UserID:              int(data.ID),
+		Username:            data.Username,
+		Role:                int(data.Role),
+		Scope:               scope,
+		ForceChangePassword: data.ForceChangePassword,
 		StandardClaims: jwt.StandardClaims{
 			ExpiresAt: expiresAt,
 			IssuedAt:  time.Now().Unix(),
diff --git a/api/portainer.go b/api/portainer.go
index a78ffc321..aed012f26 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1102,9 +1102,10 @@ type (
 
 	// TokenData represents the data embedded in a JWT token
 	TokenData struct {
-		ID       UserID
-		Username string
-		Role     UserRole
+		ID                  UserID
+		Username            string
+		Role                UserRole
+		ForceChangePassword bool
 	}
 
 	// TunnelDetails represents information associated to a tunnel
diff --git a/app/assets/css/app.css b/app/assets/css/app.css
index f014936e2..76afc86a1 100644
--- a/app/assets/css/app.css
+++ b/app/assets/css/app.css
@@ -897,6 +897,46 @@ json-tree .branch-preview {
   flex-wrap: wrap;
 }
 
+.ml-0 {
+  margin-left: 0rem;
+}
+
+.ml-1 {
+  margin-left: 0.25rem;
+}
+
+.ml-2 {
+  margin-left: 0.5rem;
+}
+
+.ml-3 {
+  margin-left: 0.75rem;
+}
+
+.ml-4 {
+  margin-left: 1rem;
+}
+
+.ml-5 {
+  margin-left: 1.25rem;
+}
+
+.ml-5 {
+  margin-left: 1.5rem;
+}
+
+.ml-6 {
+  margin-left: 1.75rem;
+}
+
+.ml-7 {
+  margin-left: 2rem;
+}
+
+.ml-8 {
+  margin-left: 2.25rem;
+}
+
 .text-wrap {
   word-break: break-all;
   white-space: normal;
diff --git a/app/portainer/components/PasswordCheckHint.tsx b/app/portainer/components/PasswordCheckHint.tsx
new file mode 100644
index 000000000..4db39f946
--- /dev/null
+++ b/app/portainer/components/PasswordCheckHint.tsx
@@ -0,0 +1,59 @@
+import { react2angular } from '@/react-tools/react2angular';
+
+import { MinPasswordLen } from '../helpers/password';
+
+function PasswordCombination() {
+  return (
+    <ul className="text-muted">
+      <li className="ml-8"> Special characters </li>
+      <li className="ml-8"> Lower case characters </li>
+      <li className="ml-8"> Upper case characters </li>
+      <li className="ml-8"> Numeric characters </li>
+    </ul>
+  );
+}
+
+export function ForcePasswordUpdateHint() {
+  return (
+    <div>
+      <p>
+        <i
+          className="fa fa-exclamation-triangle orange-icon"
+          aria-hidden="true"
+        />
+        <b> Please update your password to continue </b>
+      </p>
+
+      <p className="text-muted">
+        To ensure the security of your account, please update your password to a
+        stronger password using a combination of at least 3 of the following:
+      </p>
+
+      <PasswordCombination />
+    </div>
+  );
+}
+
+export function PasswordCheckHint() {
+  return (
+    <div>
+      <p className="text-muted">
+        <i className="fa fa-times red-icon space-right" aria-hidden="true">
+          {' '}
+        </i>
+        <span>
+          The password must be at least {MinPasswordLen} characters long,
+          including a combination of one character of three of the below:
+        </span>
+      </p>
+
+      <PasswordCombination />
+    </div>
+  );
+}
+
+export const ForcePasswordUpdateHintAngular = react2angular(
+  ForcePasswordUpdateHint,
+  []
+);
+export const PasswordCheckHintAngular = react2angular(PasswordCheckHint, []);
diff --git a/app/portainer/components/datatables/access-tokens-datatable/access-tokens-datatable.controller.js b/app/portainer/components/datatables/access-tokens-datatable/access-tokens-datatable.controller.js
index 2cccb0a95..d0aafbcd7 100644
--- a/app/portainer/components/datatables/access-tokens-datatable/access-tokens-datatable.controller.js
+++ b/app/portainer/components/datatables/access-tokens-datatable/access-tokens-datatable.controller.js
@@ -1,8 +1,14 @@
 export default class AccessTokensDatatableController {
   /* @ngInject*/
-  constructor($scope, $controller, DatatableService) {
+  constructor($scope, $state, $controller, DatatableService) {
     angular.extend(this, $controller('GenericDatatableController', { $scope: $scope }));
 
+    this.onClickAdd = () => {
+      if (this.uiCanExit()) {
+        $state.go('portainer.account.new-access-token');
+      }
+    };
+
     this.$onInit = function () {
       this.setDefaults();
       this.prepareTableFromDataset();
diff --git a/app/portainer/components/datatables/access-tokens-datatable/access-tokens-datatable.html b/app/portainer/components/datatables/access-tokens-datatable/access-tokens-datatable.html
index d31e34687..d772faeaf 100644
--- a/app/portainer/components/datatables/access-tokens-datatable/access-tokens-datatable.html
+++ b/app/portainer/components/datatables/access-tokens-datatable/access-tokens-datatable.html
@@ -14,9 +14,7 @@
         >
           <i class="fa fa-trash-alt space-right" aria-hidden="true"></i>Remove
         </button>
-        <button type="button" class="btn btn-sm btn-primary" ui-sref="portainer.account.new-access-token">
-          <i class="fa fa-plus space-right" aria-hidden="true"></i>Add access token
-        </button>
+        <button type="button" class="btn btn-sm btn-primary" ng-click="$ctrl.onClickAdd()"> <i class="fa fa-plus space-right" aria-hidden="true"></i>Add access token </button>
       </div>
       <div class="searchBar">
         <i class="fa fa-search searchIcon" aria-hidden="true"></i>
diff --git a/app/portainer/components/datatables/access-tokens-datatable/index.js b/app/portainer/components/datatables/access-tokens-datatable/index.js
index 534b83f74..b90b3c9dd 100644
--- a/app/portainer/components/datatables/access-tokens-datatable/index.js
+++ b/app/portainer/components/datatables/access-tokens-datatable/index.js
@@ -11,5 +11,6 @@ angular.module('portainer.app').component('accessTokensDatatable', {
     tableKey: '@',
     orderBy: '@',
     removeAction: '<',
+    uiCanExit: '<',
   },
 });
diff --git a/app/portainer/components/index.js b/app/portainer/components/index.js
index df484f8d8..4b7589e3d 100644
--- a/app/portainer/components/index.js
+++ b/app/portainer/components/index.js
@@ -14,6 +14,7 @@ import { ReactExampleAngular } from './ReactExample';
 import { TooltipAngular } from './Tip/Tooltip';
 import { beFeatureIndicatorAngular } from './BEFeatureIndicator';
 import { InformationPanelAngular } from './InformationPanel';
+import { ForcePasswordUpdateHintAngular, PasswordCheckHintAngular } from './PasswordCheckHint';
 
 export default angular
   .module('portainer.app.components', [headerModule, boxSelectorModule, widgetModule, sidebarModule, gitFormModule, porAccessManagementModule, formComponentsModule])
@@ -21,4 +22,6 @@ export default angular
   .component('portainerTooltip', TooltipAngular)
   .component('reactExample', ReactExampleAngular)
   .component('beFeatureIndicator', beFeatureIndicatorAngular)
+  .component('forcePasswordUpdateHint', ForcePasswordUpdateHintAngular)
+  .component('passwordCheckHint', PasswordCheckHintAngular)
   .component('createAccessToken', CreateAccessTokenAngular).name;
diff --git a/app/portainer/helpers/password.ts b/app/portainer/helpers/password.ts
new file mode 100644
index 000000000..86d23b17a
--- /dev/null
+++ b/app/portainer/helpers/password.ts
@@ -0,0 +1,22 @@
+export const MinPasswordLen = 12;
+
+function lengthCheck(password: string) {
+  return password.length >= MinPasswordLen;
+}
+
+function comboCheck(password: string) {
+  let count = 0;
+  const regexps = [/[a-z]/, /[A-Z]/, /[0-9]/, /[\W_]/];
+
+  regexps.forEach((re) => {
+    if (password.match(re) != null) {
+      count += 1;
+    }
+  });
+
+  return count >= 3;
+}
+
+export function StrengthCheck(password: string) {
+  return lengthCheck(password) && comboCheck(password);
+}
diff --git a/app/portainer/services/authentication.js b/app/portainer/services/authentication.js
index 406c03368..88ca88d9e 100644
--- a/app/portainer/services/authentication.js
+++ b/app/portainer/services/authentication.js
@@ -101,6 +101,7 @@ angular.module('portainer.app').factory('Authentication', [
       user.username = tokenPayload.username;
       user.ID = tokenPayload.id;
       user.role = tokenPayload.role;
+      user.forceChangePassword = tokenPayload.forceChangePassword;
       await setUserTheme();
     }
 
diff --git a/app/portainer/services/modal.service/confirm.ts b/app/portainer/services/modal.service/confirm.ts
index 407d53017..482c8d731 100644
--- a/app/portainer/services/modal.service/confirm.ts
+++ b/app/portainer/services/modal.service/confirm.ts
@@ -202,3 +202,18 @@ export function confirmChangePassword() {
     },
   });
 }
+
+export function confirmForceChangePassword() {
+  const box = bootbox.dialog({
+    message:
+      'Please update your password to a stronger password to continue using Portainer',
+    buttons: {
+      confirm: {
+        label: 'OK',
+        className: 'btn-primary',
+      },
+    },
+  });
+
+  applyBoxCSS(box);
+}
diff --git a/app/portainer/services/modal.service/index.ts b/app/portainer/services/modal.service/index.ts
index b6dcf2a60..0c10342f4 100644
--- a/app/portainer/services/modal.service/index.ts
+++ b/app/portainer/services/modal.service/index.ts
@@ -15,6 +15,7 @@ import {
   confirmUpdate,
   confirmWebEditorDiscard,
   confirm,
+  confirmForceChangePassword,
 } from './confirm';
 import {
   confirmContainerDeletion,
@@ -58,5 +59,6 @@ export function ModalServiceAngular() {
     selectRegistry,
     confirmContainerDeletion,
     confirmKubeconfigSelection,
+    confirmForceChangePassword,
   };
 }
diff --git a/app/portainer/views/account/account.html b/app/portainer/views/account/account.html
index 274b0b447..500ed2107 100644
--- a/app/portainer/views/account/account.html
+++ b/app/portainer/views/account/account.html
@@ -26,17 +26,12 @@
             <div class="col-sm-8">
               <div class="input-group">
                 <span class="input-group-addon"><i class="fa fa-lock" aria-hidden="true"></i></span>
-                <input type="password" class="form-control" ng-model="formValues.newPassword" id="new_password" />
+                <input type="password" class="form-control" ng-model="formValues.newPassword" ng-change="onNewPasswordChange()" id="new_password" />
               </div>
             </div>
           </div>
           <!-- !new-password-input -->
-          <div class="form-group">
-            <div class="col-sm-12">
-              <i ng-class="{ true: 'fa fa-check green-icon', false: 'fa fa-times red-icon' }[formValues.newPassword.length >= 8]" aria-hidden="true"></i>
-              <span class="small text-muted">Your new password must be at least 8 characters long</span>
-            </div>
-          </div>
+
           <!-- confirm-password-input -->
           <div class="form-group">
             <label for="confirm_password" class="col-sm-2 control-label text-left">Confirm password</label>
@@ -61,7 +56,7 @@
               <button
                 type="submit"
                 class="btn btn-primary btn-sm"
-                ng-disabled="(AuthenticationMethod !== 1 && userID !== 1) || !formValues.currentPassword || formValues.newPassword.length < 8 || formValues.newPassword !== formValues.confirmPassword"
+                ng-disabled="(AuthenticationMethod !== 1 && userID !== 1) || !formValues.currentPassword || !passwordStrength || formValues.newPassword !== formValues.confirmPassword"
                 ng-click="updatePassword()"
                 >Update password</button
               >
@@ -75,6 +70,9 @@
               </span>
             </div>
           </div>
+
+          <force-password-update-hint ng-if="forceChangePassword"></force-password-update-hint>
+          <password-check-hint ng-if="!forceChangePassword && !passwordStrength"></password-check-hint>
         </form>
       </rd-widget-body>
     </rd-widget>
@@ -85,6 +83,7 @@
       table-key="tokens"
       order-by="Description"
       remove-action="removeAction"
+      ui-can-exit="uiCanExit"
     ></access-tokens-datatable>
     <theme-settings></theme-settings>
   </div>
diff --git a/app/portainer/views/account/accountController.js b/app/portainer/views/account/accountController.js
index ca2795de9..c00ec8637 100644
--- a/app/portainer/views/account/accountController.js
+++ b/app/portainer/views/account/accountController.js
@@ -1,3 +1,5 @@
+import { MinPasswordLen, StrengthCheck } from 'Portainer/helpers/password';
+
 angular.module('portainer.app').controller('AccountController', [
   '$scope',
   '$state',
@@ -16,12 +18,16 @@ angular.module('portainer.app').controller('AccountController', [
       userTheme: '',
     };
 
+    $scope.passwordStrength = false;
+    $scope.MinPasswordLen = MinPasswordLen;
+
     $scope.updatePassword = async function () {
       const confirmed = await ModalService.confirmChangePassword();
       if (confirmed) {
         try {
           await UserService.updateUserPassword($scope.userID, $scope.formValues.currentPassword, $scope.formValues.newPassword);
           Notifications.success('Success', 'Password successfully updated');
+          $scope.forceChangePassword = false;
           $state.go('portainer.logout');
         } catch (err) {
           Notifications.error('Failure', err, err.msg);
@@ -29,6 +35,21 @@ angular.module('portainer.app').controller('AccountController', [
       }
     };
 
+    $scope.onNewPasswordChange = function () {
+      $scope.passwordStrength = StrengthCheck($scope.formValues.newPassword);
+    };
+
+    this.uiCanExit = () => {
+      if ($scope.forceChangePassword) {
+        ModalService.confirmForceChangePassword();
+      }
+      return !$scope.forceChangePassword;
+    };
+
+    $scope.uiCanExit = () => {
+      return this.uiCanExit();
+    };
+
     $scope.removeAction = (selectedTokens) => {
       const msg = 'Do you want to remove the selected access token(s)? Any script or application using these tokens will no longer be able to invoke the Portainer API.';
 
@@ -77,6 +98,7 @@ angular.module('portainer.app').controller('AccountController', [
 
     async function initView() {
       $scope.userID = Authentication.getUserDetails().ID;
+      $scope.forceChangePassword = Authentication.getUserDetails().forceChangePassword;
 
       const data = await UserService.user($scope.userID);
 
diff --git a/app/portainer/views/auth/authController.js b/app/portainer/views/auth/authController.js
index 0731c1d67..86905693e 100644
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@@ -123,6 +123,10 @@ class AuthenticationController {
       const endpoints = await this.EndpointService.endpoints(0, 1);
       const isAdmin = this.Authentication.isAdmin();
 
+      if (this.Authentication.getUserDetails().forceChangePassword) {
+        return this.$state.go('portainer.account');
+      }
+
       if (endpoints.value.length === 0 && isAdmin) {
         return this.$state.go('portainer.wizard');
       } else {
diff --git a/app/portainer/views/init/admin/initAdmin.html b/app/portainer/views/init/admin/initAdmin.html
index cffa7aa00..54408f714 100644
--- a/app/portainer/views/init/admin/initAdmin.html
+++ b/app/portainer/views/init/admin/initAdmin.html
@@ -41,7 +41,7 @@
             <div class="form-group">
               <label for="password" class="col-sm-4 control-label text-left">Password</label>
               <div class="col-sm-8">
-                <input type="password" class="form-control" ng-model="formValues.Password" id="password" auto-focus />
+                <input type="password" class="form-control" ng-model="formValues.Password" id="password" ng-change="onPasswordChange()" auto-focus />
               </div>
             </div>
             <!-- !new-password-input -->
@@ -63,11 +63,19 @@
             <!-- !confirm-password-input -->
             <!-- note -->
             <div class="form-group">
-              <div class="col-sm-12">
-                <span class="small text-muted">
-                  <i ng-class="{ true: 'fa fa-check green-icon', false: 'fa fa-times red-icon' }[formValues.Password.length >= 8]" aria-hidden="true"></i>
-                  The password must be at least 8 characters long
-                </span>
+              <div class="col-sm-12 text-muted" ng-if="!state.passwordStrength">
+                <!-- below code is duplicated with component of <force-password-update-hint>  -->
+                <!-- it is a workaround for firefox that does not render component <force-password-update-hint>  -->
+                <p>
+                  <i class="fa fa-times red-icon space-right" aria-hidden="true"></i>
+                  <span>The password must be at least {{ MinPasswordLen }} characters long, including a combination of one character of three of the below:</span>
+                </p>
+                <ul>
+                  <li class="ml-8"> Special characters </li>
+                  <li class="ml-8"> Lower case characters </li>
+                  <li class="ml-8"> Upper case characters </li>
+                  <li class="ml-8"> Numeric characters </li>
+                </ul>
               </div>
             </div>
             <!-- !note -->
@@ -77,7 +85,7 @@
                 <button
                   type="submit"
                   class="btn btn-primary btn-sm"
-                  ng-disabled="state.actionInProgress || formValues.Password.length < 8 || formValues.Password !== formValues.ConfirmPassword"
+                  ng-disabled="state.actionInProgress || !state.passwordStrength || formValues.Password !== formValues.ConfirmPassword"
                   ng-click="createAdminUser()"
                   button-spinner="state.actionInProgress"
                 >
diff --git a/app/portainer/views/init/admin/initAdminController.js b/app/portainer/views/init/admin/initAdminController.js
index e2433e4ab..d895da583 100644
--- a/app/portainer/views/init/admin/initAdminController.js
+++ b/app/portainer/views/init/admin/initAdminController.js
@@ -1,3 +1,5 @@
+import { MinPasswordLen, StrengthCheck } from 'Portainer/helpers/password';
+
 angular.module('portainer.app').controller('InitAdminController', [
   '$scope',
   '$state',
@@ -25,10 +27,17 @@ angular.module('portainer.app').controller('InitAdminController', [
       actionInProgress: false,
       showInitPassword: true,
       showRestorePortainer: false,
+      passwordStrength: false,
     };
 
+    $scope.MinPasswordLen = MinPasswordLen;
+
     createAdministratorFlow();
 
+    $scope.onPasswordChange = function () {
+      $scope.state.passwordStrength = StrengthCheck($scope.formValues.Password);
+    };
+
     $scope.togglePanel = function () {
       $scope.state.showInitPassword = !$scope.state.showInitPassword;
       $scope.state.showRestorePortainer = !$scope.state.showRestorePortainer;
diff --git a/app/portainer/views/users/users.html b/app/portainer/views/users/users.html
index e783afe87..8c7a670a6 100644
--- a/app/portainer/views/users/users.html
+++ b/app/portainer/views/users/users.html
@@ -46,7 +46,7 @@
             <div class="col-sm-8">
               <div class="input-group">
                 <span class="input-group-addon"><i class="fa fa-lock" aria-hidden="true"></i></span>
-                <input type="password" class="form-control" ng-model="formValues.Password" id="password" data-cy="user-passwordInput" />
+                <input type="password" class="form-control" ng-model="formValues.Password" id="password" ng-change="onPasswordChange()" data-cy="user-passwordInput" />
               </div>
             </div>
           </div>
@@ -68,6 +68,16 @@
             </div>
           </div>
           <!-- !confirm-password-input -->
+
+          <!-- password-check-hint -->
+          <div class="form-group" ng-if="AuthenticationMethod === 1 && !state.passwordStrength">
+            <div class="col-sm-3 col-lg-2"></div>
+            <div class="col-sm-8">
+              <password-check-hint></password-check-hint>
+            </div>
+          </div>
+          <!-- ! password-check-hint  -->
+
           <!-- admin-checkbox -->
           <div class="form-group" ng-if="isAdmin">
             <div class="col-sm-12">
@@ -120,7 +130,7 @@
               <button
                 type="button"
                 class="btn btn-primary btn-sm"
-                ng-disabled="state.actionInProgress || !state.validUsername || formValues.Username === '' || (AuthenticationMethod === 1 && formValues.Password === '') || (AuthenticationMethod === 1 && formValues.Password !== formValues.ConfirmPassword)"
+                ng-disabled="state.actionInProgress || !state.validUsername || formValues.Username === '' || (AuthenticationMethod === 1 && !state.passwordStrength) || (AuthenticationMethod === 1 && formValues.Password !== formValues.ConfirmPassword)"
                 ng-click="addUser()"
                 button-spinner="state.actionInProgress"
                 data-cy="user-createUserButton"
diff --git a/app/portainer/views/users/usersController.js b/app/portainer/views/users/usersController.js
index be8562057..a1ced1805 100644
--- a/app/portainer/views/users/usersController.js
+++ b/app/portainer/views/users/usersController.js
@@ -1,4 +1,5 @@
 import _ from 'lodash-es';
+import { StrengthCheck } from 'Portainer/helpers/password';
 
 angular.module('portainer.app').controller('UsersController', [
   '$q',
@@ -16,6 +17,7 @@ angular.module('portainer.app').controller('UsersController', [
       userCreationError: '',
       validUsername: false,
       actionInProgress: false,
+      passwordStrength: false,
     };
 
     $scope.formValues = {
@@ -26,6 +28,10 @@ angular.module('portainer.app').controller('UsersController', [
       Teams: [],
     };
 
+    $scope.onPasswordChange = function () {
+      $scope.state.passwordStrength = StrengthCheck($scope.formValues.Password);
+    };
+
     $scope.checkUsernameValidity = function () {
       var valid = true;
       for (var i = 0; i < $scope.users.length; i++) {