Security: Password Policy for Remote Access

As a Plex Media Server owner, I want to be able to define the minimum required complexity of the passwords of remote users that connect to my server, and to deny login with a weaker password.

As a Plex Media Server owner, I want to be able to define a threshold for the maximum age of a remote user's password and deny login if the remote user's last password change exceeds the threshold.

I really feel uncomfortable that people can use weak passwords - which they don’t even have to change. Tbh, even if this might be unpleasant for remote users, it would make remote access safer for the server operator.

Are you referring to other users with whom you’ve shared libraries from your server? If so, it doesn’t really make sense for you to be able to impose password requirements. They’re not logging on to your server; they’re logging on to their Plex account, to which you’ve shared libraries. In fact, yours may not be the only server from which they can pull content. As far as I know, your server never actually sees their logon and password, only the fact that they are a logged-in Plex user.

If you’re speaking of managed users, that’s something else entirely.

I am speaking about remote users. I want to be able to set a policy required to get access to my server. The policy of course would need to be pushed to Plex and be respected in the OIDC implementation that actually issues the access tokens. Why wouldn’t that make sense?

I could perfectly live with it if Plex introduced a set of password policy profiles and added a selection field in the server configuration to set the minimum required policy. I assume this would make the implementation much easier.
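The two requirements from the opening post (minimum complexity, maximum password age) and the "policy profiles" idea above can be sketched as a small check. This is an added example, not Plex code, and it follows the point made earlier in the thread that the server never sees the password: the complexity check runs where the password is set (the identity provider issuing the tokens), and the server only reads two assumed token claims, `pwd_policy` (the strongest profile the password satisfied) and `pwd_changed_at` (ISO date of the last change). The profile names and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_char_classes: int        # how many of lower/upper/digit/symbol must appear
    max_age_days: Optional[int]  # None means no rotation requirement


# Constructed profiles (assumed, not Plex's), ordered weakest to strongest;
# every later profile is at least as strict as the earlier ones.
PROFILES: Dict[str, PasswordPolicy] = {
    "basic": PasswordPolicy("basic", 8, 2, None),
    "standard": PasswordPolicy("standard", 12, 3, 365),
    "strict": PasswordPolicy("strict", 14, 4, 180),
}
RANK = {name: i for i, name in enumerate(PROFILES)}


def char_classes(password: str) -> int:
    """Count distinct character classes present (lower, upper, digit, other)."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def complexity_violations(password: str, policy: PasswordPolicy) -> List[str]:
    """Identity-provider side: reasons a password fails a profile (empty = passes)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if char_classes(password) < policy.min_char_classes:
        problems.append(f"fewer than {policy.min_char_classes} character classes")
    return problems


def strongest_profile(password: str) -> Optional[str]:
    """Name of the strongest profile the password satisfies, or None.
    The identity provider would record this as the assumed 'pwd_policy' claim."""
    best = None
    for name, policy in PROFILES.items():
        if not complexity_violations(password, policy):
            best = name
    return best


def admit_token(claims: dict, required_profile: str, today: date) -> Tuple[bool, List[str]]:
    """Server side: decide from token claims alone whether to admit the user.
    Assumed claims: 'pwd_policy' (profile name) and 'pwd_changed_at' (ISO date)."""
    required = PROFILES[required_profile]
    reasons = []
    attested = claims.get("pwd_policy")
    if attested not in RANK or RANK[attested] < RANK[required.name]:
        reasons.append(f"password does not meet profile '{required.name}'")
    if required.max_age_days is not None:
        try:
            changed = date.fromisoformat(claims["pwd_changed_at"])
        except (KeyError, ValueError):
            reasons.append("password change date missing or malformed")
        else:
            if today - changed > timedelta(days=required.max_age_days):
                reasons.append(f"password older than {required.max_age_days} days")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed token claims for a user whose password met the 'strict' profile.
    sample_claims = {"pwd_policy": "strict", "pwd_changed_at": "2024-01-01"}
    print(strongest_profile("Correct-Horse7"))
    print(admit_token(sample_claims, "standard", date(2024, 6, 1)))
    print(admit_token(sample_claims, "strict", date(2024, 9, 1)))
```

Because the server only compares a profile rank and a date, it never handles the credential itself; the trust boundary is the token issuer, which must sign the claims so the server can rely on them. Raising the selected profile on the server immediately locks out tokens whose attested profile ranks lower, which is the "comply or lose access" behaviour the thread asks for.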

Who knows, I could be wrong. At any rate, it’s an interesting question/suggestion.

Of course this suggestion can be seen as obsolete, if MFA is implemented before cough


It’s a good suggestion but, imo, problematic with the administration.

To operate optimally, again IMO, each shared user would need supplemental flagging as to whether MFA is required or not.

I’m not going to require MFA for my mother or family members watching my server on their TVs; it ruins the convenience & experience. (“Quick, get my mobile phone and enter the code on the remote before it times out” – sorry)

If I don’t trust others to secure their devices properly, I won’t share with them.

Again, this is strictly my personal opinion.

When it comes to password complexity: the stupidity of humankind has no boundaries, and as such people tend to go towards easier passwords. I would like to be able to force people to have a regularly changed, decent password. If they don’t like it, they can’t access my server.

It makes the discussion about using regularly changed safe passwords way easier. Without policy they will look you in the eye, agree and ignore your request. Though, if this behavior stops them from accessing my service, I am quite sure they will comply.

I wouldn’t implement MFA that strictly. I would prefer it to only be used where a credentials-based login takes place (e.g. plex.tv, Tautulli) and additionally enforced during device linking. Clients with a valid OIDC token should not require MFA. Though, now that I think about it, this implementation makes more sense in combination with a password policy.

Regarding enforcing regular password changes, you might wanna give this a read:


Yep, I still would like to see it implemented. Restricting the password age alone is worth nothing if you have no control over the complexity of the expected password… I do agree with the article regarding frequent password changes (anything less than 6 months), though I feel that a change once or twice a year is quite okay.
