Remove incredibly strict password reqs #5470
Greptile Summary
This PR significantly relaxes the password requirements for user authentication in the Onyx application. The changes modify the password validation configuration in backend/onyx/configs/app_configs.py to make the default password policy much more permissive.
Specifically, the changes include:
- Reducing the minimum password length from 12 characters to 8 characters
- Changing all password complexity requirements (uppercase, lowercase, digits, special characters) from required by default to optional by default
The configuration still maintains flexibility through environment variables, allowing administrators to enforce stricter requirements if needed. For example, setting PASSWORD_REQUIRE_UPPERCASE=true will still enforce uppercase letter requirements.
This change integrates with the existing password management system that uses the models defined in backend/onyx/server/features/password/models.py for handling password reset requests, responses, and change operations. The relaxed requirements will apply to all password-related operations including new user registration, password resets, and password changes.
The motivation appears to be improving user experience by reducing friction during account creation and password management, while maintaining the ability for organizations to enforce stricter policies through configuration when security requirements demand it.
Confidence score: 3/5
- This PR reduces security defaults which could impact system security posture for deployments using default settings
- Score reflects the trade-off between usability improvements and potential security implications
- Pay close attention to the password configuration changes and consider security implications for your deployment
1 file reviewed, no comments
1 issue found across 1 file
Prompt for AI agents (all 1 issues)
Understand the root cause of the following 1 issues and fix them.
<file name="backend/onyx/configs/app_configs.py">
<violation number="1" location="backend/onyx/configs/app_configs.py:68">
Validate PASSWORD_MIN_LENGTH env value to avoid ValueError on non-integer input; current cast can crash at import time.</violation>
</file>
Validate PASSWORD_MIN_LENGTH env value to avoid ValueError on non-integer input; current cast can crash at import time.
Prompt for AI agents
Address the following comment on backend/onyx/configs/app_configs.py at line 68:
<comment>Validate PASSWORD_MIN_LENGTH env value to avoid ValueError on non-integer input; current cast can crash at import time.</comment>
<file context>
@@ -65,19 +65,19 @@
DISABLE_AUTH = AUTH_TYPE == AuthType.DISABLED
-PASSWORD_MIN_LENGTH = int(os.getenv("PASSWORD_MIN_LENGTH", 12))
+PASSWORD_MIN_LENGTH = int(os.getenv("PASSWORD_MIN_LENGTH", 8))
PASSWORD_MAX_LENGTH = int(os.getenv("PASSWORD_MAX_LENGTH", 64))
PASSWORD_REQUIRE_UPPERCASE = (
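Review bot: the new `PASSWORD_MIN_LENGTH` line has no lower bound, so an operator setting `PASSWORD_MIN_LENGTH=0` (or a negative value) would switch the length check off entirely, and nothing in this hunk keeps it at or below `PASSWORD_MAX_LENGTH` (default 64) on the next line. Alongside the non-integer handling already flagged, consider clamping the parsed value to a floor of 8 and failing fast when the minimum exceeds the maximum, so a bad deployment variable cannot silently weaken or break the policy.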
</file context>
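One way to implement the validation the comment above asks for, as an added example rather than Onyx project code: the env variable names and the 8/64 defaults come from the hunk, while `ABSOLUTE_MIN_LENGTH`, `_env_int` and `load_password_length_policy` are assumed helper names.

```python
import logging
import os
from typing import Mapping, Optional, Tuple

log = logging.getLogger(__name__)

# Floor below which an env override is not honoured (assumed policy value).
ABSOLUTE_MIN_LENGTH = 8


def _env_int(name: str, default: int, env: Optional[Mapping[str, str]] = None) -> int:
    """Read an integer env var; fall back to `default` on unset, blank or non-integer input.

    The original `int(os.getenv(name, default))` raises ValueError at import time
    when the variable holds something like "twelve"; here a bad value is logged
    and the default is used so the service still starts with a sane policy.
    """
    source = os.environ if env is None else env
    raw = source.get(name, "")
    if raw.strip() == "":
        return default
    try:
        return int(raw)
    except ValueError:
        log.warning("Ignoring non-integer %s=%r, using default %d", name, raw, default)
        return default


def load_password_length_policy(env: Optional[Mapping[str, str]] = None) -> Tuple[int, int]:
    """Return (min_length, max_length) after clamping and consistency checks."""
    min_len = _env_int("PASSWORD_MIN_LENGTH", 8, env)
    max_len = _env_int("PASSWORD_MAX_LENGTH", 64, env)
    # A value of 0 or below would disable the minimum entirely; clamp to the floor.
    if min_len < ABSOLUTE_MIN_LENGTH:
        log.warning("PASSWORD_MIN_LENGTH=%d below floor, clamping to %d", min_len, ABSOLUTE_MIN_LENGTH)
        min_len = ABSOLUTE_MIN_LENGTH
    # A maximum below the minimum rejects every password; refuse that configuration outright.
    if max_len < min_len:
        raise ValueError(f"PASSWORD_MAX_LENGTH ({max_len}) is below PASSWORD_MIN_LENGTH ({min_len})")
    return min_len, max_len


if __name__ == "__main__":
    # Constructed sample environments, not real deployment values.
    print(load_password_length_policy({}))                                 # (8, 64)
    print(load_password_length_policy({"PASSWORD_MIN_LENGTH": "twelve"}))  # (8, 64)
    print(load_password_length_policy({"PASSWORD_MIN_LENGTH": "0"}))       # (8, 64)
```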
Description
[Provide a brief description of the changes in this PR]
How Has This Been Tested?
[Describe the tests you ran to verify your changes]
Backporting (check the box to trigger backport action)
Note: You have to check that the action passes, otherwise resolve the conflicts manually and tag the patches.
Summary by cubic
Relaxed the default password policy to reduce friction: minimum length is now 8 (was 12) and uppercase/lowercase/digit/special-character requirements are disabled by default. You can still enforce stricter rules via environment variables.