[Closed] Enforce minimum password complexity?

13 Posts
2 Users
2 Likes
699 Views
Posts: 14
Topic starter
(@ozarkrepair)
Eminent Member
Joined: 1 year ago

So, I did some initial digging into this and the following description is my understanding so far.

For config, I have each of the following set to: "Yes":

Replace Registration Page URL to Forum Registration Page URL
Replace Login Page URL to Forum Login Page URL
Replace Reset Password Page URL to Forum Reset Password Page URL

It looks like there are multiple independent wpForo code paths for setting or changing a password, and it doesn't seem that there is a unifying way to control password min and max length.

Example 1) -- User Account Change Password form:
- The controlling code in this use case appears to be classes/Members.php public function init_fields():

...
$this->fields['user_pass'] = [
  ...
  'description'    => wpforo_phrase( 'Must be minimum 6 characters.', false ),
  'minLength'      => 6,
  'maxLength'      => 20,
  ...
]

- The description, minLength and maxLength params control the HTML input validation that the user experiences on the front end.
- The example fields above yield html code with matching minlength and maxlength validation params:

<input type="password" name="member[user_pass1]" 
value="" id="member_user_pass_6456f90540d1c-new1" class="member_user_pass_6456f90540d1c" 
placeholder="New password" autocomplete="off" 
minlength="6" maxlength="20">

- If I manually change the minLength and maxLength php definitions here, I can successfully get the password validation the way I would like it for this particular scenario. I can change the description via the phrases page mentioned above.
- There does not appear to be a filter to hook into to set these values, for example, from a WPCode snippet.
- There also does not appear to be php password min and max length validation -- only a reliance on this html input validation.

Example 2) -- Initial registration process:
- The controlling code in this use case appears to be classes/Members.php function create( $data )
- In this function, I can verify that during new user registration, when the new user and email are supplied and the form is submitted, the WPCode snippet sets min and max length from the apply_filter mentioned in the previous post. We can see where it gets applied in the create function code here:

$this->login_min_length = apply_filters( 'wpforo_login_min_length', $this->login_min_length );
$this->login_max_length = apply_filters( 'wpforo_login_max_length', $this->login_max_length );

- A little further down in this function's code, there is this elseif which appears to utilize this login_[min|max]_length and should enforce it:

elseif( strlen( $user_pass1 ) < $this->pass_min_length || strlen( $user_pass1 ) > $this->pass_max_length ) {
  WPF()->notice->add( 'Password length must be between %d characters and %d characters.', 'error', [ $this->pass_min_length, $this->pass_max_length ] );
}

- But I don't experience that: immediately after submitting the username and user email for registration, the new user gets an email to set a new password with a link, which when followed, allows the user to set the default min of 6 characters regardless of observing that login_min_length was set to something larger during the initial user form submission.  I suppose that means login_min_length is not getting set properly by wpforo_login_min_length on the password reset page itself; I'm not sure why yet.

Example 3) -- $FQDN/change-password
- The controlling code in this use case appears to be classes/Members.php function update( ... )
- In this function, there is a change password function called:

if( $result_password && wpfval( $user, 'old_pass' ) && wpfval( $user, 'user_pass1' ) ) {
  $result_password = $this->change_password( $user['old_pass'], $user['user_pass1'], $userid );
}

- And in the change password function, it looks like there is possibly a way to validate a min and max length by adding a filter on `wpforo_change_password_validate`, which I don't see any code utilizing anywhere:

if( ! apply_filters( 'wpforo_change_password_validate', true, $old_passw, $new_passw, $user ) ) return false;

- It seems, though, that setting [min|max]Length and/or wpforo_login_[min|max]_length params mentioned above have no effect here either.

So, hopefully I've missed or misunderstood a few things here which can be pointed out...

I am really looking to get a consistent user experience with password min and max lengths across each of the methods a user can choose to set or change their password. From what I see so far, it looks like there are several different mechanisms to try to accomplish this, and it's not clear to me how I could easily go about doing that.

Ideally, there could be a single set of apply_filter params, like the one mentioned in the previous post above, that would get applied consistently across each of these password set/reset use cases: new registration, $FQDN/change-password, and user account UI password reset:

<?php
add_filter('wpforo_pass_min_length', function ($length){ return 16; } );
add_filter('wpforo_pass_max_length', function ($length){ return 48; } );
?>

Appreciate any feedback, thank you.

1 Reply
Chris
(@chris)
Joined: 3 years ago

Famed Member
Posts: 3650

@ozarkrepair,

You can edit the password required length with the User Custom Fields addon. The addon has an option to edit the password field and set the minimum and maximum length of the password.

Posts: 14
Topic starter
(@ozarkrepair)
Eminent Member
Joined: 1 year ago

Thanks @Chris...  I'll follow up with that...  It also looks like I can do some custom php coding using the wpForo hooks to add additional complexity requirements (ex: sample code).

1 Reply
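Added example, not the thread author's code and not part of wpForo: one server-side password policy applied through the hooks the first post quotes, so that the length and character-class rules the topic starter wants (16 to 48 characters, plus some complexity) are enforced in PHP rather than only by the HTML minlength/maxlength attributes, which the first post notes are the only check on the account page. It hooks `wpforo_change_password_validate` with the argument order quoted from classes/Members.php, and reports failures through `WPF()->notice->add()` in the shape the quoted elseif uses. Everything else is an assumption and labelled as such: the constant and function names are invented; `$user` in that filter is assumed to be a member array carrying `user_login`; and the reset-by-e-mail path is assumed to land on WordPress core's reset form, whose `validate_password_reset` action receives a `WP_Error` and the posted `pass1` field. If wpForo renders its own reset form, that path still needs a hook of its own, which is exactly the gap the first post describes.

```php
<?php
// Added example (not wpForo's or the thread author's code). Assumed names:
// OZARK_PASS_* and ozark_password_violations() are hypothetical; the two
// hooks are the ones quoted in the thread (wpForo) and WordPress core.
const OZARK_PASS_MIN = 16;   // limits proposed by the topic starter
const OZARK_PASS_MAX = 48;

/**
 * Return a list of human-readable policy violations; an empty array means
 * the password is acceptable. mb_strlen() counts characters, not bytes, so
 * the limits match what the user sees rather than strlen()'s byte count.
 * $forbidden holds strings the password must not equal (e.g. the login name).
 */
function ozark_password_violations( string $password, array $forbidden = [] ): array {
    $problems = [];
    $len = mb_strlen( $password );
    if ( $len < OZARK_PASS_MIN || $len > OZARK_PASS_MAX ) {
        $problems[] = sprintf( 'Password length must be between %d characters and %d characters.',
                               OZARK_PASS_MIN, OZARK_PASS_MAX );
    }
    if ( ! preg_match( '/[a-z]/', $password ) ) { $problems[] = 'Add at least one lowercase letter.'; }
    if ( ! preg_match( '/[A-Z]/', $password ) ) { $problems[] = 'Add at least one uppercase letter.'; }
    if ( ! preg_match( '/[0-9]/', $password ) ) { $problems[] = 'Add at least one digit.'; }
    foreach ( $forbidden as $word ) {
        if ( $word !== '' && mb_strtolower( $word ) === mb_strtolower( $password ) ) {
            $problems[] = 'The password must not be the same as your login name.';
            break;
        }
    }
    return $problems;
}

if ( function_exists( 'add_filter' ) ) {   // only when loaded inside WordPress
    // Path 3 in the thread: /change-password -> Members::change_password().
    // Filter signature as quoted: ( $valid, $old_passw, $new_passw, $user ).
    add_filter( 'wpforo_change_password_validate', function ( $valid, $old_passw, $new_passw, $user ) {
        if ( ! $valid ) {
            return false;                     // keep an earlier rejection
        }
        $login    = is_array( $user ) ? (string) ( $user['user_login'] ?? '' ) : '';  // assumed shape
        $problems = ozark_password_violations( (string) $new_passw, [ $login ] );
        foreach ( $problems as $message ) {
            WPF()->notice->add( $message, 'error', [] );
        }
        return empty( $problems );
    }, 10, 4 );

    // Reset-by-e-mail path, assuming the link opens WordPress core's reset form.
    // Core runs this action on display and on submit; pass1 is only set on submit.
    add_action( 'validate_password_reset', function ( WP_Error $errors, $user ) {
        if ( ! isset( $_POST['pass1'] ) ) {
            return;
        }
        $login    = ( $user instanceof WP_User ) ? $user->user_login : '';
        $problems = ozark_password_violations( (string) wp_unslash( $_POST['pass1'] ), [ $login ] );
        foreach ( $problems as $message ) {
            $errors->add( 'ozark_weak_password', $message );  // core aborts the reset on any error
        }
    }, 10, 2 );
} elseif ( PHP_SAPI === 'cli' ) {
    // Stand-alone self-check of the policy function outside WordPress.
    if ( ozark_password_violations( 'short1A' ) === [] ) {
        throw new RuntimeException( 'short password should fail' );
    }
    if ( ozark_password_violations( 'Correct-Horse-Battery-9' ) !== [] ) {
        throw new RuntimeException( '23-character mixed password should pass' );
    }
    if ( ozark_password_violations( 'ozarkrepair-Login-1x', [ 'ozarkrepair-Login-1x' ] ) === [] ) {
        throw new RuntimeException( 'password equal to login name should fail' );
    }
    echo "policy self-check passed\n";
}
```

Dropped into a WPCode snippet or a small must-use plugin, the two hooks cover the change-password and reset-by-e-mail paths; the registration path from the first post still depends on whichever length check wpForo's create() applies, so the policy is only as consistent as the hooks wpForo exposes, which is the point the topic starter raises.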
Chris
(@chris)
Joined: 3 years ago

Famed Member
Posts: 3650

@ozarkrepair,

Customizing/adding… the code is at your own risk.

Posts: 14
Topic starter
(@ozarkrepair)
Eminent Member
Joined: 1 year ago

Yes, understood.  At some point in the future, it would be great if wpforo adds a feature for password complexity configuration at which point I'll happily drop the customization that I'd rather not have.

2 Replies
Chris
(@chris)
Joined: 3 years ago

Famed Member
Posts: 3650

@ozarkrepair,

Can you test this plugin? I guess you should be able to change the password requirements with it, as wpForo uses WordPress Hooks for the password:

https://wordpress.org/plugins/password-policy-manager/

The only thing may be that the Text in wpForo Reg/ Password Reset Fields would be the same, but that can be changed from Phrases Page.

(@ozarkrepair)
Joined: 1 year ago

Eminent Member
Posts: 14

Hi @chris.  I was hoping a plugin would be a quick solution and would integrate well, but it didn't, at least for my setup.  I tried that plugin which you linked and another one also a few weeks ago.  Tonight I retested the one you linked since I didn't remember exactly what the problems were from when I initially tested.

On my dev site, I encounter the following issues (briefly):

* The user flow is not ideal.  Often, where a user enters current password, new password and repeat new password, like through the wpForo account page, they are then immediately prompted to redo it again through the plugin password interface a second time.  This is confusing and annoying for a user.

* For the lost password wordpress function, where a user can get an email URL to reset their password, the user goes to the reset URL, is prompted to enter a new password and confirm the new password.  When they click ok to proceed, the plugin password page pops up and asks them to do it all over, but this time, it's not clear what a user should fill in for "Current Password" since they arrived at this page because they lost their password in the first place and are trying to reset it without knowing what the current password is.

* Inconsistent / Buggy: just in testing it for ~15 minutes, I ran into examples of submitting a password reset which didn't work on the first click, but then did work on the second click when nothing had been changed.

* After resetting a password through the plugin interface, and then trying to change the password through wpForo in the account page, this resulted in wpForo reporting "Old password is not valid" even though it was correct.

* Broken looking big and blocky CSS/font when a user tries to submit a password which doesn't meet the complexity requirements as well as an error window in red highlighting which pops up that contains no message for the user and then disappears after a few seconds.  This might just be a conflict with the theme I use (Astra), but it still would be another thing to have to fix.

You bring up a good point, though.  A good password policy plugin where I can just activate it and configure a few settings and have it work would be ideal.  In this case, it seemed like the effort I would have to put in with the plugin support developers to address all these conflicts, issues and/or bugs (with no guarantee they would be fixed) would be higher than just trying to learn to fix it myself with custom code.

So, that's how I ended up trying to address the problem myself.  Too bad it wasn't easier! 🙂

Thank you for the suggestion, though, much appreciated!

Page 2 / 2