Password Complexity

[niccol]

If someone can help me out I'd be most grateful. It will prevent me having to work this out from the code....

In a default install:

--what are the complexity rules for customers passwords?

--what are the complexity rules for admin passwords?

Thanks

Nick

[stevesh]

There are none in both cases that I'm aware of (other than the length, as specified in admin), and I thank the developers for it.

[lat9]

I believe that when you are running your admin in SSL-mode, the admin password is required to have at least one alpha-character and one numeric digit; other than that, the only restriction is, as stevesh said, the minimum length that you program in your admin's Configuration->Minimum Lengths.

[DrByte]

the admin password is required to have at least one alpha-character and one numeric digit; other than that, the only restriction is, as stevesh said, the minimum length that you program in your admin's Configuration->Minimum Lengths.

Correct, since v1.5.0.

In 1.3.9 and older, the only requirement was length.

[QuickBooksDev]

I am running 1.5.4 and Admin is in https but the passwords are only restricted by length.

I need to correct this. Please point me where this can be changed.

Thanks

[Website Rob]

Admin -> Admins -> Admin Profiles

Use the "reset password" button for whichever Admin you desire.

[QuickBooksDev]

I do not understand the previous reply which I assume is to my posting that I have ZC 1.5.4 and the only password requirement is to the length.

There is nothing requiring upper/lower case or numbers or special characters. I can use 2222222 and it is accepted.

[carlwhat]

I do not understand the previous reply which I assume is to my posting that I have ZC 1.5.4 and the only password requirement is to the length.

There is nothing requiring upper/lower case or numbers or special characters. I can use 2222222 and it is accepted.

not true. you can see the code for the admin password here:

https://goo.gl/1aqrND

does require 1 letter and 1 number and a minimum length.

there is an override for the admin password. the key name is:

PADSS_PWD_EXPIRY_ENFORCED

this relaxes the requirement for the admin password to be changed every 90 days. it does NOT affect the other requirements (look at the code).

so if all 2s are allowed, someone has modified the code to allow it for v1.5.4.

good luck!

[DrByte]

In v1.5.2 the setting under Admin->Configuration->My Store->PA-DSS PASSWORD ENFORCED was added, to allow the storeowner to choose to make their store non-compliant by disabling the password-rules enforcement.

[carlwhat]

drB,
i'm now a i little confused. that setting only comes into play AFTER the check for:

// admin passwords must contain at least 1 letter and 1 number and be of required minimum length

which is why i referenced the code above. i thought that was for the changing of 90 days and can not be the same as the last 4 passwords.

what am i missing?