#11 (Join Date: Dec 2007; Location: Payson, AZ; Posts: 1,076; Plugin Contributions: 15)

    Re: Password Complexity

    Complexity is a pain... coming from where 12 characters and hardening was required...

    The existing system is one letter, one number at minimum length..

    If you want an almost hardened password then you need to change the regex string for it to work; this is most likely not the best string, regex gives me indigestion...

    In admin/functions/admin_access.php find line 442:
    Code:
        if (!preg_match('/^(?=.*[a-zA-Z]+.*)(?=.*[\d]+.*)[\d\w\s[:punct:]]{' . $minLength . ',}$/', $password)) {
    Change as below:
    Code:
        //if (!preg_match('/^(?=.*[a-zA-Z]+.*)(?=.*[\d]+.*)[\d\w\s[:punct:]]{' . $minLength . ',}$/', $password)) {
        // passwords must contain 1 lower case letter, 1 upper case letter, 1 number, 1 non-word character and be of required minimum length or greater
        if (!preg_match('/^(?=.*[a-z]+.*)(?=.*[A-Z]+.*)(?=.*[\d]+.*)(?=.*[\W])[\d\w\s[:punct:]]{' . $minLength . ',}$/', $password)) {
    This forces 1 upper, 1 lower case letter, 1 number and one non-character... Cat2#has!

    This does nothing to tell the user what they did wrong!! You would have to trap the error and feed it back to the user. The standard error message is all they will see until then.
    Dave
    Always forward thinking... Lost my mind!

#12 (Join Date: Jul 2012; Posts: 16,799; Plugin Contributions: 17)

    Re: Password Complexity

    Quote Originally Posted by davewest:
        Complexity is a pain... coming from where 12 characters and hardening was required...

        The existing system is one letter, one number at minimum length..

        If you want an almost hardened password then you need to change the regex string for it to work; this is most likely not the best string, regex gives me indigestion...

        In admin/functions/admin_access.php find line 442:
        Code:
            if (!preg_match('/^(?=.*[a-zA-Z]+.*)(?=.*[\d]+.*)[\d\w\s[:punct:]]{' . $minLength . ',}$/', $password)) {
        Change as below:
        Code:
            //if (!preg_match('/^(?=.*[a-zA-Z]+.*)(?=.*[\d]+.*)[\d\w\s[:punct:]]{' . $minLength . ',}$/', $password)) {
            // passwords must contain 1 lower case letter, 1 upper case letter, 1 number, 1 non-word character and be of required minimum length or greater
            if (!preg_match('/^(?=.*[a-z]+.*)(?=.*[A-Z]+.*)(?=.*[\d]+.*)(?=.*[\W])[\d\w\s[:punct:]]{' . $minLength . ',}$/', $password)) {
        This forces 1 upper, 1 lower case letter, 1 number and one non-character... Cat2#has!

        This does nothing to tell the user what they did wrong!! You would have to trap the error and feed it back to the user. The standard error message is all they will see until then.
    Of course in the "trapping", and perhaps obvious to some, one would not want to point out: hey, you forgot a capital letter, or hey, you should add one of each of the following two because you missed these two but met the other three requirements.

    Instead, if telling them anything about the complexity or incorrectness, one would want to tell them what is expected for all passwords, not just one part of it or the part that was missing. This is done already for the existing password rules through the admin constant ERROR_PASSWORD_RULES, but if the rules were changed then perhaps so should that text.

    The existing "trapping" really should be the extent of password reporting that is done; otherwise you start getting into weakening a strong password system.
    ZC Installation/Maintenance Support
    Contribution for contributions welcome...

#13 (Join Date: Sep 2015; Location: Daytona Beach, FL USA; Posts: 69; Plugin Contributions: 0)

    Re: Password Complexity

    How can you tell me how my ZC that has been running for over a year is working? It does not reject passwords except for length. I even checked the source code.
    PCI-DSS Strong Password Rules Enforced is On.

    I can create user passwords with 2222222 as stated previously.

    Perhaps you are talking about admin passwords. I am talking about user passwords.

    Isn't the code referenced for the Admin and not the general user?
    Last edited by QuickBooksDev; 4 Jul 2017 at 12:24 PM. Reason: added comment about admin vs user.

#14 (Join Date: Aug 2005; Location: Vic, Oz; Posts: 1,905; Plugin Contributions: 5)

    Re: Password Complexity

    Quote Originally Posted by QuickBooksDev:
        I am running 1.5.4 and Admin is in https but the passwords are only restricted by length.

        I need to correct this. Please point me where this can be changed.

        Thanks
    Quote Originally Posted by QuickBooksDev:
        How can you tell me how my ZC that has been running for over a year is working? It does not reject passwords except for length. I even checked the source code.
        PCI-DSS Strong Password Rules Enforced is On.

        I can create user passwords with 2222222 as stated previously.

        Perhaps you are talking about admin passwords. I am talking about user passwords.

        Isn't the code referenced for the Admin and not the general user?
    Actually, your first post specifically referred to the admin?
    NOT to user passwords....

#15 (Join Date: Sep 2015; Location: Daytona Beach, FL USA; Posts: 69; Plugin Contributions: 0)

    Re: Password Complexity

    Sorry for any confusion.

    I said Admin is in https but the passwords are only restricted by length, which is true because that was mentioned in a previous posting. But I did not mention whether this was for the Admin or User password.

    I need it working for the general user (i.e. someone who is registering to buy from our ZC).

#16 (Join Date: Jul 2012; Posts: 16,799; Plugin Contributions: 17)

    Re: Password Complexity

    Quote Originally Posted by QuickBooksDev:
        Sorry for any confusion.

        I said Admin is in https but the passwords are only restricted by length, which is true because that was mentioned in a previous posting. But I did not mention whether this was for the Admin or User password.

        I need it working for the general user (i.e. someone who is registering to buy from our ZC).
    Is it then both the auto-generation AND the user-entered password that need to meet more complex rules than simply length?
    ZC Installation/Maintenance Support
    Contribution for contributions welcome...

#17 (Join Date: Sep 2015; Location: Daytona Beach, FL USA; Posts: 69; Plugin Contributions: 0)

    Re: Password Complexity

    Yes that is correct. All passwords should be strong passwords.

#18 (Join Date: Jan 2004; Posts: 66,419; Blog Entries: 7; Plugin Contributions: 277)

    Re: Password Complexity

    Since customer passwords are most often created during checkout, and creating extra friction at checkout by enforcing password complexity is likely to cause abandoned sales, I suggest you add a JavaScript widget for showing and encouraging password complexity, and NOT enforce it on the back-end by your store software.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
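Added example, not Zen Cart's code or any poster's: a browser-side checker that mirrors the rule set of the admin_access.php regex change from post #11 and could drive the kind of checkout strength hint suggested in post #18. The rule ids, the 7-character default and the Fair/Weak cut-off are assumptions made for this example.

```javascript
// Added example, not Zen Cart's code: a browser-side mirror of the rule set
// behind the admin_access.php regex change quoted earlier in the thread.
// Rules: at least $minLength characters, one lower-case letter, one upper-case
// letter, one digit and one non-word character, drawn only from digits, word
// characters, whitespace and ASCII punctuation. Rule ids are assumptions.
const RULES = [
  { id: "length",  test: (p, min) => p.length >= min },
  { id: "lower",   test: (p) => /[a-z]/.test(p) },
  { id: "upper",   test: (p) => /[A-Z]/.test(p) },
  { id: "digit",   test: (p) => /\d/.test(p) },
  // \W also matches whitespace, so "Cat2 has" satisfies this rule, exactly as
  // PCRE's (?=.*[\W]) does on the server; a symbol is not actually required.
  { id: "nonword", test: (p) => /\W/.test(p) },
  // JS has no [:punct:], so the allowed alphabet [\d\w\s[:punct:]] is spelled
  // out with the four ASCII punctuation ranges.
  { id: "charset", test: (p) => /^[\w\s!-\/:-@\[-`{-~]*$/.test(p) },
];

// Evaluate a candidate password; minLength stands in for $minLength in
// admin_access.php (7 is a hypothetical default, not the store's setting).
function checkComplexity(password, minLength = 7) {
  const missing = RULES.filter((r) => !r.test(password, minLength))
                       .map((r) => r.id);
  return { ok: missing.length === 0, missing };
}

// Reduce the result to a label for the widget. The cut-off between "Fair"
// and "Weak" is an arbitrary choice for this example.
function strengthLabel(result) {
  if (result.ok) return "Strong";
  return result.missing.length <= 2 ? "Fair" : "Weak";
}

// Wire the checker to a checkout password field in the browser. The hint
// states the full rule set rather than the rule that failed, as advised above.
function attachWidget(inputEl, hintEl, minLength = 7) {
  const render = () => {
    const label = strengthLabel(checkComplexity(inputEl.value, minLength));
    hintEl.textContent = label + " (use " + minLength +
      "+ characters with upper and lower case, a digit and a punctuation character)";
  };
  inputEl.addEventListener("input", render);
  render();
}
```

Because the hint is purely client-side, it adds no checkout friction beyond a label; the server keeps whatever rule it already enforces.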
