By default, the generated password in Joomla! is set to 8 characters without any special characters (e.g. $, %, @).
I suggest improving security by generating, by default, a 10-character password with special characters.
I applied a patch on GitHub.
Before sharing the patch, I tested it on the latest current versions of the Joomla 2.5 and 3 branches.
Test Procedure:
1. Create a new user account leaving the password field blank (sending passwords by e-mail must be enabled).
2. The generated password will not have any special characters - only letters and numbers.
and
http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31912
The original, failed bcrypt PR proposed to have a 16 char random password. In theory I would agree with you that a longer password is better, but we have 2 issues here:
Anyway, due to this PR changing the current API, I'd like to request to reject this PR.
And with the words of Cato the Elder: Ceterum censeo Joomlacode esse delendam (I believe that Joomlacode has to be destroyed. ;-) )
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2014-03-04 20:22:32 |
There are already changes in length in the bcrypt pull request. Why don't you take a look at that and see what you think and if you have suggestions. #1745