[#23511] - [4.0] [RFC] Shall we increase the default values for "Password Options" a bit?
- Closed
- 15 Feb 2019
- Medium
- Build: staging
- # 23511
Steps to reproduce the issue
- Go to Users > Options (
administrator/index.php?option=com_config&view=component&component=com_users) - Check the default settings for "Password Options".
These values are faaaar away from being secure. J4 gives us the possibility to define a little bit more secure default settings for newly created accounts.
Suggestions please if accepted.
joomla-cms-bot
- | Labels |
Added:
?
|
||
| Labels |
Added:
?
|
||
Only new users or users with a flag "Require Password Reset" will be forced to respect theses settings. Existing passwords are not affected. I haven't tested that with J4 but in J3 it's like that.
BTW: If an administrator creates a new user account (back-end) without entering a password these settings are also ignored (hard coded length of new random password). Maybe that should be also lengthened a bit(?)
If the settings are ignored then that is a bug
If an administrator creates a new user account (back-end) without entering a password these settings are also ignored
Just to confirm this behavior in J4:
- The password length in this case is always 8.
- Characters: [a-zA-Z0-9] (random combinations)
- Generated here: https://github.com/joomla/joomla-cms/blob/4.0.0-alpha6/libraries/src/User/UserHelper.php#L495-L497
- Called by: https://github.com/joomla/joomla-cms/blob/4.0.0-alpha6/libraries/src/User/User.php#L584
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-02-15 21:17:36 |
| Closed_By | ⇒ | ReLater |
IIRC (and I could be wrong) the reason for the current default values was because of how to handle existing users who created passwords before any restrictions were created