J4 Issue
brianteeman
17 Aug 2019

The current default for password length is 4 characters - that's crazy and should be changed to 12 characters.

There should be text on screen that states the minimum length AND a recommendation to use a password manager

The password strength script is anything but a password strength check. It is just counting the complexity not the entropy and basically in its current state will give the green light to a 4 character password.

There is no password strength check when creating the first super user at installation - 1234 is good enough :(

There are similarly lightweight scripts that can replace this useless one and that actually measure the entropy: https://github.com/autonomoussoftware/fast-password-entropy

Currently, although we set a maxlength in the password input, we don't set a minlength - instead we use a custom data-min-length which is just for the JavaScript and doesn't aid password managers etc.

The changes are relatively easy to make and I am happy to volunteer to do it if it's seen to be a good idea.

Thoughts?
@wilsonge @SniperSister
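
As an added illustration of the complexity-versus-entropy point in the issue description above (not part of the original post and not Joomla's code): a class-counting score next to a charset-size entropy estimate. The function names, the 33-symbol pool and the 60-bit floor are assumptions.

```javascript
// Added illustration: names and thresholds are assumptions, not Joomla code.
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 33 }, // printable ASCII symbols incl. space
];

// Complexity-style score: counts which character classes appear (0-4)
// and ignores length entirely, so "aB1!" gets the top score.
function complexityScore(password) {
  return CLASSES.filter((c) => c.re.test(password)).length;
}

// Charset-size entropy estimate in bits: length * log2(pool size).
// This is an upper bound; it assumes characters are chosen at random.
function entropyBits(password) {
  const pool = CLASSES.reduce((n, c) => n + (c.re.test(password) ? c.size : 0), 0);
  return pool === 0 ? 0 : password.length * Math.log2(pool);
}

// Policy check combining the proposals in this thread: minimum length,
// an entropy floor, and a simple case-insensitive username comparison.
function checkPassword(password, username, { minLength = 12, minBits = 60 } = {}) {
  const problems = [];
  if (password.length < minLength) problems.push('too-short');
  if (entropyBits(password) < minBits) problems.push('low-entropy');
  if (username && password.toLowerCase() === username.toLowerCase()) {
    problems.push('equals-username');
  }
  return problems;
}

// Constructed sample inputs.
for (const pw of ['1234', 'aB1!', 'correct horse battery staple']) {
  console.log(pw, complexityScore(pw), entropyBits(pw).toFixed(1), checkPassword(pw, 'admin'));
}
```

The four-character `aB1!` tops the class-counting score yet estimates to roughly 26 bits, while the long lowercase passphrase scores lower on classes and far higher on entropy.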

brianteeman - open - 17 Aug 2019
joomla-cms-bot - change - 17 Aug 2019
Labels Added: ?
joomla-cms-bot - labeled - 17 Aug 2019
brianteeman - change - 17 Aug 2019
The description was changed
brianteeman - edited - 17 Aug 2019
franz-wohlkoenig - change - 17 Aug 2019
Labels Added: J4 Issue
franz-wohlkoenig - labeled - 17 Aug 2019
franz-wohlkoenig - change - 17 Aug 2019
Title: [4.0] RFC password strength → [4.0] [RFC] password strength
Status: New → Discussion
franz-wohlkoenig - edited - 17 Aug 2019
joomla-cms-bot - change - 17 Aug 2019
Labels Added: ?
joomla-cms-bot - labeled - 17 Aug 2019
alikon - comment - 18 Aug 2019

Some time ago I tried to make something in this direction, unfortunately without luck: #18766
After wishing you more good luck, I can only approve this ...

zero-24 - comment - 18 Aug 2019

Sounds like a good idea to me

ReLater - comment - 18 Aug 2019

Just as additional info: #23511

brianteeman - comment - 18 Aug 2019

Thanks all - I guess I have a task to do on my holidays

jeckodevelopment - comment - 26 Aug 2019

I agree, if not 12, we could go with at least 8 characters.
And it would be good to have a check to avoid having same username and password, as suggested in 18766

brianteeman - comment - 26 Aug 2019

> And it would be good to have a check to avoid having same username and password,

As shown that is not as easy as it would seem

jeckodevelopment - comment - 26 Aug 2019

> As shown that is not as easy as it would seem

Yes, I know, but still it would be a good improvement

brianteeman - comment - 11 Sep 2019

@roland-d Don't suppose any of your students are interested in taking this on? I'm stuck on client work.

roland-d - comment - 11 Sep 2019

@brianteeman I am afraid we are out of time.

brianteeman - change - 7 Apr 2020
Status: Discussion → Closed
Closed_Date: 0000-00-00 00:00:00 → 2020-04-07 17:01:58
Closed_By: brianteeman
brianteeman - close - 7 Apr 2020
