Pull Request for Issue #29476
As mentioned in a bunch of tickets (see #29476), we have either no password policy at all or a really bad one.
Therefore, we the JSST suggest the following for the Joomla Core:
Policy would be:
by default in the installer we have no PW policy
by default we had the min 4 char PW policy.
by default we have a 12 character minimum length pw policy enforced in the installer and set per default
None.
Status: New ⇒ Pending
Category: ⇒ Administration, com_users, Language & Strings, JavaScript, Repository, NPM Change, Installation, SQL, Postgresql, Libraries
Labels added: NPM Resource Changed
Forcing 12 character minimum on all sites is unreasonable.
Well, it is just the default configuration and can be changed at any time by the site owner.
That 12 character stuff is based on the recommendation of the US and EU authorities, with us choosing not to enforce any complexity rules by default and for that reason choosing 12 chars.
To me the initial super user has to have a secure PW, where 12 chars is not optimal but a big step in the right direction in my view (from just one char minimum right now).
No, it cannot be changed. 12 is now minimum allowed length. If this is not intentional, revert this change https://github.com/joomla/joomla-cms/pull/29859/files#diff-696886a9a37e99baabf37a9b31776d73L172-R172.
Ha, seems I missed that. What kind of minimum would you suggest there, 8 maybe?
NOTE: on upgraded sites you have to open and save the com_users options before the changes here have any effect
Yes this is only for new installs right now. I don’t think we should mess with the settings of the users here right?
Yes, right now I don't intend to update the config on upgraded sites.
While I think no one is going to disagree with
enforce a password policy in Joomla 4 during installation [For the initial, first, Super Admin account]
I think most would disagree with
We have a 12 character minimum length and Site Owners are now no longer able to set a smaller figure for THEIR site AFTER installation using com_users configuration. Meaning EVERY USER EVER will need a 12 char minimum password.
After installation those decisions should be made by the site admin, not the JSST.
If a site admin wants 4 chars (like the government agency I worked for last month) then they should be allowed to be idiots and use 4 chars minimum. It should be configurable as it is now (although now they can go to 4 chars) - I don't know how low Joomla should "allow" but no one has ever complained at 4 chars.
Making it so every Joomla 4 user MUST have 12 char or above passwords for every user and not being able to override that as a Site Owner, will bring complaints.
I can already see the blog posts explaining how to "fix" this "bug" to allow less chars on your site after installation... haha
Therefore I think increasing from 4 to 8 and allowing 8 chars (configurable down from 12 after installation) is a good compromise and can be spun as "better".
edit: I see that it's lowered to 8 as a configurable option, is that as low as Joomla wants to "enforce" on its site owners? Is that even Joomla's decision to make once the site is installed?
If I may suggest, and feel free to shoot it down, but a "development mode flag" such as that used for JOOMLA_INSTALLATION_DISABLE_LOCALHOST_CHECK
and the skipping of the "delete installation folder to allow joomla access after install" so that DURING CODE DEVELOPMENT you can bypass the INSTALLER Password Policy ...
Because "Aint no body got time for that", typing 12 chars, in development mode, instead of using admin/admin as we all do ;-) Just a thought.
Well, my main issue with that is that most of the localhost sites will be moved to a live site after development, right? So that would result in a super user without a proper pw policy in public.
JOOMLA_INSTALLATION_DISABLE_LOCALHOST_CHECK
can be used as an environment variable, like in the official Joomla docker images, so a similar thing could be used, and set as an environment variable locally.
I dont think moving a site from dev to live would normally involve moving a ENV var too...
It is not about an env var. When you set up a local site with that env var set you would be allowed to bypass the PW rules and the user with the highest privileges would be set up. Now that site is ready and you move it to the live server; the user is not changed and is still running with a PW not matching the pw rules.
I personally don't see a reason to allow admin/admin anyway. Given that all of us have many PWs in mind anyway, choosing a 12 char PW that you use for development should be possible. You can also use a PW manager for that.
Because "Aint no body got time for that", typing 12 chars, in development mode, instead of using admin/admin as we all do ;-) Just a thought.
Well, please don't count me in on that "as we all do".
I don't use admin as user name nor at any point admin as pw, given that we all know that this is a well known combination and should not be used in my point of view.
It was just a thought - and you have provided good reasons why it should not happen. I'm happy with that.
I 100% agree with enforcing a long password during installation for the super user.
I 100% agree with setting a long length as the default in com_users for new passwords
However a default setting is not the same as a minimum which is what is happening here. If I want my site to have a minimum of 9 or 10 characters I should be able to do that
You are right @brianteeman, that was the thing @SharkyKZ noticed and was patched yesterday. Right now the minimum would be 8, up from 4.
However a default setting is not the same as a minimum which is what is happening here.
The new "default" minimum is 12, but after installation you CAN downgrade that to 8 minimum (previously it was 4 minimum)
If I want my site to have a minimum of 9 or 10 characters I should be able to do that
You can still after this
What broke?
Commented here #29859 (comment)
Set the maximum length to 2005 (the year joomla was founded)
You might want to step that by something else; Joomla will be rendering 1997 rows, increasing the page size considerably :) :) :)
of course there is a scroll bar, in all browsers - but there is also 1997 rows of HTML to generate all those options :)
<option>1000</option>
What is your total page size now? think slow networks, 3G, 3rd world internet speeds.
Might be better just being a text box rather than a number selector?
Look at the source - it now has 1997 extra lines - just make it a regular text input - no one is going to scroll down to 2002
edit: typed at the same time as phil
I'm actually not concerned people will need to scroll - I'm more concerned at the overall page size in Mb that needs to be downloaded. I'm mobile so I cannot check the actual size, but from experience (when I screwed up), having an extra 2000 lines of HTML for one dropdown (or in my case 30 dropdowns of 1000 rows) the page size was huge.
I may have 1Gbps symmetrical fibre to the desk - but others in the world only have a "smaller" connection to the internet :)
I was writing in shorthand - file size is absolutely an issue
Please check and test the latest commit that should address the issue and even removes the suggested maximum at this place.
Category: Administration, com_users, Language & Strings, JavaScript, Repository, NPM Change, Installation, SQL, Postgresql, Libraries ⇒ Administration, com_users, Language & Strings, JavaScript, Repository, NPM Change, Installation, SQL, Postgresql, Libraries, Unit Tests
Why? You can still configure such rule?
Those strings are obsolete because of the new strings.
I have tested this item
I have tested this item
Tested successfully
One note: I think it's too late to inform the user during setup about their password choice AFTER the database form is filled out.
It should be right after the admin password is set, similar to a message about a missing mandatory field.
I have tested this item
Status: Pending ⇒ Ready to Commit
RTC
Status: Ready to Commit ⇒ Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 ⇒ 2020-08-05 08:57:58
Closed_By: ⇒ roland-d
Should these be 12? On the installation page, password and db password are 4. Changing to 12 will force both to be 12.
<input type="password" name="jform[admin_password]" id="jform_admin_password" value="" autocomplete="new-password" class="form-control form-control required" maxlength="99" required="" data-min-length="4">
Yes, please do a PR. Seems I have missed them when checking the places where we used 4 before.
So OK to force db password to be a minimum of 12?
Well, the db password is out of our control; we cannot force any rule there.
I sincerely hope not as we would not be able to use root anymore.
Please remember that on many hosting environments the mysql password is provided by the host and is not under the users control
There is a data-min-length attribute in db password but no validation is applied.
<input type="password" name="jform[db_pass]" id="jform_db_pass" value="" autocomplete="off" class="form-control form-control" maxlength="99" data-min-length="12">
Yes, and we cannot enforce any validation given that this is out of our, and in most cases also the site owner's, control. We might want to remove the maxlength and min-length attributes from the output.
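As an added example (not Joomla's own code): a small Node.js script that parses the two input tags quoted in this thread and applies the length check their data-min-length attribute implies, while exempting the database password field since, as discussed above, Joomla cannot enforce rules on a host-issued DB password. The exemption list and the function names are this example's assumptions.

```javascript
// Markup copied from the thread above; the rules below are an assumption of this example.
const ADMIN_PASSWORD_INPUT =
  '<input type="password" name="jform[admin_password]" id="jform_admin_password" value="" ' +
  'autocomplete="new-password" class="form-control form-control required" maxlength="99" ' +
  'required="" data-min-length="12">';
const DB_PASSWORD_INPUT =
  '<input type="password" name="jform[db_pass]" id="jform_db_pass" value="" autocomplete="off" ' +
  'class="form-control form-control" maxlength="99" data-min-length="12">';

// Parse the name="value" attributes of a single <input ...> tag into a plain object.
function parseInputAttrs(html) {
  const attrs = {};
  const re = /([a-zA-Z-]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    attrs[m[1]] = m[2];
  }
  return attrs;
}

// Fields whose value Joomla does not control (the DB password is issued by the host)
// are skipped even if the markup still carries a data-min-length attribute.
const UNENFORCED_FIELDS = new Set(['jform[db_pass]']);

// Returns { ok, reason } for the given field markup and candidate value.
function checkPassword(html, value) {
  const attrs = parseInputAttrs(html);
  const name = attrs.name || '';
  if (UNENFORCED_FIELDS.has(name)) {
    return { ok: true, reason: 'length not enforced for ' + name };
  }
  const min = parseInt(attrs['data-min-length'] || '0', 10);
  const max = parseInt(attrs.maxlength || '0', 10);
  // required="" is present on the Super User field but absent on the DB field.
  if (attrs.required !== undefined && value.length === 0) {
    return { ok: false, reason: name + ' is required' };
  }
  if (value.length < min) {
    return { ok: false, reason: name + ' needs at least ' + min + ' characters' };
  }
  if (max > 0 && value.length > max) {
    return { ok: false, reason: name + ' exceeds ' + max + ' characters' };
  }
  return { ok: true, reason: 'ok' };
}

console.log(checkPassword(ADMIN_PASSWORD_INPUT, 'admin'));  // rejected: shorter than 12
console.log(checkPassword(DB_PASSWORD_INPUT, 'root'));      // accepted: field is exempt
```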