Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#30397] - [4.0] Password - Minimum Length

No Code Attached Yet
avatar C-Lodder
C-Lodder
17 Aug 2020

Steps to reproduce the issue

  1. Go to administrator/index.php?option=com_config&view=component&component=com_users
  2. Navigate to the "Password Options" tab
  3. Change the Minimum Length parameter to 7 or below, by typing it in
  4. Click save

Expected result

  • Allow me to set a value below 8

or:

  • Display inline error

or:

  • prevent keystrokes in the field

Actual result

Value defaults back to 12

Additional comments

Having used the input arrows to decrease the number, I can see that 8 is the mimimum.
I dont mind the default as 12, but it should not be up to Joomla to force a minimum length like this....even for development on a localhost.

avatar C-Lodder C-Lodder - open - 17 Aug 2020
avatar joomla-cms-bot joomla-cms-bot - change - 17 Aug 2020
Labels Added: ?
avatar joomla-cms-bot joomla-cms-bot - labeled - 17 Aug 2020
avatar Quy
Quy - comment - 17 Aug 2020

Related #30282

avatar roland-d
roland-d - comment - 17 Aug 2020

The issue #30282 is not related, it just uses this feature to show a bug in the system. It could have been any other feature that does form validation.

Issue #29859 is the implementation of this feature.

avatar ceford
ceford - comment - 10 Oct 2020

I think that com_config/src/controller/ComponentController.php needs return false; on line 120.

avatar HLeithner HLeithner - change - 18 Oct 2020
Status New Closed
Closed_Date 0000-00-00 00:00:00 2020-10-18 14:33:06
Closed_By HLeithner
avatar HLeithner HLeithner - close - 18 Oct 2020
avatar HLeithner
HLeithner - comment - 18 Oct 2020

That's expected behavior because 8 chars are the minimum password length. One of the main reasons for this is that even on localhost and especially local development get deployed on live systems.

If you really want a insecure password you have to write a plugin to override the limitation settings.

avatar C-Lodder
C-Lodder - comment - 18 Oct 2020

@HLeithner I don't care if it's expected or not. If you don't allow 7 character passwords, display an inline alert. This is simple UX.
A blind user will have a nightmare trying to fill this form in.

Please re-read the issue. I'm not raising an issue about the actual minimum length required for a password. I'm raising an issue because the page allows you to save a min value that isn't actually allowed, with no warning whatsoever.

avatar HLeithner HLeithner - change - 18 Oct 2020
Status Closed New
Closed_Date 2020-10-18 14:33:06
Closed_By HLeithner
avatar HLeithner
HLeithner - comment - 18 Oct 2020

Ok sorry then the validator should be fixed but I would expect that a screenreader notifies the user about the min and max attributes.

avatar HLeithner HLeithner - reopen - 18 Oct 2020
avatar brianteeman
brianteeman - comment - 18 Oct 2020

#30906 came close to fixing this as it gave the error message but it didnt stop the form also saying it was successfuly saved

avatar Quy
Quy - comment - 19 Nov 2021

Fixed in #31105.

avatar Quy Quy - change - 19 Nov 2021
Status New Closed
Closed_Date 0000-00-00 00:00:00 2021-11-19 22:49:04
Closed_By Quy
Labels Added: No Code Attached Yet
Removed: ?
avatar Quy Quy - close - 19 Nov 2021

Add a Comment

Login with GitHub to post a comment