The script used to check for symbols in a password contains a limited set of symbols.
Pull Request for Issue #41552.
This PR updates the script to ensure that all of the list of special characters/symbols provided by OWASP are also included. They are the punctuation characters that are present on a standard US keyboard.
The entire set of special characters/symbols is now @$!#?=;:*-_€%&()`´+[]{}'"|,.<>/~^
I added the additional comment to the licence so that it is clear that the script has been changed from the original, which probably should have been done earlier when the regex was updated to include @.
This change will require using a prebuilt package or npm ci to test.
Set the password requirements in the User Options Password Minimum Symbols to 1
Try to create a password containing letters and one or more symbols from this list
+[]{}'"|,.<>/~^
The password will be rejected
The password will be accepted
Please select:
Documentation link for docs.joomla.org:
No documentation changes for docs.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
Status | New | ⇒ | Pending |
Category | ⇒ | JavaScript Repository NPM Change |
Labels | Added: NPM Resource Changed, PR-5.2-dev |
I have tested this item ✅ successfully on 388d8e3
Status | Pending | ⇒ | Ready to Commit |
RTC
Labels | Added: RTC |
Please fix javascript cs https://ci.joomla.org/joomla/joomla-cms/76291/1/20
I will not be at a PC for the foreseeable future - feel free to update it directly
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2024-05-22 11:32:25 |
Closed_By | ⇒ | pe7er |
Thank you @brianteeman and @Quy !
The symbol "_" is not correctly recognized as a symbol, so the password "0123456789_Aa" is incorrect and throws an error that a minimum of 1 special character (symbol) is required (only after registration form submit). The progress bar is green while pasting the password. Can you fix that?
@MaverickPOZ please do not comment on closed PR - hardly anyone will see it. Please create a new issue
Default installation shows 0 in Password Options->Minimum Symbols
And so what? This is the default... Please put 1 in that field and use _ in the password.
https://docs.joomla.org/J5.x:Enhancing_Password_Security_with_Symbolic_Characters#Additional_Notes
This change applies to all Joomla 5.2 installations. Administrators should ensure that the password requirements are updated in the configuration to take full advantage of the enhanced security features.
For the end user, enabling it by default would be a better option
Ivan, I have a fresh J5.2 and nothing changed - please provide a password with the symbol _ "TestPassword123With_" at https://demo.webster-studio.pl/login?view=registration - the bar is green but after submitting the form the error with "no symbol" appears.
This is a separate issue. The client side password has passed validation there but the server side uses this:
$nsymbols = preg_match_all('[\W]', $value, $smatch);
on line 133 of libraries/src/Form/Rule/PasswordRule.php - I think underline does not count as a non-word character.
I have tested this item ✅ successfully on 388d8e3
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43484.
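
The client/server mismatch discussed in the last comments, as an added example that is not part of the PR or of Joomla's code: it compares a count over the symbol set from the PR description with a count using the `\W` class quoted from PasswordRule.php, mirrored here in JavaScript. It assumes the client-side script counts exactly the listed set; all function names are hypothetical.

```javascript
// Symbol set quoted in the PR description. Assumption: this is exactly what
// the client-side script counts (the script itself is not shown on the page).
const CLIENT_SYMBOLS = "@$!#?=;:*-_€%&()`´+[]{}'\"|,.<>/~^";

// Client-side view: count characters that are members of the listed set.
function countClientSymbols(password) {
  return [...password].filter((ch) => CLIENT_SYMBOLS.includes(ch)).length;
}

// Server-side view: the thread quotes preg_match_all('[\W]', ...).
// \W means "not [A-Za-z0-9_]", so an underscore is never counted.
function countServerSymbols(password) {
  return (password.match(/\W/g) || []).length;
}

// Differential check: which listed symbols does \W fail to count?
function symbolsMissedByServer() {
  return [...CLIENT_SYMBOLS].filter((ch) => countServerSymbols(ch) === 0);
}

// Run both checks for one password against a minimum-symbols setting.
function compare(password, minSymbols) {
  const client = countClientSymbols(password) >= minSymbols;
  const server = countServerSymbols(password) >= minSymbols;
  return { client, server, mismatch: client !== server };
}

// Passwords taken from the thread, plus one constructed sample using "+".
const samples = ["0123456789_Aa", "TestPassword123With_", "Test+Password1"];
for (const pw of samples) {
  console.log(JSON.stringify(pw), compare(pw, 1));
}
console.log("listed symbols not matched by \\W:", symbolsMissedByServer());
```

Running the same differential check in CI whenever either symbol definition changes would catch this kind of drift between the two validators before release.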