Skip to:
Content
Pages
Categories
Search
Top
Bottom

Minimum password strength


  • Lisa
    Participant

    @lisame

    To my great surprise Buddypress allows such weak passwords such as a single digit letter or number when changing the password from the front-end.

    There are several minimum password strength plugins for WordPress, but none seem to work with the frond-end of Buddypress.

    How can I enforce users to select passwords with a minimum of 8 digits, including a number?

Viewing 18 replies - 1 through 18 (of 18 total)

  • Henry Wright
    Moderator

    @henrywright

    You’ll need to add some custom validation for this using the bp_signup_validate hook.

    function my_validation() {
        // $_POST['signup_password'] is available here to validate
    }
    add_action( 'bp_signup_validate', 'my_validation' );

    danbp
    Participant

    @danbp


    Lisa
    Participant

    @lisame

    @henrywright
    Isn’t that based on the availability of the user name and not on the password strength.


    @danbp

    That plugin does not seem to work on the user settings page, where users can change their password..

    The second link you send me, where things I tried before posting this question. None seem to work. Users can still change their password to something like A or 1 in the front-end user settings page.


    danbp
    Participant

    @danbp

    That plugin is working. I tested it on my-site/members/member_name/settings/ and my-site/register/ But it doesn’t work on admin my-site/wp-admin/profile.php

    And that is not a problem, because users can manage anything related to their account on front-end. Under condition you disallow wp-admin access to your members.

    How would you force users to change their password once they are registered ?

    Asking them to do so ?
    Remove their password ?
    How can you know the strength of an encrypted user password ?

    If you remove the password, they are no more members, so they have anyway to register again. And in this case the plugin becames very usefull.


    Lisa
    Participant

    @lisame

    I tested it on my site and on a clean installation and both do not work on members/member_name/settings/ . Users do see a password strength meter, but can still change their password into something simple as 1 or A. How did you get it to work on members/member_name/settings/?

    With WordPress there are many plugins (none that work with buddypress frond-end settings page) that set a minimum strength for passwords. Such as Login Security Solution and iThemes Security. You can force users to change their password or set an amount of days when users must change their password.

    It seems like a major security problems (that has existed for a few years) that Buddypress allows simple passwords such as 1 and A on members/member_name/settings/


    Henry Wright
    Moderator

    @henrywright

    Isn’t that based on the availability of the user name and not on the password strength.

    I’m not sure what you mean by “based on the availability of the user name”. But, in order to test for password strength, you need to ‘validate’ what the user has input. In this case, $_POST['signup_password'] will hold what the user has input when asked to choose a username.

    I didn’t do this part for you in my code snippet, but you could do stuff like this:

    if ( strlen( utf8_decode( $_POST['signup_password'] ) ) < 8 ) {
        // The username is less than 8 characters in length so do something appropriate
    } else {
        // The username is 8 or more characters
    }

    This is how you validate. You could add more conditions such as ‘must contain a number’ or ‘must begin with a letter’ etc.


    Lisa
    Participant

    @lisame

    @henrywright

    Thank you for the extra explanation. I don’t understand how adding a code to set the minimum number of signup_username characters, makes sure that the passwords has a minimum strength.


    Lisa
    Participant

    @lisame


    @henrywright

    I tried your code and it does not work for password strength, when users try to change their password on the front-end.

    I also tried to change it to signup_password, but that also does not work. It seems to only work on signup and not once members are logged in and try to change their password. This is the code I used.

    function my_validation() {
     global $bp;
    
     if ( !empty( $_POST['signup_password'] ) )
       if ( strlen( $_POST['signup_password'] ) < 9 )
        $bp->signup->errors['signup_password'] = __( 'Your password is not strong enough and needs to be at least 9 characters long', 'buddypress' );  
     }
     add_action( 'bp_signup_validate', 'my_validation');

    Henry Wright
    Moderator

    @henrywright

    My apologies, I meant $_POST['signup_password']. I copied $_POST['signup_username'] from the bp_core_screen_signup() function. My intention was to grab $_POST['signup_password'].

    Thanks for spotting my mistake. I have edited my code above to use signup_password.


    Henry Wright
    Moderator

    @henrywright

    Also, well done for removing utf8_decode(). Not sure why that slipped in. I must have been having a bad day 🙁


    Henry Wright
    Moderator

    @henrywright

    Also,

    I tried your code and it does not work for password strength, when users try to change their password on the front-end.

    That’s because of the hook you’re using. It will work for the sign up step only. For the change password form, you’ll need a different hook. Take a look through the BP code base to find the one you need.


    Lisa
    Participant

    @lisame

    @henrywright
    Could not get it to work. I ‘fixed’ it by removing the whole option for users to change their password. If they want to change it, they can use the lost password option. That does work with wordpress security plugins.


    Security
    Participant

    @shivam-kumar

    @@lisame
    Try this i hope this resolves the issue out
    limit-min-max-characters-buddypress-registration-form


    Security
    Participant

    @shivam-kumar


    mase857
    Participant

    @mase857

    Henry Wright gave a good explanation, that is the exact same way that I implemented user password and validation on my php classifieds website, which used to be a wordpress site. Can buddypress work easily with a PHP website that is not wordpress-based? It would be a cool feature to add.


    Lisa
    Participant

    @lisame

    Thank you. It is not about the registration form. But the settings page on the fron-end. None of these things work on that page.


    kohlscouponz
    Participant

    @kohlscouponz

    it is that based on the availability of the user name and not on the password strength. Kohls coupon codes 30%, printable plus free shipping online.


    Henry Wright
    Moderator

    @henrywright

    @lisame as I said earlier, you will need to use a different hook for the settings page but looking through the bp_settings_action_general() function there seems no hook available.

    You have 2 options from here if you’d like to get this sorted:

    1. Request the core team insert a hook inside bp_settings_action_general() which will let you validate the new chosen password
    2. Remove bp_settings_action_general() using remove_action() and roll your own bp_settings_action_general() function, hooking it to bp_actions
Viewing 18 replies - 1 through 18 (of 18 total)
  • The topic ‘Minimum password strength’ is closed to new replies.
Skip to toolbar