Minimum password strength
-
To my great surprise, BuddyPress allows such weak passwords as a single letter or number when changing the password from the front-end.
There are several minimum password strength plugins for WordPress, but none seem to work with the front-end of BuddyPress.
How can I enforce users to select passwords with a minimum of 8 digits, including a number?
-
You’ll need to add some custom validation for this using the bp_signup_validate hook.

```php
function my_validation() {
    // $_POST['signup_password'] is available here to validate
}
add_action( 'bp_signup_validate', 'my_validation' );
```
Have you tried this plugin?
https://wordpress.org/plugins/buddypress-secure-passwords/
Also:
https://buddypress.org/support/topic/strong-passwords/#post-187635
@henrywright
Isn’t that based on the availability of the user name and not on the password strength?
@danbp
That plugin does not seem to work on the user settings page, where users can change their password. The second link you sent me covers things I tried before posting this question. None seem to work. Users can still change their password to something like A or 1 in the front-end user settings page.
That plugin is working. I tested it on
my-site/members/member_name/settings/
and
my-site/register/
But it doesn’t work on admin
my-site/wp-admin/profile.php
And that is not a problem, because users can manage anything related to their account on the front-end, provided you disallow wp-admin access to your members.
How would you force users to change their password once they are registered ?
Asking them to do so ?
Remove their password ?
How can you know the strength of an encrypted user password?
If you remove the password, they are no longer members, so they have to register again anyway. And in this case the plugin becomes very useful.
I tested it on my site and on a clean installation and both do not work on members/member_name/settings/ . Users do see a password strength meter, but can still change their password into something simple as 1 or A. How did you get it to work on members/member_name/settings/?
With WordPress there are many plugins (none that work with the BuddyPress front-end settings page) that set a minimum strength for passwords, such as Login Security Solution and iThemes Security. You can force users to change their password or set a number of days after which users must change their password.
It seems like a major security problem (that has existed for a few years) that BuddyPress allows simple passwords such as 1 and A on members/member_name/settings/
Isn’t that based on the availability of the user name and not on the password strength?
I’m not sure what you mean by “based on the availability of the user name”. But, in order to test for password strength, you need to ‘validate’ what the user has input. In this case, $_POST['signup_password'] will hold what the user has input when asked to choose a username. I didn’t do this part for you in my code snippet, but you could do stuff like this:

```php
if ( strlen( utf8_decode( $_POST['signup_password'] ) ) < 8 ) {
    // The password is less than 8 characters in length, so do something appropriate
} else {
    // The password is 8 or more characters
}
```

This is how you validate. You could add more conditions such as ‘must contain a number’ or ‘must begin with a letter’ etc.
Thank you for the extra explanation. I don’t understand how adding code to set the minimum number of signup_username characters makes sure that the password has a minimum strength.
I tried your code and it does not work for password strength, when users try to change their password on the front-end.
I also tried to change it to signup_password, but that also does not work. It seems to only work on signup and not once members are logged in and try to change their password. This is the code I used.
```php
function my_validation() {
    global $bp;

    if ( ! empty( $_POST['signup_password'] ) ) {
        if ( strlen( $_POST['signup_password'] ) < 9 ) {
            $bp->signup->errors['signup_password'] = __( 'Your password is not strong enough and needs to be at least 9 characters long', 'buddypress' );
        }
    }
}
add_action( 'bp_signup_validate', 'my_validation' );
```
My apologies, I meant $_POST['signup_password']. I copied $_POST['signup_username'] from the bp_core_screen_signup() function. My intention was to grab $_POST['signup_password']. Thanks for spotting my mistake. I have edited my code above to use signup_password.

Also, well done for removing utf8_decode(). Not sure why that slipped in. I must have been having a bad day 🙁

Also,
I tried your code and it does not work for password strength, when users try to change their password on the front-end.
That’s because of the hook you’re using. It will work for the sign up step only. For the change password form, you’ll need a different hook. Take a look through the BP code base to find the one you need.
@henrywright
Could not get it to work. I ‘fixed’ it by removing the whole option for users to change their password. If they want to change it, they can use the lost password option. That does work with WordPress security plugins.

@lisame
Try this, I hope this resolves the issue:
limit-min-max-characters-buddypress-registration-form
Plus I found this as well after some googling:
https://github.com/mgmartel/BuddyPress-Password-Strength-Meter/blob/master/bp-password-strength-meter.php

Henry Wright gave a good explanation; that is the exact same way that I implemented user password validation on my PHP classifieds website, which used to be a WordPress site. Can BuddyPress work easily with a PHP website that is not WordPress-based? It would be a cool feature to add.
Thank you. It is not about the registration form, but the settings page on the front-end. None of these things work on that page.
@lisame as I said earlier, you will need to use a different hook for the settings page, but looking through the bp_settings_action_general() function there seems to be no hook available. You have 2 options from here if you’d like to get this sorted:

- Request the core team insert a hook inside bp_settings_action_general() which will let you validate the new chosen password
- Remove bp_settings_action_general() using remove_action() and roll your own bp_settings_action_general() function, hooking it to bp_actions
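The following is an added example written for this page; it is not code posted in the thread and not BuddyPress's own code. It applies one policy (at least 8 characters and at least one digit, as the question asks) to both forms discussed above: the registration form via the bp_signup_validate hook from Henry's reply, and the front-end settings page via the second option in the last reply, i.e. unhooking the core handler and replacing it with a wrapper that delegates to the core function once the password passes. The helper name lisame_password_policy_error and the other lisame_ functions are made up for the example. It assumes that the settings form posts the new password as pass1/pass2 with nonce action bp_settings_general, that bp_settings_action_general() is attached to bp_actions at default priority, and that unhooking it on bp_init happens after the core has registered it; check those against the BuddyPress version you run before relying on it.

```php
<?php
// Added example, not from the thread or from BuddyPress. Assumptions are marked inline.

// Policy: at least 8 characters and at least one digit (the rule stated in the
// question). Length is counted in characters, not bytes, so multi-byte input is
// not over-counted. Returns an error string, or '' when the password is acceptable.
function lisame_password_policy_error( $password ) {
    if ( mb_strlen( $password, 'UTF-8' ) < 8 ) {
        return __( 'Your password must be at least 8 characters long.', 'buddypress' );
    }
    if ( ! preg_match( '/\d/', $password ) ) {
        return __( 'Your password must contain at least one number.', 'buddypress' );
    }
    return '';
}

// 1. Registration form: the bp_signup_validate hook. The key in the errors
// array matches the form field name, which is how the template shows the message.
function lisame_validate_signup_password() {
    if ( empty( $_POST['signup_password'] ) ) {
        return; // BuddyPress itself reports an empty password
    }
    $error = lisame_password_policy_error( wp_unslash( $_POST['signup_password'] ) );
    if ( '' !== $error ) {
        buddypress()->signup->errors['signup_password'] = $error;
    }
}
add_action( 'bp_signup_validate', 'lisame_validate_signup_password' );

// 2. Front-end settings page (members/<name>/settings/): replace the core
// handler with a wrapper. ASSUMPTIONS: the form posts the new password as
// pass1/pass2, its nonce action is bp_settings_general, and the core handler
// is hooked to bp_actions at default priority.
function lisame_settings_action_general() {
    if ( bp_is_settings_component() && bp_is_current_action( 'general' )
        && ! empty( $_POST['pass1'] ) && isset( $_POST['_wpnonce'] )
        && wp_verify_nonce( $_POST['_wpnonce'], 'bp_settings_general' ) ) {

        $error = lisame_password_policy_error( wp_unslash( $_POST['pass1'] ) );
        if ( '' !== $error ) {
            // Report the error and reload the form. The core handler never runs for
            // this submission, so nothing from it (password or e-mail) is saved.
            bp_core_add_message( $error, 'error' );
            bp_core_redirect( trailingslashit( bp_displayed_user_domain() . bp_get_settings_slug() . '/general' ) );
            return;
        }
    }
    // Policy satisfied, or no password change requested: normal core behaviour.
    bp_settings_action_general();
}

function lisame_replace_settings_handler() {
    // bp_init fires after the settings component has registered its action
    // and before bp_actions runs (assumption; verify for your BuddyPress version).
    remove_action( 'bp_actions', 'bp_settings_action_general' );
    add_action( 'bp_actions', 'lisame_settings_action_general' );
}
add_action( 'bp_init', 'lisame_replace_settings_handler' );
```

Drop this into bp-custom.php or a small site plugin. Two caveats: a length-plus-digit rule only rules out trivial passwords like "1" or "A", it does not stop common or breached passwords, and any other path that sets a password (wp-admin/profile.php, the lost-password flow, WP-CLI) is not covered by these two hooks and needs its own check.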