SOLVED - Setting to relax the password rules?

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Kohmaru
Joomla! Apprentice
Posts: 32
Joined: Fri May 12, 2006 3:20 pm

SOLVED - Setting to relax the password rules?

Post by Kohmaru » Sat Mar 01, 2008 4:44 pm

I noticed on new versions of Joomla that the password creation
rules have gotten more complex. The passwords now need to be:
"No spaces, more than 6 characters and contain 0-9,a-z,A-Z."
I don't want to burden my users with long passwords.
Is there any setting to relax the password rules?
Last edited by Kohmaru on Sun Mar 02, 2008 1:42 pm, edited 1 time in total.

igrimpe
Joomla! Enthusiast
Posts: 234
Joined: Wed Feb 20, 2008 8:59 am

Re: Setting to relax the password rules?

Post by igrimpe » Sat Mar 01, 2008 5:09 pm

This is the "security" category and you ask for "insecurity". So maybe better ask in "general"?

BTW: As far as I can see, this does not mean: MUST CONTAIN AT LEAST, but instead means "CAN ONLY CONTAIN".
Means "PASSWORD" is a valid password.

As far as I can see, the code (in form.php) is:

Code: Select all

var r = new RegExp("[\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-]", "i");
(...)
} else if (r.exec(form.password.value)) {
		alert( "<?php printf( JText::_( 'VALID_AZ09', true ), JText::_( 'Password', true ), 4 );?>" );
That one only checks for "illegal" chars. I wonder why they are forbidden? I wonder why they do a check against a list of forbidden chars and not against allowed chars?

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: Setting to relax the password rules?

Post by Beat » Sun Mar 02, 2008 10:33 am

Did somebody notice that in Joomla User Edit password length requirement is only 4 chars instead of 6 (verified it !) : see reason in the code above...

Reported corresponding security bug here with backlink to this thread:

http://joomlacode.org/gf/project/joomla ... m_id=10008
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

igrimpe
Joomla! Enthusiast
Posts: 234
Joined: Wed Feb 20, 2008 8:59 am

Re: Setting to relax the password rules?

Post by igrimpe » Sun Mar 02, 2008 12:05 pm

Did somebody notice
I was wondering if ",4" might be correct, but I'm in no way an expert in regex ... ;)

Since they are only checking against forbidden chars, passwords containing german umlauts (for example) aren't a problem, though it clearly says a-Z and 0-9.

As said, I'm no regex expert, but I'd change it to check for length and with regex simply "eat" all allowed chars. If something remains, it must be forbidden ;)
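
The two approaches discussed above, side by side, as an added example (editor's illustration, not Joomla's code and not code posted by anyone in this thread). The deny-list regex is the one quoted from form.php earlier in the thread, transcribed into a regex literal; the allow-list version implements the "eat all allowed chars, anything left over is forbidden" idea, with a minimum length of 6 assumed from the rule text in the first post. It shows why "PASSWORD" passes the deny list, why umlauts slip through it even though the message says a-z/0-9, and, as a side effect of the literal "|" characters inside the brackets, why a pipe is rejected too.

```javascript
// Added example: deny-list check as posted in this thread vs. an allow-list check.
// Not Joomla's code; minLength = 6 is an assumption taken from the rule text quoted
// in the first post.

// The deny-list regex from the quoted form.php snippet. Inside the square brackets
// the "|" characters are literal pipes, not alternation, so "|" is rejected as well,
// while any character that is not listed (a space, "ü", "€", ...) is accepted.
const DENY_LIST = /[<|>|"|'|%|;|(|)|&|+|-]/i;

// Mirrors the original check: true when the password contains none of the listed chars.
function passesDenyList(password) {
  return DENY_LIST.exec(password) === null;
}

// Allow-list approach: every permitted character is consumed by the global regex;
// whatever survives the replace is, by definition, not permitted.
const ALLOWED_CHARS = /[0-9a-zA-Z]/g;

// Returns a list of human-readable problems; an empty list means the password is acceptable.
function allowListProblems(password, minLength = 6) {
  const problems = [];
  if (password.length < minLength) {
    problems.push("shorter than " + minLength + " characters");
  }
  const leftover = password.replace(ALLOWED_CHARS, "");
  if (leftover.length > 0) {
    problems.push("forbidden characters: " + JSON.stringify(leftover));
  }
  return problems;
}

function isValidPassword(password, minLength = 6) {
  return allowListProblems(password, minLength).length === 0;
}

// Stand-alone demo over constructed sample inputs.
if (typeof require !== "undefined" && require.main === module) {
  for (const pw of ["PASSWORD", "pa<ss", "a|b", "grüße", "1234", "abc def"]) {
    console.log(JSON.stringify(pw), "deny-list:", passesDenyList(pw),
      "allow-list:", allowListProblems(pw));
  }
}
```

Note the asymmetry the thread points at: the deny list only answers "does it contain one of these eleven characters", so the set of what it lets through is open-ended, whereas the allow list states exactly what is acceptable and reports length and character problems independently.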

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: Setting to relax the password rules?

Post by Beat » Sun Mar 02, 2008 12:12 pm

Actually the regex is only forbidding those characters in there.

While I can understand this for usernames, I don't see the reason to restrict characters in passwords. I checked the PHP code of 1.5.1 for that, and the PHP code accepts and handles correctly any character.

So that Javascript regex could be removed from registrations.

As a matter of fact, in user profile updates, it's not in there at all, and the only check is in PHP for checking that password length is 4 characters. In the JS-mootools frontend it's 2 characters even, if I remember.

Weird.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

Kohmaru
Joomla! Apprentice
Posts: 32
Joined: Fri May 12, 2006 3:20 pm

Re: Setting to relax the password rules?

Post by Kohmaru » Sun Mar 02, 2008 1:41 pm

I do not understand what you guys are talking about, but I will take that as a "No".
I think it's a bother that I can't use 123456 as a password on test installs. I can't even use 1234567, it has to be mixed with letters.

Thanks anyway.

igrimpe
Joomla! Enthusiast
Posts: 234
Joined: Wed Feb 20, 2008 8:59 am

Re: SOLVED - Setting to relax the password rules?

Post by igrimpe » Sun Mar 02, 2008 2:34 pm

I think it's a bother that I can't use 123456 as a password on test installs
Just tested with 1.5.1 : Using 1234 as password is accepted.
