SOLVED - Setting to relax the password rules?

Kohmaru · Post by **Kohmaru** » Sat Mar 01, 2008 4:44 pm

I noticed on new versions of Joomla that the password creation
rules have gotten more complex. The passwords now need to be:
"No spaces, more than 6 characters and contain 0-9,a-z,A-Z."
I don't want to burden my users with long passwords.
Is there any setting to relax the password rules?

igrimpe · Post by **igrimpe** » Sat Mar 01, 2008 5:09 pm

This is the "security" category and you ask for "insecurity". So maybe better ask in "general"?

BTW: As far as I can see, this does not mean: MUST CONTAIN AT LEAST, but instead means '"CAN ONLY CONTAIN".
Means "PASSWORD" is a valid password.

As far as I can see, the code (in form.php) is:

Code: Select all

var r = new RegExp("[\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-]", "i");
(...)
} else if (r.exec(form.password.value)) {
		alert( "<?php printf( JText::_( 'VALID_AZ09', true ), JText::_( 'Password', true ), 4 );?>" );

That one only checks for "illegal" chars. I wonder why they are forbidden? I wonder why they do a check against a list of forbidden chars and not against allowed chars?

Post by **Beat** » Sun Mar 02, 2008 10:33 am

Did somebody notice that in Joomla User Edit password length requirement is only 4 chars instead of 6 (verified it !) : see reason in the code above...

Reported corresponding security bug here with backlink to this thread:

http://joomlacode.org/gf/project/joomla ... m_id=10008

igrimpe · Post by **igrimpe** » Sun Mar 02, 2008 12:05 pm

Did somebody notice

I was wondering if ",4" might be correct, but I'm in no way an expert in regex ...

Since they are only checking against forbidden chars, passwords containing german umlauts (for example) aren't a problem, though it clearly says a-Z and 0-9.

As said, I'm no regex expoert, but I'd change it to check for length and with regex simply "eat" all allowed chars. If something remains, it must be forbidden

Post by **Beat** » Sun Mar 02, 2008 12:12 pm

Actually the regex is only forbidding those characters in there.

While i can understand this for usernames, i don't see the reason to restrict characters in passwords. I checked the PHP code of 1.5.1 for that, and the php code accepts and handles correctly any character.

So that Javascript regex could be removed from registrations.

As a matter of fact, in user profile updates, it's not in there at all, and the only check is in PHP for checking that password length is 4 characters. In the JS-mootools frontend it's 2 characters even if i remember.

Wierd.

Kohmaru · Post by **Kohmaru** » Sun Mar 02, 2008 1:41 pm

I do not understand what you guys are talking about, but I will take that as a "No".
I think its a bother that I can't use 123456 as a password on test installs. I can't even use 1234567, it has to be mixed with letters.

Thanks anyway.

igrimpe · Post by **igrimpe** » Sun Mar 02, 2008 2:34 pm

I think its a bother that I can't use 123456 as a password on test installs

Just tested with 1.5.1 : Using 1234 as password is accepted.

The Joomla! Forum™

SOLVED - Setting to relax the password rules?

SOLVED - Setting to relax the password rules?

Re: Setting to relax the password rules?

Re: Setting to relax the password rules?

Re: Setting to relax the password rules?

Re: Setting to relax the password rules?

Re: Setting to relax the password rules?

Re: SOLVED - Setting to relax the password rules?