I noticed on new versions of Joomla that the password creation
rules have gotten more complex. The passwords now need to be:
"No spaces, more than 6 characters and contain 0-9,a-z,A-Z."
I don't want to burden my users with long passwords.
Is there any setting to relax the password rules?
SOLVED - Setting to relax the password rules?
- Kohmaru
- Joomla! Apprentice
- Posts: 32
- Joined: Fri May 12, 2006 3:20 pm
SOLVED - Setting to relax the password rules?
Last edited by Kohmaru on Sun Mar 02, 2008 1:42 pm, edited 1 time in total.
-
- Joomla! Enthusiast
- Posts: 234
- Joined: Wed Feb 20, 2008 8:59 am
Re: Setting to relax the password rules?
This is the "security" category and you ask for "insecurity". So maybe better ask in "general"?
BTW: As far as I can see, this does not mean: MUST CONTAIN AT LEAST, but instead means "CAN ONLY CONTAIN".
Means "PASSWORD" is a valid password.
As far as I can see, the code (in form.php) is:
var r = new RegExp("[\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-]", "i");
(...)
} else if (r.exec(form.password.value)) {
    alert( "<?php printf( JText::_( 'VALID_AZ09', true ), JText::_( 'Password', true ), 4 );?>" );
That one only checks for "illegal" chars. I wonder why they are forbidden? I wonder why they do a check against a list of forbidden chars and not against allowed chars?
- Beat
- Joomla! Guru
- Posts: 840
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
- Contact:
Re: Setting to relax the password rules?
Did somebody notice that in Joomla User Edit the password length requirement is only 4 chars instead of 6 (verified it!)? See the reason in the code above...
Reported corresponding security bug here with backlink to this thread:
http://joomlacode.org/gf/project/joomla ... m_id=10008
Beat 
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

-
- Joomla! Enthusiast
- Posts: 234
- Joined: Wed Feb 20, 2008 8:59 am
Re: Setting to relax the password rules?
"Did somebody notice"
I was wondering if ",4" might be correct, but I'm in no way an expert in regex ...

Since they are only checking against forbidden chars, passwords containing German umlauts (for example) aren't a problem, though it clearly says a-Z and 0-9.
As said, I'm no regex expert, but I'd change it to check for length and with regex simply "eat" all allowed chars. If something remains, it must be forbidden.
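How the quoted denylist regex behaves next to the length-plus-"eat all allowed chars" check suggested in the reply above, as an added example that is not part of the original posts or of Joomla's code. The helper names, the sample passwords and the minimum length of 6 are assumptions made for illustration.

```javascript
// Added example: denylist regex from the thread vs. an allowlist check.

// Regex string copied from the form.php excerpt quoted on this page.
// Inside [...] the "|" is a literal character, so it is forbidden as well.
const forbidden = new RegExp("[\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-]", "i");

// Denylist check as in the excerpt: reject only if a listed char appears.
function denylistAccepts(password) {
  return !forbidden.test(password);
}

// Allowlist check (hypothetical helper): enforce a minimum length, then
// strip every allowed character; anything left over is not allowed.
function allowlistCheck(password, minLength) {
  if (password.length < minLength) {
    return { ok: false, reason: "too short" };
  }
  const leftover = password.replace(/[0-9a-zA-Z]/g, "");
  if (leftover.length > 0) {
    return { ok: false, reason: "disallowed: " + leftover };
  }
  return { ok: true, reason: "" };
}

// Constructed sample passwords, not taken from any real system.
const samples = ["PASSWORD", "1234", "pässwörd", "a|b", "abc 123", "Abc123"];

// Run both checks over the samples so the differences are visible.
function compare(minLength) {
  return samples.map((pw) => ({
    password: pw,
    denylist: denylistAccepts(pw),
    allowlist: allowlistCheck(pw, minLength).ok,
  }));
}

// Browser-side checks can be skipped by the client, so the same rule
// has to be enforced again in the server-side code.
console.table(compare(6));
```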

- Beat
- Joomla! Guru
- Posts: 840
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
- Contact:
Re: Setting to relax the password rules?
Actually the regex is only forbidding those characters in there.
While I can understand this for usernames, I don't see the reason to restrict characters in passwords. I checked the PHP code of 1.5.1 for that, and the PHP code accepts and handles correctly any character.
So that JavaScript regex could be removed from registrations.
As a matter of fact, in user profile updates, it's not in there at all, and the only check is in PHP for checking that password length is 4 characters. In the JS-mootools frontend it's even 2 characters, if I remember.
Weird.
Beat 
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

- Kohmaru
- Joomla! Apprentice
- Posts: 32
- Joined: Fri May 12, 2006 3:20 pm
Re: Setting to relax the password rules?
I do not understand what you guys are talking about, but I will take that as a "No".
I think it's a bother that I can't use 123456 as a password on test installs. I can't even use 1234567; it has to be mixed with letters.
Thanks anyway.
-
- Joomla! Enthusiast
- Posts: 234
- Joined: Wed Feb 20, 2008 8:59 am
Re: SOLVED - Setting to relax the password rules?
"I think it's a bother that I can't use 123456 as a password on test installs"
Just tested with 1.5.1: Using 1234 as password is accepted.