Outdated forum password requirements

Posted: Mon Aug 19, 2019 1:42 pm
by Peter Boughton
When registering on the forums just now, the password requirement was:

"Password must be between 6 characters and 30 characters long, must contain letters in mixed case and must contain numbers."

Having an upper limit on length is usually a sign of them being stored incorrectly.

Requiring mixed case and numbers is merely security theatre - obviously "Password1" is completely insecure, yet it meets those requirements, whilst "£$*%&*(%$^^£$@*%^&^" was secure (before I posted it), but does not.

A better solution is a password strength meter like zxcvbn which provides a more meaningful measure of security (with optional feedback on detected weaknesses).
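The two points in the post above, as an added example that is not part of the original thread or of phpBB's code: the quoted composition rule accepts "Password1" and rejects the symbol string, and a salted hash has the same size whatever the password length, so correct storage needs no 30-character cap. The function names, the small weak-password set and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Constructed sample; a real check would use a breached-password list or an
# estimator such as zxcvbn rather than this handful of entries.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}

PBKDF2_ITERATIONS = 200_000  # assumed work factor, chosen for illustration


def meets_forum_rule(password: str) -> bool:
    """The rule quoted in the post: 6-30 chars, mixed-case letters, a digit."""
    return (6 <= len(password) <= 30
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def is_known_weak(password: str) -> bool:
    """True if the password, ignoring case, is in the constructed weak list."""
    return password.lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the digest is 32 bytes for any input length."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    for candidate in ("Password1", "£$*%&*(%$^^£$@*%^&^"):
        print(candidate, "passes rule:", meets_forum_rule(candidate),
              "| known weak:", is_known_weak(candidate))
    for candidate in ("abc123", "x" * 1000):
        _, digest = hash_password(candidate)
        print(len(candidate), "chars ->", len(digest), "byte digest")
```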

Re: Outdated forum password requirements

Posted: Tue Aug 20, 2019 6:15 am
by ooffick

I don't think it would be a big issue, but I have increased the upper limit to 100.

Even if we implemented a password strength meter, phpBB would still enforce an upper and lower limit.

Here is one of the extensions we could use ... _strength/

Kind regards