change password policy

This forum is for general questions about extensions for Joomla! 3.x.

Moderators: pe7er, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Post Reply
Thomsterdam
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 149
Joined: Mon Dec 12, 2011 5:55 pm

change password policy

Post by Thomsterdam » Thu Jun 23, 2022 1:39 pm

Hi there,
The organisation that I work for is going to change its password policy. The complexity of the password is going to be this:
at least 10 characters
at least one integer
at least one symbol
at least one letter
The last 5 passwords cannot be reused.

In the core Joomla config it is impossible implement, as these are Joomla's options:
number of integers
number of symbols
number of upper case letters
number of lower case letters

so the option of "minimum of one letter" does not exist. Besides: "The last 5 passwords cannot be reused." cannot be implemented either.

I tried to see if I could make an override, but could not find a component or module to do that.
I also tried to find an extension and tried "FPC - Force Password Complexity for Joomla! 3" (free version) from kubik-rubik.de, but it did not have the option I was looking for.

Is there anyone who can give me a suggestion? An extension? an override? another fix?
(No, changing the policy is not an option, as it is not in my power to change it)

Thanx,

Thom
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.

User avatar
xplosion
Joomla! Guru
Joomla! Guru
Posts: 712
Joined: Thu Aug 18, 2005 9:18 pm
Location: Rome

Re: change password policy

Post by xplosion » Thu Jun 23, 2022 1:51 pm

Instead of "minimum of one letter" you could use one of these two fields: "Minimum Upper Case" and "Minimum Lower Case".

Did you tried Force password reset plugin ?

Thomsterdam
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 149
Joined: Mon Dec 12, 2011 5:55 pm

Re: change password policy

Post by Thomsterdam » Thu Jun 23, 2022 2:16 pm

hi there,
That wouldn't really work as it forces something that is not the policy. It forces 'an upper case letter' and 'a lower case letter' and the policy is 'any letter', so it would violate the policy.

'Force password reset' is a good plugin to force password reset every x days. Besides it remembers a number of passwords that have been used in the past and prevents them from being used again.

Thanx,


Thom
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.

gws
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 4746
Joined: Tue Aug 23, 2005 1:56 pm
Location: South coast, UK
Contact:

Re: change password policy

Post by gws » Thu Jun 23, 2022 4:06 pm

You could override the language file for "number of lower case letters" to read "at least one letter".

Thomsterdam
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 149
Joined: Mon Dec 12, 2011 5:55 pm

Re: change password policy

Post by Thomsterdam » Thu Jun 23, 2022 4:49 pm

Hi there,
A language override is not going to change the underlying policy, is it?

Thom
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.

gws
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 4746
Joined: Tue Aug 23, 2005 1:56 pm
Location: South coast, UK
Contact:

Re: change password policy

Post by gws » Thu Jun 23, 2022 5:23 pm

As far as I can see it will comply with your requirements?
at least 10 characters yes
at least one integer yes
at least one symbol yes
at least one letter yes
and you can set the number of characters.
So what is your problem?

Thomsterdam
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 149
Joined: Mon Dec 12, 2011 5:55 pm

Re: change password policy

Post by Thomsterdam » Thu Jun 23, 2022 5:41 pm

Hi there,
I have just noticed: I posted the message in the Joomla 4 forum, but I am running a Joomla 3 website. So I have reposted the message in the Joomla 3 forum.

Sorry,

Thom
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.

Thomsterdam
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 149
Joined: Mon Dec 12, 2011 5:55 pm

change password policy

Post by Thomsterdam » Thu Jun 23, 2022 7:35 pm

Hi there,
The organisation that I work for is going to change its password policy. The complexity of the password is going to be this:
at least 10 characters
at least one integer
at least one symbol
at least one letter
The last 5 passwords cannot be reused.

In the core Joomla config it is impossible implement, as these are Joomla's options:
number of integers
number of symbols
number of upper case letters
number of lower case letters

so the option of "minimum of one letter" does not exist. Besides: "The last 5 passwords cannot be reused." cannot be implemented either.

I tried to see if I could make an override, but could not find a component or module to do that.
I also tried to find an extension and tried "FPC - Force Password Complexity for Joomla! 3" (free version) from kubik-rubik.de, but it did not have the option I was looking for.

Is there anyone who can give me a suggestion? An extension? an override? another fix?
(No, changing the policy is not an option, as it is not in my power to change it)

Thanx,

Thom
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 29094
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Re: change password policy

Post by Per Yngve Berg » Thu Jun 23, 2022 8:42 pm

Mod. Note: Your two topics about the subjekt have been merged .

Thomsterdam
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 149
Joined: Mon Dec 12, 2011 5:55 pm

Re: change password policy

Post by Thomsterdam » Thu Jun 23, 2022 8:46 pm

Thank you Per Yngve.
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.

Thomsterdam
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 149
Joined: Mon Dec 12, 2011 5:55 pm

Re: change password policy

Post by Thomsterdam » Fri Jun 24, 2022 7:21 am

gws wrote:
Thu Jun 23, 2022 5:23 pm
As far as I can see it will comply with your requirements?
at least 10 characters yes
at least one integer yes
at least one symbol yes
at least one letter yes
and you can set the number of characters.
So what is your problem?
Hi there,
Please, explain.

As a super user, I can set the number of integers, symbols, upper case letters and lower case letters. This is done in the back end at Users > Manage > Options button on the right > tab Password Options.
So as soon as I fill in the numbers there, it will enforce that in the front end for the users who want to log in. I cannot instruct Joomla to look for 'any letter', because Joomla forces me to choose a number of upper case and/or lower case letters.

Making a language override has no effect on the script that Joomla uses to enforce the policy, does it? Perhaps I don't understand you and am I missing your point, but please explain it to me in simple steps.

Cheers.

Thom
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.

gws
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 4746
Joined: Tue Aug 23, 2005 1:56 pm
Location: South coast, UK
Contact:

Re: change password policy

Post by gws » Fri Jun 24, 2022 9:25 am

In the first screenshot I used a password without any characters.
Second one how users are configured
third language overide can display whatever message you want File is EN.GB.com_users,ini line 57 ish.


passmessage.jpg
config.jpg
languagefile.jpg
You do not have the required permissions to view the files attached to this post.

Thomsterdam
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 149
Joined: Mon Dec 12, 2011 5:55 pm

Re: change password policy

Post by Thomsterdam » Fri Jun 24, 2022 2:03 pm

Hi there,
So what you are doing is forcing one lower case letter and no upper case letter (image 2). This means that if they don't use a lower case letter, the system will not approve the password. If they use an upper case letter and no lower case, the system will not accept it.

My organisation's password policy is that they can use any letter, upper case or lower case, i.e. if they use an upper case letter and no lower case, it should be accepted and in your configuration it is not. So I don't see how your idea is going to enforce our policy.

Thom
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.

gws
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 4746
Joined: Tue Aug 23, 2005 1:56 pm
Location: South coast, UK
Contact:

Re: change password policy

Post by gws » Fri Jun 24, 2022 3:25 pm

If they use an upper case letter then its accepted but will tell them they have to use a lower case one as well if they use lower case it will just work, much better to force both IMO. I thought this was a security measure,not an exercise in semantics.It seems to me the policy is flawed.... What it doesn't address is the can not use the same password x 5,that you will find will be extremely difficult / expensive (custom coding) to apply. Good luck.

Thomsterdam
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 149
Joined: Mon Dec 12, 2011 5:55 pm

Re: change password policy

Post by Thomsterdam » Sat Jun 25, 2022 1:10 pm

So basically what you are saying is, that enforcing the password policy as I described is not possible.
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.

gws
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 4746
Joined: Tue Aug 23, 2005 1:56 pm
Location: South coast, UK
Contact:

Re: change password policy

Post by gws » Sat Jun 25, 2022 1:17 pm

Not without some serious custom coding. Just think of what you would require to store the last 5 passwords (must be secure obviously),then compare new to old 5 passwords.

Thomsterdam
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 149
Joined: Mon Dec 12, 2011 5:55 pm

Re: change password policy

Post by Thomsterdam » Sat Jun 25, 2022 1:40 pm

The issue of the 5 last passwords was solved by using the plugin ‘Force password reset’ as I indicated above:
Thomsterdam wrote:
Thu Jun 23, 2022 2:16 pm
'Force password reset' is a good plugin to force password reset every x days. Besides it remembers a number of passwords that have been used in the past and prevents them from being used again.
The issue of the forcing the use of at least one letter (the choice of upper case or lower case being up to the user) has not been solved (yet).

Thom
Give a man a fish and you feed him for a day;
teach a man to fish and you feed him for a lifetime.


Post Reply

Return to “Extensions for Joomla! 3.x”