change password policy

Thomsterdam · Post by **Thomsterdam** » Thu Jun 23, 2022 1:39 pm

Hi there,
The organisation that I work for is going to change its password policy. The complexity of the password is going to be this:
at least 10 characters
at least one integer
at least one symbol
at least one letter
The last 5 passwords cannot be reused.

In the core Joomla config it is impossible implement, as these are Joomla's options:
number of integers
number of symbols
number of upper case letters
number of lower case letters

so the option of "minimum of one letter" does not exist. Besides: "The last 5 passwords cannot be reused." cannot be implemented either.

I tried to see if I could make an override, but could not find a component or module to do that.
I also tried to find an extension and tried "FPC - Force Password Complexity for Joomla! 3" (free version) from kubik-rubik.de, but it did not have the option I was looking for.

Is there anyone who can give me a suggestion? An extension? an override? another fix?
(No, changing the policy is not an option, as it is not in my power to change it)

Thanx,

Thom

xplosion · Post by **xplosion** » Thu Jun 23, 2022 1:51 pm

Instead of "minimum of one letter" you could use one of these two fields: "Minimum Upper Case" and "Minimum Lower Case".

Did you tried Force password reset plugin ?

Thomsterdam · Post by **Thomsterdam** » Thu Jun 23, 2022 2:16 pm

hi there,
That wouldn't really work as it forces something that is not the policy. It forces 'an upper case letter' and 'a lower case letter' and the policy is 'any letter', so it would violate the policy.

'Force password reset' is a good plugin to force password reset every x days. Besides it remembers a number of passwords that have been used in the past and prevents them from being used again.

Thanx,

Thom

gws · Post by **gws** » Thu Jun 23, 2022 4:06 pm

You could override the language file for "number of lower case letters" to read "at least one letter".

Thomsterdam · Post by **Thomsterdam** » Thu Jun 23, 2022 4:49 pm

Hi there,
A language override is not going to change the underlying policy, is it?

Thom

gws · Post by **gws** » Thu Jun 23, 2022 5:23 pm

As far as I can see it will comply with your requirements?
at least 10 characters yes
at least one integer yes
at least one symbol yes
at least one letter yes
and you can set the number of characters.
So what is your problem?

Thomsterdam · Post by **Thomsterdam** » Thu Jun 23, 2022 5:41 pm

Hi there,
I have just noticed: I posted the message in the Joomla 4 forum, but I am running a Joomla 3 website. So I have reposted the message in the Joomla 3 forum.

Sorry,

Thom

Thomsterdam · Post by **Thomsterdam** » Thu Jun 23, 2022 7:35 pm

Hi there,
The organisation that I work for is going to change its password policy. The complexity of the password is going to be this:
at least 10 characters
at least one integer
at least one symbol
at least one letter
The last 5 passwords cannot be reused.

In the core Joomla config it is impossible implement, as these are Joomla's options:
number of integers
number of symbols
number of upper case letters
number of lower case letters

so the option of "minimum of one letter" does not exist. Besides: "The last 5 passwords cannot be reused." cannot be implemented either.

I tried to see if I could make an override, but could not find a component or module to do that.
I also tried to find an extension and tried "FPC - Force Password Complexity for Joomla! 3" (free version) from kubik-rubik.de, but it did not have the option I was looking for.

Is there anyone who can give me a suggestion? An extension? an override? another fix?
(No, changing the policy is not an option, as it is not in my power to change it)

Thanx,

Thom

Post by **Per Yngve Berg** » Thu Jun 23, 2022 8:42 pm

Mod. Note: Your two topics about the subjekt have been merged .

Thomsterdam · Post by **Thomsterdam** » Thu Jun 23, 2022 8:46 pm

Thank you Per Yngve.

Thomsterdam · Post by **Thomsterdam** » Fri Jun 24, 2022 7:21 am

gws wrote: ↑
Thu Jun 23, 2022 5:23 pm
As far as I can see it will comply with your requirements?
at least 10 characters yes
at least one integer yes
at least one symbol yes
at least one letter yes
and you can set the number of characters.
So what is your problem?

Hi there,
Please, explain.

As a super user, I can set the number of integers, symbols, upper case letters and lower case letters. This is done in the back end at Users > Manage > Options button on the right > tab Password Options.
So as soon as I fill in the numbers there, it will enforce that in the front end for the users who want to log in. I cannot instruct Joomla to look for 'any letter', because Joomla forces me to choose a number of upper case and/or lower case letters.

Making a language override has no effect on the script that Joomla uses to enforce the policy, does it? Perhaps I don't understand you and am I missing your point, but please explain it to me in simple steps.

Cheers.

Thom

gws · Post by **gws** » Fri Jun 24, 2022 9:25 am

In the first screenshot I used a password without any characters.
Second one how users are configured
third language overide can display whatever message you want File is EN.GB.com_users,ini line 57 ish.

passmessage.jpg

config.jpg

languagefile.jpg

Thomsterdam · Post by **Thomsterdam** » Fri Jun 24, 2022 2:03 pm

Hi there,
So what you are doing is forcing one lower case letter and no upper case letter (image 2). This means that if they don't use a lower case letter, the system will not approve the password. If they use an upper case letter and no lower case, the system will not accept it.

My organisation's password policy is that they can use any letter, upper case or lower case, i.e. if they use an upper case letter and no lower case, it should be accepted and in your configuration it is not. So I don't see how your idea is going to enforce our policy.

Thom

gws · Post by **gws** » Fri Jun 24, 2022 3:25 pm

If they use an upper case letter then its accepted but will tell them they have to use a lower case one as well if they use lower case it will just work, much better to force both IMO. I thought this was a security measure,not an exercise in semantics.It seems to me the policy is flawed.... What it doesn't address is the can not use the same password x 5,that you will find will be extremely difficult / expensive (custom coding) to apply. Good luck.

Thomsterdam · Post by **Thomsterdam** » Sat Jun 25, 2022 1:10 pm

So basically what you are saying is, that enforcing the password policy as I described is not possible.

gws · Post by **gws** » Sat Jun 25, 2022 1:17 pm

Not without some serious custom coding. Just think of what you would require to store the last 5 passwords (must be secure obviously),then compare new to old 5 passwords.

Thomsterdam · Post by **Thomsterdam** » Sat Jun 25, 2022 1:40 pm

The issue of the 5 last passwords was solved by using the plugin ‘Force password reset’ as I indicated above:

Thomsterdam wrote: ↑
Thu Jun 23, 2022 2:16 pm
'Force password reset' is a good plugin to force password reset every x days. Besides it remembers a number of passwords that have been used in the past and prevents them from being used again.

The issue of the forcing the use of at least one letter (the choice of upper case or lower case being up to the user) has not been solved (yet).

Thom

The Joomla! Forum™