WordPress.org

Login Security Solution
[resolved] Password Strength settings (19 posts)

  1. andi-bambeck
    Member
    Posted 1 year ago #

    We have a client that requires the password complexity to not be so strong. This has probably been suggested before, but could there be the option for each rule with a series of tick boxes?

    • Minimum length (customizable)
    • Doesn't match blog info
    • Doesn't match user data
    • Must either have numbers, punctuation, upper and lower case characters or be very long. Note: alphabets with only one case (e.g. Arabic, Hebrew, etc.) are automatically exempted from the upper/lower case requirement.
    • Non-sequential codepoints
    • Non-sequential keystrokes (custom sequence files can be added)
    • Not in the password dictionary files you've provided (if any)
    • Decodes "leet" speak
    • The password/phrase is not found by the dict dictionary program (if available)

    I would expect this would be a welcomed feature and would also mean we wouldn't need to look for an alternative solution.

    http://wordpress.org/extend/plugins/login-security-solution/
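The rule list in the first post, with each rule behind its own switch and an adjustable minimum length as requested there, written as an added example that is not the plugin's code. The rule names, the run length of 4, the 20-character complexity exemption, the word list and the keyboard rows are all assumptions made for illustration.

```python
# Added example: names, thresholds and word lists are assumptions, not the plugin's code.
DICTIONARY = {"password", "letmein", "dragon", "welcome"}   # constructed sample list
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYPOS = {ch: 100 * r + i for r, row in enumerate(KEY_ROWS) for i, ch in enumerate(row)}
LEET = str.maketrans("013457@$!", "oleastasi")

DEFAULT_POLICY = {"min_length": 10, "long_exempt": 20, "user_data": True,
                  "complexity": True, "codepoints": True, "keystrokes": True,
                  "dictionary": True, "leet": True}

def has_run(values, run=4):
    """True if `run` consecutive values rise or fall by exactly 1."""
    for step in (1, -1):
        streak = 1
        for a, b in zip(values, values[1:]):
            streak = streak + 1 if b - a == step else 1
            if streak >= run:
                return True
    return False

def is_complex(pw):
    """Digit + punctuation + mixed case; caseless scripts skip the case rule."""
    letters = [c for c in pw if c.isalpha()]
    caseless = bool(letters) and all(c.lower() == c.upper() for c in letters)
    mixed = any(c.islower() for c in pw) and any(c.isupper() for c in pw)
    return (any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)
            and (caseless or mixed))

def check_password(pw, user_data=(), policy=None):
    """Return the names of the enabled rules that `pw` fails ([] = accepted)."""
    p = {**DEFAULT_POLICY, **(policy or {})}
    low, failed = pw.lower(), []
    if len(pw) < p["min_length"]:
        failed.append("min_length")
    if p["user_data"] and any(len(d) > 2 and d.lower() in low for d in user_data):
        failed.append("user_data")
    if p["complexity"] and len(pw) < p["long_exempt"] and not is_complex(pw):
        failed.append("complexity")
    if p["codepoints"] and has_run([ord(c) for c in pw]):
        failed.append("codepoints")
    # Characters not on the sample keyboard get spaced-out values that never form a run.
    keys = [KEYPOS.get(c, 10**6 + 5 * i) for i, c in enumerate(low)]
    if p["keystrokes"] and has_run(keys):
        failed.append("keystrokes")
    forms = {low, low.translate(LEET)} if p["leet"] else {low}
    if p["dictionary"] and any(w in f for w in DICTIONARY for f in forms):
        failed.append("dictionary")
    return failed
```

Returning the failed rule names rather than a single pass/fail lets an administrator see exactly which switch a relaxed policy turned off, for example that `P@ssw0rd!2024` is rejected only by the leet-decoded dictionary check.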

  2. spectrus
    Member
    Posted 1 year ago #

    Agreed, ease of use needs to come before security at times. Good suggestion.

    By the way, the plugin code is on github, so one could always fork it and make the necessary adjustments.

  3. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    I'll think about it (some more).

  4. GermanKiwi
    Member
    Posted 1 year ago #

    Hi, I'd like to add my vote to one aspect of this request: the ability to set the "Length" of the password (in the Password Policies section) to something less than 10, which is the current minimum length which this plugin allows.

    For me personally, a minimum length of 8 characters is sufficient on my site - 10 characters is too long.

    In any case, I think this should be something for the administrator (i.e. me) to determine, and not have it forced on me by this (excellent, very useful) plugin. :)

  5. hccdev
    Member
    Posted 1 year ago #

    I would also like to see more password strength options. While the complexity is nice, some clients don't want that much strength.

  6. rypo73
    Member
    Posted 1 year ago #

    I have been in a tussle with 150 members on our site who find the password security features too onerous given what information we're 'protecting', so I too would value a greater degree of flexibility.

  7. d4ny
    Member
    Posted 1 year ago #

    Yes, I'd like that too! There are some clients out there where a password length <10 would be sufficient...

    Also just letters/numbers... most of my clients do not like "." in their pass phrases :)

    THANKS FOR THIS GREAT PLUGIN!

  8. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    "the password security features [are] too onerous given what information we're 'protecting'"

    The _vast_ majority of malware (etc) is spread via legitimate websites that have been compromised. Enforcing password strength is not about protecting your site's data, it's about protecting everyone on the Internet.

  9. GermanKiwi
    Member
    Posted 1 year ago #

    That's very true. But a minimum length of 10 characters is still overkill for most users, and for protecting against compromise. Eight characters is generally sufficient for most, and this is what WordPress itself uses for its "medium" password security level.

    In any case, I think it's best when the administrators themselves can determine this based on their own security policies. The best solution would be for the plugin to default to 10 characters, and stay at 10 unless the admin chooses to override it. You could also add a warning, big flashing red letters etc to make sure the admin is aware of the consequences. :)

  10. GermanKiwi
    Member
    Posted 1 year ago #

    ...An effectively strong password, which is resistant against hacking, could only need 8 characters as long as it is made up of a good mix of upper case, lower case and numbers/symbols.

  11. GermanKiwi
    Member
    Posted 1 year ago #

    ...And leading websites like Google, Facebook, Microsoft, etc etc, allow for 8-character passwords too.

  12. samuel.hautcoeur
    Member
    Posted 12 months ago #

    One more vote for that. I'm working on a project with very precise security requirements. There's a team of experts deciding exactly how things should work - and I'd love to be able to use your plugin while still complying with their recommendations.

    A couple of checkboxes would help a lot...

    (Thanks!)

  13. d4ny
    Member
    Posted 11 months ago #

    This issue is not resolved, is it? Mr Daniel Convissor, I understand your concern and I would like to keep the internet as malware free as possible too... but there are people using the internet who might be a little older and cannot manage your password strength settings...

    I tweaked your plugin to my own liking but I would really like to use it out of the box...

    please consider again ...

  14. khalidsattar
    Member
    Posted 11 months ago #

    I would also like to see this option. I agree about the need for strong passwords, but for someone not using a password manager, it's difficult when we try to force them into 10-digit passwords with different character combinations.

    I know for our site we have had to reconsider the plugin after numerous complaints from users. If we could have more control, we could still benefit from the plugin while keeping our paying customers happy.

  15. duff_man
    Member
    Posted 11 months ago #

    Thanks for the great plugin. I think it would be better to allow a minimum of 8 character passwords but default to 10. For sites with members it can be a battle to enforce 10 characters. We are actually seeing a dropoff in member signups when we have this plugin installed.

  16. Central Geek
    Member
    Posted 10 months ago #

    I would agree, 10 characters is an excessive "requirement". I have checked around and 8 characters, with the requirements this plugin imposes - and given the requirement also that the password cannot contain words that pertain to the user or the website, results in a well above average security measure.

    Please adjust the minimum requirement to 8 characters with the same conditions you require.

    Inclusion of a strength meter would be a great addition.

    Thanks for the plugin and the hard work you have put into this project. It's not that the work isn't appreciated, it is simply that the standards recognized on the internet as being secure are less than what you are requiring. And potential users / members are usually pretty much as concerned about the security of their account as we are. If they say 10 is too much and it lines up with what most everyone else says, why is it such a problem to make the adjustment?

  17. Morisu
    Member
    Posted 6 months ago #

    Hello, first I would like to start by saying that I feel your plugin is one of the best. That said, I also feel there are times in which the current minimum requirements by your plugin are a little too excessive for what my clients and their users are willing to provide. Yes, security of log-ins on a website over the internet is of utmost importance to prevent misuse, malware, viruses and the like from occurring, but as a good friend used to say: "If you want the very best security for a website, take the physical server, put it in a 10-foot thick concrete box with no door, window, or connections; otherwise, sacrifices must be made." My client uses bbpress with their site and almost all the users and moderators (as well as the clients) have expressed the conditions for the password are too much. Their target audience are teens and young adults (gaming site) and many keep having to reset their password at least twice a week due to the extremes your plugin requires. I choose your plugin for the best control over the password requirements and the best preventative measures against attack. However, if I cannot get some lax requirements soon, I'll have to look elsewhere. Once again, great plugin, but please reconsider my and others' requests for more control on the requirements.

  18. codynew
    Member
    Posted 6 months ago #

    Hi

    I just wanted to add my vote to the password flexibility.

    I think giving people the option and recommendation are important (for those with less experience). However in some cases where (including myself) we build sites for clients, a little more flexibility would be good.

    Personally I find the Complexity Exemption and Lengths a bit too confusing. Particularly with all the special characters and also upper/lower case mix.

  19. GermanKiwi
    Member
    Posted 5 months ago #

    FYI, I've made a new proposal for this plugin's password strength requirements here. :)

Topic Closed

This topic has been closed to new replies.
