Login Security Solution
[resolved] Password length not being enforced (19 posts)

  1. JamesICT
    Member
    Posted 1 year ago #

    Hi,

    This plugin looks like it is just what I need, except that when I set the password length, it is not enforcing when new users register.

    Is there something I can change to make this happen?

    http://wordpress.org/extend/plugins/login-security-solution/

  2. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Hi James:

    You're talking about the randomly generated 12 character password that gets emailed to new users? That's created by WP core. It'd be pretty hard for attackers to crack that.

    How long do you have your minimum password length set to?

    --Dan

  3. JamesICT
    Member
    Posted 1 year ago #

    Hi Dan,

    I am talking about this, which sits under Password Policies - Length

    'How long must passwords be? Must be >= 10. Default: 10.'

    I have set it to 15 but only a 7 character password is sent to new users?

  4. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    James:

    You have something overriding WordPress' default behaviors. In WP 3.4.1, the new user generation process in wp-login.php asks wp_generate_password() for a 12 character password.

    wp_generate_password() calls the random_password filter. I'd guess you either have an outdated wp-login.php or you have a plugin with a random_password filter in it.

    --Dan

  5. JamesICT
    Member
    Posted 1 year ago #

    Hi Dan,

    Thanks for taking the time to let me know.

    I do not think it is my wp-login file, so it must be a plugin. I just had a quick look through though and none of them seem like they would be related to this issue.

    What do I need to look for exactly in the plugin files themselves?

    Thanks for your help - it is much appreciated.

  6. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    James:

    If you're on a Unix/Linux/BSD type box, do this:
    grep -rE 'wp_generate_password|random_password' .

    If you're on a Windows box, use your preferred file content searching tool.

    --Dan

  7. JamesICT
    Member
    Posted 1 year ago #

    Hi Dan,

    I have done extensive searches across all of my plugins and the example you gave above cannot be found.

    One of my plugins does find the following, but that is all.

    if(!$password){
    			$password = wp_generate_password( 12, true );

    Could there be any other reason for this?

    As it is, the following shows what new users receive via email.

    Username: jkl
    Password: b72fb2e

  8. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    James:

    Which plugin is that? And what's in your wp-login.php?

    Are you manually looking at each file to do this search? You really need to do an automated search to make sure EVERYTHING is checked.

    --Dan

  9. JamesICT
    Member
    Posted 1 year ago #

    Hi Dan,

    The plugin is called Your Members and controls access to pages and posts etc.

    The wp-login.php file is the one that came with WP 3.4.1

    I did a search through all files [all my plugins and my theme] so yes, EVERYTHING was checked.

    I cannot think what may be causing it.

  10. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    James:

    I'm trying to help you. You're not answering my questions. So let me be very specific. Please do the following.

    * Log into the web server using SSH.
    * cd into the directory containing your WordPress installation.
    * Call the following command:
    grep -rE 'wp_generate_password|random_password' .
    * Paste the output here.

    --Dan

  11. JamesICT
    Member
    Posted 1 year ago #

    Hi Dan,

    Thank you for persisting with me - I am very thankful for your efforts and believe me, I am trying to get this sorted.

    Anyway, it took me some time to work with my host to get Shell enabled and up and running.

    Unfortunately though, I do not have any results to give you.

    This is a copy of my attempts:

    login as: *****
    Authenticating with public key "***"
    Passphrase for key "***":
    Last login: Tue Aug 28 21:45:51 2012 from cpc16-***-2-0-***.3-3.****.******.com
    *****@my-domain [~]# cd /home/***/public_html
    *****@my-domain [~/public_html]# grep -rE 'wp_generate_password|random_password'

    I let it sit like this until the network connection kicked out - which was quite some time, but as you can see, no results appeared.

    Is there anything else I can try?

  12. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Hi James:

    Thanks for the big effort. Having shell access will provide you long term benefits. The grep call hung because you left the period off the end of the command.

    FYI, that part of the grep command tells grep where to search. "." means look in the present directory. If no location is indicated, grep examines standard input, which you didn't provide either, so grep just waited.

    --Dan
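
The search requested in this thread, wrapped as an added example (not code from the thread or from the plugin): the directory argument is mandatory, so grep can never sit waiting on standard input, and each hit is classified. The sample tree and the example-a / example-b plugin names are constructed.

```shell
#!/bin/sh
# Added example: classify every reference to WordPress password generation.

# scan_password_hooks DIR [MIN_LEN] -> lines of "KIND<TAB>file:line:source"
#   FILTER  a callback registered on the random_password filter
#   SHORT   wp_generate_password() called with a literal length below MIN_LEN
#   OTHER   any other reference (definitions, longer or variable lengths)
scan_password_hooks() {
    # Without a path, grep reads standard input and appears to hang,
    # so refuse to run unless a directory is given.
    dir=${1:?usage: scan_password_hooks DIR [MIN_LEN]}
    min=${2:-12}
    grep -rnE 'wp_generate_password|random_password' "$dir" </dev/null |
    awk -v min="$min" '
        /add_filter\([ \t]*.random_password/ { print "FILTER\t" $0; next }
        match($0, /wp_generate_password\([ \t]*[0-9]+/) {
            len = substr($0, RSTART, RLENGTH)
            sub(/^[^0-9]*/, "", len)          # keep only the literal length
            kind = (len + 0 < min) ? "SHORT" : "OTHER"
            print kind "\t" $0
            next
        }
        { print "OTHER\t" $0 }'
}

# Constructed sample tree (hypothetical plugins, not taken from the thread).
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/wp-content/plugins/example-a" \
             "$root/wp-content/plugins/example-b"
    cat > "$root/wp-login.php" <<'EOF'
<?php $user_pass = wp_generate_password( 12, false );
EOF
    cat > "$root/wp-content/plugins/example-a/a.php" <<'EOF'
<?php add_filter( 'random_password', 'example_a_shorten' );
function example_a_shorten( $p ) { return substr( $p, 0, 7 ); }
EOF
    cat > "$root/wp-content/plugins/example-b/b.php" <<'EOF'
<?php $password = wp_generate_password( 7, true );
EOF
    printf '%s\n' "$root"
}
```

A search like this only sees code that goes through wp_generate_password() or the random_password filter; a plugin that builds and emails a password some other way produces no hit.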

  13. JamesICT
    Member
    Posted 1 year ago #

    Hi Dan,

    I have the output now, but would rather I emailed it to you.

    How can I get in touch with you please?

  14. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

  15. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Hi James:

    Thanks for the grep output. Nothing in particular pops out at me. What happens if you disable the Your Members plugin and then register a new user?

    --Dan

  16. Dean Taylor
    Member
    Posted 1 year ago #

    Hi James & Daniel:

    Just a sanity check here:

    Does the 7 character password as received in the email actually work?

    If it doesn't, perhaps the email output is being manipulated via a filter.
    Or perhaps it is being changed and then the user record is being updated.

    In terms of a recommendation:
    1. Daniel is right: disable all the plugins and see if this changes the mail output of the password for a newly created user.
    2. WordPress Core code comparison: Download a fresh copy of WordPress and complete a file comparison, perhaps a part of the core was not updated correctly or has been modified. If you are a Windows user consider using http://winmerge.org/ or even better Beyond Compare (30 day demo available).

    Cheers,
    Dean.
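
The core file comparison recommended in the post above, as an added shell example for those with shell access (not code from the thread): it reports core files that differ from, are missing from, or are extra to a fresh download. The two sample trees and their file contents are constructed.

```shell
#!/bin/sh
# Added example: compare an installed WordPress core against a fresh copy.

# compare_core INSTALLED FRESH -> lines of "STATUS<TAB>relative/path"
#   MODIFIED  present in both trees but the contents differ
#   MISSING   ships with core but is absent from the installation
#   EXTRA     present in the installation only (wp-config.php is expected)
# wp-content/ (plugins, themes, uploads) is skipped in both trees.
compare_core() {
    installed=${1:?usage: compare_core INSTALLED FRESH}
    fresh=${2:?usage: compare_core INSTALLED FRESH}
    ( cd "$fresh" && find . -type f ! -path './wp-content/*' ) | sort |
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$installed/$rel" ]; then
            printf 'MISSING\t%s\n' "$rel"
        elif ! cmp -s "$fresh/$rel" "$installed/$rel"; then
            printf 'MODIFIED\t%s\n' "$rel"
        fi
    done
    ( cd "$installed" && find . -type f ! -path './wp-content/*' ) | sort |
    while IFS= read -r rel; do
        rel=${rel#./}
        [ -f "$fresh/$rel" ] || printf 'EXTRA\t%s\n' "$rel"
    done
}

# Constructed sample: two tiny trees standing in for a fresh download
# and a live site.
make_core_pair() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/fresh/wp-includes" "$root/fresh/wp-content/plugins" \
             "$root/installed/wp-includes" "$root/installed/wp-content/plugins"
    echo '<?php // login v1'         > "$root/fresh/wp-login.php"
    echo '<?php // login v1'         > "$root/installed/wp-login.php"
    echo '<?php // pluggable v1'     > "$root/fresh/wp-includes/pluggable.php"
    echo '<?php // pluggable edited' > "$root/installed/wp-includes/pluggable.php"
    echo '<?php // user v1'          > "$root/fresh/wp-includes/user.php"
    echo '<?php // plugin'           > "$root/installed/wp-content/plugins/x.php"
    echo '<?php // config'           > "$root/installed/wp-config.php"
    printf '%s\n' "$root"
}
```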

  17. JamesICT
    Member
    Posted 1 year ago #

    Hi Dean,

    Thank you for the suggestions - I will work my way through them.

    Yes, the emailed password does work.

    One other element I have just discovered [whether it is relevant or not I do not know], but new users are set to the role of Author, but I just noticed that they are being activated as Subscriber.

  18. JamesICT
    Member
    Posted 1 year ago #

    Hi Dan and Dean,

    Just for your interest, I discovered it was the Your Members plugin causing the problem.

    However, they quickly sorted it out for me and I am now able to assign a 12 character password. They have told me that an update for this issue will be in the making.

    A long and frustrating issue but thanks to great people like yourselves and the Your Members team, it is now all resolved.

    Thank you very much for your hard work!

  19. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Hi Jim:

    Thanks for the update. Glad it wasn't a problem I caused. :)

    --Dan

Topic Closed

This topic has been closed to new replies.