“Strong Password Enforcement” setting causing PW reset/user creation issues

jaxrachel
(@jaxrachel)

7 years, 5 months ago

When I turn on the Strong Password Enforcement setting, and try to create a new user, WordPress tells me the password is “strong” but it won’t let me save, giving me the error “Due to site rules, a strong password is required. Please choose a new password that rates as Strong on the meter. The user has not been created.” When I turn off your plugin’s Strong Password Enforcement setting, the system lets me save my “strong” password user. Your setting says it is “…as rated by the WordPress password meter.” However, there is clearly something different between your version of “strong” and wordpress’s password meter version of “strong” and it is super confusing when the system says my password is strong, but won’t let me save it.

Viewing 9 replies - 1 through 9 (of 9 total)

pronl
(@pronl)

7 years, 4 months ago

There have been 2 fixes and 1 enhancement to the Strong Password Enforcement feature in the latest 5.7.1 release. According to the 5.7.1 Changelog:

Bug Fix: Improved how Strong Password Enforcement works on password resets to improve compatibility with various plugins.
Bug Fix: Improved the logic for determining whether a user should have Strong Password Enforcement applied. This covers situations where the user may have a custom role, a customized default role, or added capabilities beyond their role.
Enhancement: Strong Password Enforcement now uses a PHP port of zxcvbn to ensure that a strong password was selected.

I think it is the enhancement to the Strong Password Enforcement feature that is causing your issue.

As a workaround you could deactivate and then delete the 5.7.1 plugin release. Then reinstall the older 5.7.0 plugin release. Or simply disable the Strong Password Enforcement feature in the 5.7.1 release.

If you are interested in how zxcvbn exactly contributes to stronger passwords read this.

Thread Starter jaxrachel
(@jaxrachel)

7 years, 4 months ago

Thanks pronl for the info. I would still like to see this fixed in a future release.
pronl
(@pronl)

7 years, 4 months ago
@jaxrachel

I think I’ve found where the bug is and how to fix it.
It’s a very simple fix. Does need a change in the code which means the fix
will be undone when updating the plugin.
- This reply was modified 7 years, 4 months ago by pronl.
BenM
(@alysko)

7 years, 2 months ago

Same problem for me. Moreover, iTheme doesn’t respect the min. role for enforcement : I set it to “contributor” and but it’s active for “Subscriber”.
Thanks.
pronl
(@pronl)

7 years, 2 months ago
@alysko

Moreover, iTheme doesn’t respect the min. role for enforcement : I set it to “contributor” and but it’s active for “Subscriber”.

What action are you performing when observing this behavior:

1. Updating profile of an existing (subscriber) user (within WordPress Dashboard).
2. Creating a new (subscriber) user (within WordPress Dashboard).
3. Resetting password for an existing (subscriber) user (following the Lost your password? link on the login page).
- This reply was modified 7 years, 2 months ago by pronl.
BenM
(@alysko)

7 years, 2 months ago

Answer 2

cstielper
(@cstielper)

7 years ago

This is still an issue in 6.2.1

Any word on when this will be fixed?

Kate
(@kate515)

6 years, 10 months ago

Same issue here in 6.2.1
Can’t reset password because it keeps saying it is not strong. Mine happens on scenario 3 – resetting password for existing user. Have not tested the other scenarios.

pronl
(@pronl)

6 years, 10 months ago

@kate515

… and this is happening while using WordPress 4.8 ?

The reason why I ask is because WordPress 4.8 includes an updated zxcvbn library for the strong password meter (1.0 to version 4.4.1).

Viewing 9 replies - 1 through 9 (of 9 total)

The topic ‘“Strong Password Enforcement” setting causing PW reset/user creation issues’ is closed to new replies.