Password Validation Algorithm "Very Strong" ranking setting the bar too low #1806
PHP 7.3
EE 6.2.4

I recently tested out using the password validation script from the docs alongside a front-end member registration form. It seems pretty easy to get going, but upon testing, it's clearly not very strict.

For this site, I have the Password Security Policy set to "Strong"...

My passwords are getting validated as it relates to the minimum number of characters, but sequences and consecutive numbers aren't negatively impacting things as much as I expected. It appears that only one capitalized letter or special character is required to earn a "Very Strong" ranking. To further test things, I tried changing my Super Admin password in my profile. This seems a little overly forgiving...

Here's where we draw the line...

I wonder if we should just do away with a "Very Strong" ranking at this point, if the algorithm could be tightened up, or if there's a way to exclude certain words and strings (similar to the Word Censoring feature), while still allowing most dictionary words.

Comments

@mcfarlandonline you're aware of the Allow dictionary words in passwords? setting, right?

Hi @intoeetive,

It doesn't appear that this setting is having any effect on our end. We also checked the wizard just in case a module on our server might be missing, but that looks good, too...

I think I know why you are experiencing this. Using the dictionary file is only performing a "full match" check.

…ank-dicttionary-words Account for dictionary words when calculating password rank; #1806
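As an added illustration of the two points raised in this issue (a ranking that sequences and consecutive characters barely dent, and a dictionary check that only compares the whole password), here is a small points-based ranker. It is example code written for this page, not ExpressionEngine's own validator: it penalizes keyboard walks and alphabetic or numeric runs, repeated characters, and dictionary words embedded anywhere in the password (after undoing common substitutions such as `@` for `a`), and its `full_match_only` flag reproduces the whole-password comparison described in the comments so the difference is visible side by side. The word list, the point values, the rank thresholds and the labels are all assumptions.

```python
"""Password ranker with sequence, repeat and substring-dictionary penalties.

Added example; not ExpressionEngine's algorithm. Word list, thresholds and
labels are assumptions chosen for illustration.
"""
import re

# Constructed stand-in for a dictionary file; a real deployment loads its own.
DICTIONARY = {"password", "summer", "welcome", "admin", "dragon", "monkey"}

# Rows used to detect alphabetic/numeric runs and keyboard walks.
SEQUENCE_ROWS = (
    "abcdefghijklmnopqrstuvwxyz",
    "0123456789",
    "qwertyuiop",
    "asdfghjkl",
    "zxcvbnm",
)

# Undo a few common substitutions before the dictionary lookup.
LEET = str.maketrans("4301$@!", "aeolsai")

RANKS = ("Weak", "Good", "Strong", "Very Strong")  # labels are assumptions


def find_sequences(password, length=3):
    """Distinct runs of `length` adjacent row characters present in the
    password, forwards or backwards (e.g. 'abc', 'cba', '123', 'qwe')."""
    lower = password.lower()
    found = set()
    for row in SEQUENCE_ROWS:
        for i in range(len(row) - length + 1):
            seg = row[i:i + length]
            for candidate in (seg, seg[::-1]):
                if candidate in lower:
                    found.add(candidate)
    return sorted(found)


def has_repeat(password, length=3):
    """True when one character appears `length` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (length - 1), password) is not None


def dictionary_hits(password, full_match_only=False):
    """Dictionary words found in the password.

    full_match_only=True compares the whole password against the list, which
    'Password1!' passes untouched; the default also finds words embedded in
    the password, before and after undoing substitutions like '@' -> 'a'.
    """
    lower = password.lower()
    if full_match_only:
        return [lower] if lower in DICTIONARY else []
    normalized = lower.translate(LEET)
    return sorted(w for w in DICTIONARY if w in lower or w in normalized)


def rank(password, full_match_only=False):
    """Return (label, points, findings).

    Points: +1 at 8, 12 and 16 characters; +1 per character class beyond the
    first. Penalties: -1 per sequence (capped at 2), -1 for a repeated
    character, -2 per dictionary word. 0-1 Weak, 2-3 Good, 4-5 Strong,
    6+ Very Strong, so the top rank needs 16+ chars, all four classes and
    no penalties.
    """
    points = sum(len(password) >= n for n in (8, 12, 16))
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    points += max(classes - 1, 0)

    findings = []
    seqs = find_sequences(password)
    if seqs:
        findings.append("sequence: " + ", ".join(seqs))
        points -= min(len(seqs), 2)
    if has_repeat(password):
        findings.append("repeated character")
        points -= 1
    words = dictionary_hits(password, full_match_only)
    if words:
        findings.append("dictionary: " + ", ".join(words))
        points -= 2 * len(words)

    points = max(points, 0)
    return RANKS[min(points // 2, 3)], points, findings


if __name__ == "__main__":
    for pw in ("Password1!", "P@ssw0rd2024", "abcdefghijK", "Tr0ub4dor&3Plover!"):
        print(pw, rank(pw), "| full-match only:", rank(pw, full_match_only=True)[0])
```

Running the block shows `Password1!` and `P@ssw0rd2024` dropping from Strong to Good once embedded and de-leeted words count, and `abcdefghijK` (eleven letters, one capital) falling to Weak because of the run, which is the behaviour the issue asks for.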