
Password Validation Algorithm "Very Strong" ranking setting the bar too low #1806

Status: Closed
mcfarlandonline opened this issue Feb 9, 2022 · 3 comments · Fixed by #2830
Labels: member-functionality, under review (An EE team member is reviewing this issue)

Comments

mcfarlandonline (Contributor) wrote:

PHP 7.3
EE 6.2.4

I recently tested out using the password validation script from the docs alongside a front-end member registration form. It seems pretty easy to get going, but upon testing, it's clearly not very strict.

For this site, I have the Password Security Policy set to "Strong"...

[Screenshot: Password Security Policy setting]

My passwords are getting validated as it relates to the minimum number of characters, but sequences and consecutive numbers aren't negatively impacting things as much as I expected. It appears that only one capitalized letter or special character is required to earn a "Very Strong" ranking. To further test things, I tried changing my Super Admin password in my profile. This seems a little overly forgiving...

[Three screenshots of the Super Admin password-change form]

Here's where we draw the line...

[Screenshot of the Super Admin password-change form]

I wonder if we should just do away with a "Very Strong" ranking at this point, if the algorithm could be tightened up, or if there's a way to exclude certain words and strings (similar to the Word Censoring feature), while still allowing most dictionary words.

intoeetive (Contributor) wrote:

@mcfarlandonline you're aware of the "Allow dictionary words in passwords?" setting, right?

mcfarlandonline (Contributor, Author) commented Apr 7, 2022:

Hi @intoeetive,
We tried installing that, too, but don't see that it's making any difference. I've tried a bunch of combinations with:

  • Allowing and disallowing dictionary words
  • removing "password" from the dictionary.txt file
  • Using capitals and lowercase versions

It doesn't appear that this setting is having any effect on our end. We also checked the wizard just in case a module on our server might be missing, but that looks good, too...
[Screenshot of the wizard's module check]

intoeetive (Contributor) wrote:

I think I know why you are experiencing this. Using the dictionary file only performs a "full match" check.
It probably does make sense to check for a partial match.
We'll discuss this internally, and maybe we might have some better solution indeed.
Thank you for reporting!
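To make the "full match" versus "partial match" distinction above concrete, and to show how a single capital or special character can carry a password to the top rank (the behaviour reported in the opening comment), here is an added stand-alone Python sketch. It is not ExpressionEngine's own code and does not reproduce EE's algorithm or its dictionary.txt: the scoring weights, the rank thresholds and the small embedded word list are constructed assumptions for this illustration only.

```python
"""Added illustration, not ExpressionEngine's own code.

Shows why a dictionary check that only matches the *whole* password
("full match") lets a password such as "Password1!" reach the top rank,
while a substring ("partial") check penalises it.  The scoring weights,
rank thresholds and the embedded word list are constructed assumptions
for this example only; EE's real algorithm and dictionary.txt differ.
"""
import re
from typing import Tuple

# Constructed stand-in for the dictionary.txt file discussed in the thread.
DICTIONARY = frozenset({"password", "welcome", "dragon", "letmein", "admin", "summer"})

# Constructed rank thresholds, checked from lowest to highest.
RANKS = ((0, "Weak"), (30, "Fair"), (60, "Strong"), (80, "Very Strong"))


def has_dictionary_word(pw: str, partial: bool) -> bool:
    """Full match: the whole (lower-cased) password is a dictionary word.
    Partial match: any dictionary word of 4+ letters appears inside it."""
    lowered = pw.lower()
    if not partial:
        return lowered in DICTIONARY
    return any(word in lowered for word in DICTIONARY if len(word) >= 4)


def longest_sequence(pw: str) -> int:
    """Length of the longest run of ascending consecutive characters,
    e.g. 4 for "1234" or "abcd" (used to penalise keyboard sequences)."""
    best = run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if ord(cur) - ord(prev) == 1 else 1
        best = max(best, run)
    return best


def score(pw: str, partial_dictionary: bool) -> int:
    """Constructed additive score: credits for length and character
    classes, penalties for sequences and dictionary words."""
    s = min(len(pw), 12) * 4            # up to 48 points for length
    if re.search(r"[A-Z]", pw):
        s += 15                         # one capital is enough for the credit
    if re.search(r"[a-z]", pw):
        s += 5
    if re.search(r"\d", pw):
        s += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        s += 15                         # one special character is enough, too
    seq = longest_sequence(pw)
    if seq >= 3:
        s -= 10 * (seq - 2)             # "abcd" or "1234" costs 20
    if has_dictionary_word(pw, partial_dictionary):
        s -= 40                         # only fires on a whole-password match in full mode
    return max(0, s)


def rank(pw: str, partial_dictionary: bool) -> Tuple[int, str]:
    """Return (score, rank label) for a password under the chosen
    dictionary-matching mode."""
    s = score(pw, partial_dictionary)
    label = RANKS[0][1]
    for threshold, name in RANKS:
        if s >= threshold:
            label = name
    return s, label


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "Abcd1234!", "correct-horse-battery"):
        full = rank(candidate, partial_dictionary=False)
        part = rank(candidate, partial_dictionary=True)
        print(f"{candidate:24} full-match: {full}  partial-match: {part}")
```

With full matching, "Password1!" scores 85 ("Very Strong") because the lower-cased string is not literally a dictionary entry; with partial matching the embedded "password" costs 40 points and it drops to "Fair". Note that a substring check needs a minimum word length, otherwise two- and three-letter dictionary entries would penalise almost every passphrase.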

intoeetive added the "under review" label (An EE team member is reviewing this issue) on Apr 8, 2022
intoeetive added a commit that referenced this issue Mar 2, 2023
…ank-dicttionary-words

Account for dictionary words when calculating password rank; #1806