Require stronger password for Give Registration #1305

Closed
Benunc opened this Issue Dec 6, 2016 · 10 comments

Member

Benunc commented Dec 6, 2016

Issue Overview

If a donor creates an account, they can currently use the password "123" or "ABC" and it will be accepted. Even though the only data put at risk there is their own donation information, it is a best security practice to enforce strong passwords. Third party security plugins provide a way to enforce stronger passwords, and even core itself does not allow users to create accounts in some cases without more secure passwords.

Core itself has a method to warn of weak passwords in wp-includes/script-loader.php line 403. (and I couldn't find one, but I know it prevents admins from creating weak passwords in the setup/install process.)

Expected Behavior

Users should be warned (at least) or prevented (at best) when using a weak password.

Current Behavior

Currently, any password is accepted.

Possible Solution

see how Core handles it, and consider adding in the password-strength-meter found in Core.

Todos

  • Tests
  • Documentation

Member

DevinWalker commented Dec 7, 2016

Good call, I agree we'll want to support strong passwords.

@DevinWalker DevinWalker added this to the 2.0 milestone Dec 7, 2016

Collaborator

ravinderk commented Dec 10, 2016

@DevinWalker @mathetos Can we add a strength meter to our password field?

screen shot 2016-12-10 at 4 48 54 pm

Member

DevinWalker commented Dec 10, 2016

@ravinderk we should use the WordPress PW strength meter.

Collaborator

ravinderk commented Dec 12, 2016

@DevinWalker I was also in favor of using WordPress core password related functionality. Check the screenshot: is it the strong password?

screen shot 2016-12-12 at 8 22 40 am

Member

mathetos commented Dec 12, 2016

@ravinderk What library are you using above? Also, we should just use the WP Core one just for best practices. And it would be an AWESOME way for you to contribute to WordPress Core if you can suggest how it can be strengthened.

@DevinWalker DevinWalker modified the milestones: 1.8.10, 2.0, 1.8.9 May 26, 2017

Collaborator

ravinderk commented May 29, 2017

@DevinWalker Do you want to resolve this in 1.8.9? Because in 2.0 we are working on the field API, which will be used for generating every form in the plugin, including Donation forms.
For ref: #1038

Member

mathetos commented May 30, 2017

I have a couple customers/users who are reporting spam user accounts regularly. So it would be great if we could do this soon and perhaps even implement integration with Akismet as well #673

Collaborator

ravinderk commented May 30, 2017

@mehul0810 Please continue on that. Let me know if you have any further questions.

Contributor

mehul0810 commented May 31, 2017

@DevinWalker @mathetos @ravinderk Here is how the password strength meter will look in the donation form having registration. Also, I think we should keep the Donate button enabled even if the password entered is weak, because it is a matter of choice for the user, so forcing the user to enter a strong password should not be compulsory. For such a case, we can have a checkbox to fill in, similar to the default WordPress password strength meter. Please let me know your views on the same.
[screenshot: password_strength_meter]

Member

mathetos commented Jun 1, 2017

I actually think we should just use WordPress' default Strong Password auto-generator, and implement this as part of this issue:
#1517

At the end of the day, the donor shouldn't have to think about a password at all. If they CHOOSE to change the password, then these colored indicators can come into place.
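The form-side logic the two comments above are discussing (core's strength meter driving a "confirm use of weak password" checkbox, with the Donate button gated on it), as an added example that is not Give's own code. It assumes WordPress core's `password-strength-meter` script is loaded and exposes `wp.passwordStrength.meter(password1, disallowedList, password2)`, which returns a zxcvbn score of 0 to 4, 5 when the two fields disagree and -1 if zxcvbn is not loaded; the meter is injected so the decision logic also runs offline against a constructed stand-in, and the element ids in `bindMeter` are assumptions.

```javascript
// Added example, not Give's or WordPress core's code. The meter is passed in so the
// decision logic can run without zxcvbn; in the browser pass wp.passwordStrength.meter.

// Score -> label, following the pwsL10n strings core localizes its meter with.
const LABELS = { '-1': 'unknown', 0: 'short', 1: 'short', 2: 'bad', 3: 'good', 4: 'strong', 5: 'mismatch' };

// Core's profile screen treats scores below 3 as weak and asks for an explicit
// confirmation checkbox before submit; otherwise the Donate button stays enabled.
function evaluateRegistrationPassword(meter, pass1, pass2, confirmWeak, disallowed) {
  if (!pass1) {
    return { score: null, label: 'empty', weak: true, needsConfirm: false, canSubmit: false };
  }
  const score = meter(pass1, disallowed || [], pass2);
  const label = LABELS[score] ?? 'unknown';
  const mismatch = score === 5;
  const weak = score >= 0 && score < 3;
  const canSubmit = !mismatch && score !== -1 && (!weak || confirmWeak === true);
  return { score, label, weak, needsConfirm: weak, canSubmit };
}

// Constructed stand-in for offline runs: a coarse length/character-class heuristic
// with the same return contract as wp.passwordStrength.meter (not zxcvbn's scoring).
function constructedMeter(pass1, disallowed, pass2) {
  if (pass2 && pass1 !== pass2) return 5;
  const lower = pass1.toLowerCase();
  if (disallowed.some(d => d && lower.includes(String(d).toLowerCase()))) return 0;
  if (pass1.length < 6) return 0;
  if (pass1.length < 8) return 1;
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter(r => r.test(pass1)).length;
  return Math.min(4, classes + (pass1.length >= 12 ? 1 : 0));
}

// Browser wiring (assumed ids, not Give's markup): re-evaluate on every keystroke and
// on the checkbox, show the confirmation row only when the password is weak.
function bindMeter(form, meter) {
  const pw1 = form.querySelector('#give-user-pass');
  const pw2 = form.querySelector('#give-user-pass-confirm');
  const weakBox = form.querySelector('#give-pw-weak');
  const submit = form.querySelector('#give-purchase-button');
  const hint = form.querySelector('#give-pass-strength');
  const update = () => {
    const state = evaluateRegistrationPassword(meter, pw1.value, pw2.value, weakBox.checked, []);
    hint.textContent = state.label;
    weakBox.parentElement.hidden = !state.needsConfirm;
    submit.disabled = !state.canSubmit;
  };
  [pw1, pw2, weakBox].forEach(el => el.addEventListener('input', update));
  update();
}
```

Anything enforced only here is advisory; the server still accepts whatever is posted, so the weak-password confirmation flag should be checked on submit as well.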

@mehul0810 mehul0810 referenced this issue Jun 2, 2017

Merged

Issue/1305 #1754

3 of 3 tasks complete

@DevinWalker DevinWalker closed this Jun 2, 2017
