Feature Request: s2Member Should Allow Strong Password Enforcement

[patdumond]

s2Member should allow enforcement of strong passwords on registration and change of password. Strong password enforcement should be optional and include:

• enforce password minimum length set by administrator
• enforce password complexity
  • both alpha and numeric characters
  • special characters
• enforce non-repetition of old passwords
  • allow administrators to set the number of old passwords to remember

Edited to Add (29 May 2015) Also, s2Member should allow administrators to require users to change their password on first login after the password has been sent via email. At the very least, change the link in the email to the password reset page rather than wp-login. (See: https://websharks.zendesk.com/agent/tickets/6527).

[BugRat]

This is a great suggestion, I am just not sure if it should be part of s2Member. There are already WP Plugins that handle this.

[patdumond]

I've tested a couple of the strong password enforcement plugins and s2Member does not "play well" with them. Users are still able to create weak passwords when they change the password on their profile page.

[KTS915]

"Users are still able to create weak passwords when they change the password on their profile page."

I agree that this is an issue. In fact, it's one of the reasons I don't allow members to access their profiles. Instead, I use the Clean Login plugin to manage password resets.

"At the very least, change the link in the email to the password reset page rather than wp-login."

I think that might be rather confusing for new members. I believe that there is some work afoot in WP core so that passwords are not sent by email. While I am not sure what is planned, not how far along it is, I'd be inclined to wait and see what they come up with before attempting to make changes to s2Member behavior.

[BugRat]

I agree with KTS. This should be addressed in WP core or with a plugin, not in s2Member.

[patdumond]

While I'd love it to be addressed in WP core our users can't wait. And I've tested s2Member with several strong password enforcement plugins and they don't play well together. s2Member basically ignores them. If we can't provide strong password enforcement and other products can...

[KTS915]

Have you tried Clean Login, Pat? As I said in my previous comment, it works well with s2Member, so there's no need to wait.

[patdumond]

Bugrat, I apparently missed that comment. Sorry. I will give Clean Login a
try. :)

On Fri, Jun 26, 2015 at 12:02 PM KTS915 notifications@github.com wrote:

Have you tried Clean Login, Pat? As I said in my previous comment, it
works well with s2Member, so there's no need to wait.

—
Reply to this email directly or view it on GitHub
#573 (comment).

[jaswrks]

We now have strong password enforcement as a feature in s2Member.

Works With...

• s2Member Pro-Forms (Stripe, PayPal, Authorize.Net)
• /wp-login.php?action=register whenever you enable Custom Passwords w/ s2Member.
• s2Member Profile updating forms; e.g., [s2Member-Profile /] and the popup variation.