BuddyPress.org

Opened 3 years ago

Closed 3 years ago

#8589 closed enhancement (fixed)

Enforce strong passwords within user profile settings

Reported by: niftythree Owned by: imath
Milestone: 10.0.0 Priority: normal
Severity: normal Version:
Component: Templates Keywords: has-patch 2nd-opinion needs-refresh
Cc:

Description

Hello,

We've noticed that a user can go into their profile settings and change their password to something very weak (e.g. a single character). Other BuddyPress users have noticed this, too: ​https://buddypress.org/support/topic/require-strong-password-in-profile-edit/

Is this something that could be enhanced in a future update, so that users can only create strong passwords in all areas? 😊

Thanks.

Attachments (1)

8589.patch (13.7 KB) - added by imath 3 years ago.

Change History (11)

#1 @niftythree
3 years ago

We should have clarified that this is in addition to users being able to register an account with a weak password, and that we're using the Legacy template.

Last edited 3 years ago by niftythree

#2 @imath
3 years ago

  • Component changed from Core to Templates
  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 10.0.0
  • Owner set to imath
  • Status changed from new to assigned

Hi @niftythree

Thanks a lot for bringing this to my attention. It’s possible and it’s easier to do for the Nouveau template pack as it uses the WordPress password control. I agree we need to port this to the legacy template pack and use an easy way to enforce strong password. I’ll work on it during 10.0.0

#3 @niftythree
3 years ago

Hi @imath

Thanks for such a quick response!
That sounds great, thank you. 😊

#4 @imath
3 years ago

  • Keywords has-patch 2nd-opinion added; needs-patch removed

Hi @niftythree

8589.patch brings the needed code to enforce a password strength level. By default it allows any password, but you can define a constant to enforce a strong (or less strong) password.

eg:
define( 'BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH', 4 ); // 4 is the strength score for strong passwords.

It only applies to BuddyPress generated template on the front end (registration/Member's general settings page). This means it doesn't change anything to WordPress only parts (eg: the WP Admin user profile, or the lost password WP Login screen).

Reading the support topic you linked in your description, I guess there's already a WordPress Plugin doing the job, so we shouldn't mess with it imho 😉.

@dcavins or @vapvarun what are your thoughts about this feature?

#5 @dcavins
3 years ago

@imath I think this is a great change. I've tested it out with Legacy and Nouveau and it works as expected. My only suggestion is that bp_members_user_pass_required_strength_description() shouldn't try to describe the strength required, but should show what characters are required. For instance, "Your password must be weak at least to be allowed on this site." doesn't inspire much confidence. :)

I'm sure that the password strength-o-meter isn't this obvious, but for level 1, could we say "Use a mix of upper- and lowercase letters." and so on? If not, I'd suggest we just offer solid password advice, regardless of the level selected, like "Strong passwords are made up of upper- and lowercase letters, numbers and special characters. Longer passwords are generally stronger."

#6 @imath
3 years ago

  • Keywords needs-refresh added

Thanks for your feedback @dcavins. I'll update the patch this way, using a single description for each strength level. I agree the current ones don't make me feel great 😬.

#7 @vapvarun
3 years ago

@imath We can also cover the password change notice in the same patch, as it's currently
"Your settings have been saved." even for password changes.

#8 @imath
3 years ago

Sure!

#9
3 years ago

This ticket was mentioned in Slack in #buddypress by imath. View the logs.

#10 @imath
3 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 13189:

Introduce a new constant/filter to enforce strong password in BP areas

You can now use the BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH constant or alternatively the 'bp_members_user_pass_required_strength' filter to force members to use passwords satisfying a strength score from 4 (strong) to 1 (weak). For instance use define( 'BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH', 4 ); to enforce strong passwords.

This setting will only be applied to these 2 BuddyPress specific areas:

  • the registration form,
  • the General User's front-end profile settings tab.

PS: this commit also removes completely the password-verify script from the BP Nouveau Template Pack which was deprecated since BuddyPress 5.0.

Props niftythree, dcavins

Fixes #8589
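What enabling the new setting looks like in practice, together with the caveat from comment 4 and the commit message that it only covers BuddyPress's own forms. This is an added example, not the ticket's patch and not BuddyPress code. It assumes the 'bp_members_user_pass_required_strength' filter hands its callback the current required strength as a single argument (the filter name and the 1 to 4 scale are the ones stated in the commit message above). The checks for the wp-admin profile and the reset-password screen use WordPress core's user_profile_update_errors and validate_password_reset hooks with a length and deny-list policy that is this example's own choice, not the strength score BuddyPress applies; example_password_policy_errors() is a hypothetical helper and the deny list is constructed for the example.

```php
<?php
/**
 * Plugin Name: Strong passwords in every password form (added example)
 *
 * Added example for ticket #8589; it is not BuddyPress code and not the
 * ticket's patch. Drop it into wp-content/mu-plugins/ on a site running
 * BuddyPress 10.0 or later.
 */

// 1) BuddyPress areas: the registration form and the front-end General
//    settings tab. The filter name and the 1 (weak) .. 4 (strong) scale come
//    from the r13189 commit message; the callback's argument name is assumed.
//    Returning 4 here has the same effect as putting
//    define( 'BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH', 4 ); in wp-config.php.
add_filter( 'bp_members_user_pass_required_strength', function ( $required_strength ) {
	return 4;
} );

// 2) WordPress-only screens the ticket says BuddyPress leaves alone: the
//    wp-admin user profile and the lost-password reset screen. The policy
//    below (minimum length, short deny list, no login name inside the
//    password) is this example's own choice; it is NOT BuddyPress's
//    strength score, so a password can pass one check and fail the other.
function example_password_policy_errors( $password, $login = '' ) {
	$errors = array();
	$length = function_exists( 'mb_strlen' ) ? mb_strlen( $password, 'UTF-8' ) : strlen( $password );

	if ( $length < 12 ) {
		$errors['pass_too_short'] = __( 'Password must be at least 12 characters long.' );
	}

	// Constructed deny list for the example; a real one would be far larger.
	$deny_list = array( 'password', 'password1', '123456789012', 'qwertyuiop12', 'letmeinletmein' );
	if ( in_array( strtolower( $password ), $deny_list, true ) ) {
		$errors['pass_too_common'] = __( 'That password is too common; choose another one.' );
	}

	if ( strlen( $login ) >= 4 && false !== stripos( $password, $login ) ) {
		$errors['pass_contains_login'] = __( 'Password must not contain your username.' );
	}

	return $errors;
}

// wp-admin profile / edit-user form. edit_user() only fills $user->user_pass
// when a new password was submitted, so an unchanged password is not
// re-validated here.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, $update, $user ) {
	if ( empty( $user->user_pass ) ) {
		return;
	}
	$login = isset( $user->user_login ) ? $user->user_login : '';
	foreach ( example_password_policy_errors( $user->user_pass, $login ) as $code => $message ) {
		$errors->add( $code, $message );
	}
}, 10, 3 );

// Reset-password screen of wp-login.php. $user is a WP_Error when the reset
// key is invalid; WordPress already reports that case, so bail out quietly.
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ) {
	if ( is_wp_error( $user ) || empty( $_POST['pass1'] ) ) {
		return;
	}
	$password = wp_unslash( $_POST['pass1'] );
	foreach ( example_password_policy_errors( $password, $user->user_login ) as $code => $message ) {
		$errors->add( $code, $message );
	}
}, 10, 2 );
```

Both core hooks fire before the password is saved, so adding an entry to the WP_Error is enough to block the save and re-render the form with the message. Keep the two policies consistent in spirit: a member who is told to pick a "strong" password on the BuddyPress settings tab should not be able to sidestep that requirement by resetting the password through wp-login.php instead.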
