Opened 7 weeks ago

Last modified 45 hours ago

#8589 assigned enhancement

Enforce strong passwords within user profile settings

Reported by: niftythree Owned by: imath
Milestone: 10.0.0 Priority: normal
Severity: normal Version:
Component: Templates Keywords: has-patch 2nd-opinion



We've noticed that a user can go into their profile settings and change their password to something very weak (e.g. a single character). Other BuddyPress users have noticed this, too:

Is this something that could be enhanced in a future update, so that users can only create strong passwords in all areas? 😊


Attachments (1)

8589.patch (13.7 KB) - added by imath 45 hours ago.


Change History (5)

#1 @niftythree
7 weeks ago

We should have clarified that this is in addition to users being able to register an account with a weak password, and that we're using the Legacy template.

Last edited 7 weeks ago by niftythree

#2 @imath
7 weeks ago

  • Component changed from Core to Templates
  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 10.0.0
  • Owner set to imath
  • Status changed from new to assigned

Hi @niftythree

Thanks a lot for bringing this to my attention. It’s possible, and it’s easier to do for the Nouveau template pack as it uses the WordPress password control. I agree we need to port this to the Legacy template pack and use an easy way to enforce strong passwords. I’ll work on it during 10.0.0.

#3 @niftythree
7 weeks ago

Hi @imath

Thanks for such a quick response!
That sounds great, thank you. 😊


#4 @imath
45 hours ago

  • Keywords has-patch 2nd-opinion added; needs-patch removed

Hi @niftythree

8589.patch brings the needed code to enforce a password strength level. By default it allows any password, but you can define a constant to enforce a strong (or less strong) password.

define( 'BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH', 4 ); // 4 is the strength score for strong passwords.

It only applies to BuddyPress-generated templates on the front end (registration / member's general settings page). This means it doesn't change anything in WordPress-only parts (e.g. the WP Admin user profile, or the lost-password WP Login screen).

Reading the support topic you linked in your description, I guess there's already a WordPress plugin doing the job, so we shouldn't mess with it imho 😉.

@dcavins or @vapvarun, what are your thoughts about this feature?
