Skip to:
Content

BuddyPress.org

Opened 2 years ago

Closed 2 years ago

#8589 closed enhancement (fixed)

Enforce strong passwords within user profile settings

Reported by: niftythree's profile niftythree Owned by: imath's profile imath
Milestone: 10.0.0 Priority: normal
Severity: normal Version:
Component: Templates Keywords: has-patch 2nd-opinion needs-refresh
Cc:

Description

Hello,

We've noticed that a user can go into their profile settings and change their password to something very weak (e.g. a single character). Other BuddyPress users have noticed this, too: ​https://buddypress.org/support/topic/require-strong-password-in-profile-edit/

Is this something that could be enhanced in a future update, so that users can only create strong passwords in all areas? 😊

Thanks.

Attachments (1)

8589.patch​ (13.7 KB) - added by imath 2 years ago.

Download all attachments as: .zip

Change History (11)

#1 @niftythree
2 years ago

We should have clarified that this is in addition to users being able to register an account with a weak password, and that we're using the Legacy template.

Last edited 2 years ago by niftythree (previous) (diff)

#2 @imath
2 years ago

  • Component changed from Core to Templates
  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 10.0.0
  • Owner set to imath
  • Status changed from new to assigned

Hi @niftythree

Thanks a lot for bringing this to my attention. It’s possible and it’s easier to do for the Nouveau template pack as it uses the WordPress password control. I agree we need to port this to the legacy template pack and use an easy way to enforce strong password. I’ll work on it during 10.0.0

#3 @niftythree
2 years ago

Hi @imath

Thanks for such a quick response!
That sounds great, thank you. 😊

@imath
2 years ago

#4 @imath
2 years ago

  • Keywords has-patch 2nd-opinion added; needs-patch removed

Hi @niftythree

​8589.patch is bringing the needed code to enforce a level of password. By default it allows any password, but you can define a constant to enforce a strong (or less strong password).

eg:
define( 'BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH', 4 ); // 4 is the strength score for strong passwords.

It only applies to BuddyPress generated template on the front end (registration/Member's general settings page). This means it doesn't change anything to WordPress only parts (eg: the WP Admin user profile, or the lost password WP Login screen).

Reading the ​support topic you linked in your description, I guess there's already a WordPress Plugin doing the job, so we shouldn't mess with him imho πŸ˜‰.

@dcavins or @vapvarun what are you thoughts about this feature?

#5 @dcavins
2 years ago

@imath I think this is a great change. I've tested it out with Legacy and Nouveau and it works as expected. My only suggestion is that bp_members_user_pass_required_strength_description() shouldn't try to describe the strength required, but should show what characters are required, for instance. "Your password must be weak at least to be allowed on this site." doesn't inspire much confidence. :)

I'm sure that the password strength-o-meter isn't this obvious, but for level 1, could we say "Use a mix of upper- and lowercase letters." and so on? If not, I'd suggest we just offer solid password advice, regardless of the level selected, like "Strong passwords are made up of upper- and lowercase letters, numbers and special characters. Longer passwords are generally stronger."

#6 @imath
2 years ago

  • Keywords needs-refresh added

Thanks for your feedback @dcavins I'll update the patch this way using a single description for each strength level. I agree current ones make me feel no great 😬.

#7 @vapvarun
2 years ago

@imath We can also cover password change notice at the same patch, as it's currently
"Your settings have been saved." even for password changes

#8 @imath
2 years ago

Sure!

This ticket was mentioned in ​Slack in #buddypress by imath. ​View the logs.


2 years ago

#10 @imath
2 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 13189:

Introduce a new constant/filter to enforce strong password in BP areas

You can now use the BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH constant or alternatively the 'bp_members_user_pass_required_strength' filter to force members to use password satisfying a strength score from 4 (strong) to 1 (weak). For instance use define ( 'BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH', 4 ); to enforce strong passwords.

This setting will only be applied to these 2 BuddyPress specific areas:

  • the registration form,
  • the General User's front-end profile settings tab.

PS: this commit also removes completely the password-verify script from the BP Nouveau Template Pack which was deprecated since BuddyPress 5.0.

Props niftythree, dcavins

Fixes #8589

Note: See TracTickets for help on using tickets.