How is minimum user password length determined?

What exactly is the minimum required length for a password and how is it determined?


I first tried using 8-character passwords (wanting to use the same passwords as used by the same users in a different system), which reported the password wasn't long enough.


I then found the admin page [admin > Preferences > Security > Minimum password length] with value 10 (which iiuc is pwd_min_chars in table wacko_config). I then tried creating a new user with a 10 character password but also received an error that the password was not long enough. I then tried with a 15 character password and the new user was accepted.


I also experimented with manually changing pwd_min_chars in the database to 8 and found creating a new user with either an 8 character or a 10 character password was rejected (but a 15 character password was accepted). At one time, I had changed the value of pwd_min_chars in the db back to 10, but it still appeared as 8 in the admin page – even after restarting the dbms and also reloading the browser page (Ctrl-F5). Go figure...


How is minimum password length imposed? Am I misunderstanding expected behavior? Could this be a bug?


For my use case (a proof-of-concept demo with password type-ability preferred vs security), it would be acceptable if the minimum length was hard-coded in the UI as long as I could change the value to something smaller by accessing the database directly (8 would suffice for this situation) and the database value would be respected when creating new users.


Cheers,
Dale


P.S. the Administrator has to enter a password when creating a new user, but it does not seem possible for the Administrator to change an existing user's password. Do I understand this correctly?

Comments

  1. Re: How is minimum user password length determined?

    [A]
    You have two kinds of passwords:
    'pwd_min_chars'				=> 10,
    'pwd_admin_min_chars'			=> 15,	

    Persistence of User Passwords


    Minimum password length: 10
    Longer passwords are necessarily more secure than shorter passwords (e.g. 12 to 16 characters).
    The use of passphrases instead of passwords is encouraged.

    Minimum admin password length: 15
    Longer passwords are necessarily more secure than shorter passwords (e.g. 15 to 20 characters).
    The use of passphrases instead of passwords is encouraged.

    You can change these password lengths, but you have to consider there are two different settings.
    • admin
    • user

    In other words, if you're admin, pwd_admin_min_chars is applied. So you have to change both values to your range and it will work as expected.

    It is always a good idea to change the config values in the Admin panel, otherwise you have to clear the config cache, update the session, purge the page and browser cache – depending on what you have changed, on your own.

    If you change a value in the config table manually without updating/purging the config cache, it will still load the old values.
    In this case you can use the {{admin_cache}} action or delete the _cache/config/config.php file by hand to update the config cache.

    [B]
    In the admin panel's current configuration you can't change or overwrite the user's password as admin, that's right. This can become a problem if the user lost access to his email account or sending emails is not possible or deactivated. Should we add a feature to overwrite the user's password?
    • WikiAdmin
    • 14.12.2024 10:07 edited
  2. Re: How is minimum user password length determined?

    Hi WikiAdmin :-)

    There seems to be a more fundamental issue occurring. I'm using the Admin panel now and Wacko will not save a change to “Minimum password length” from 10 to 8; the “tooltip”(?) reports “Value must be greater than or equal to 10.” (changing the value to 8 and clicking [Save] results in the cursor being positioned in the field and the tooltip being displayed).

    I presume there must be a hard-coded minimum of 10 characters to protect users from themselves. Do I understand correctly? I would like to intentionally allow 8-character passwords with no security check, no email confirmation, no captcha, etc. Is there a file I can manually edit to allow 8-character passwords?



    Re admin not being able to change a user password... I noted this simply as an inconsistency – that if the admin could specify the password for a new user, why can they not change the password of an existing user?

    However, I agree the password recovery process could not be used if it requires the user to have access to the email account in their profile, and the admin being able to change the password would be a solution. Another use case might be to change the password if the user has locked themselves out by entering a bad password too many times (if enabled), or in environments in which the admin controls the passwords. I can't say if this feature “should” be added but Imho it would improve general admin management and certainly be appreciated when and if needed.

    Btw, is authentication via LDAP supported? (which would of course change workflows related to passwords). Iiuc, I found this patch in the forum, but from the call for help I'm guessing it works for v4.3 but not v6.x. /Dev/PatchesHacks/LDAPGroups
    • DaleScott
    • 21.12.2024 07:58 edited
  3. Re: How is minimum user password length determined?

    I must be missing a critical part of the instructions....

    1. edited config_security.php
    2. changed (saved) and then confirmed pwd_min_chars = 8
    3. cleared caches
    4. deleted user bjenks and attempted to add again using 8-char password (WikiNames have been disabled in the admin panel)

    but still WackoWiki says no

    • DaleScott
    • 21.12.2024 00:17 edited
  4. Re: How is minimum user password length determined?

    You must also change the pwd_admin_min_chars length.

    When you're Admin it always checks against pwd_admin_min_chars.

    <?php
    
    $min_chars = $this->is_admin() ? $this->db->pwd_admin_min_chars : $this->db->pwd_min_chars;


    We can add a password reset by admin.
    • WikiAdmin
    • 21.12.2024 08:14 edited
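To make the behaviour discussed in this thread concrete, here is an added example (not WackoWiki's own code) that models the one-line check quoted above: the effective minimum depends on whether the actor creating the account is an admin, so an admin creating a user account is held to pwd_admin_min_chars. The class, method and variable names are assumptions for illustration; only the two config keys and their default values come from the thread.

```php
<?php
// Added example, not WackoWiki code. Models the length check quoted in the
// thread: the minimum is chosen by WHO performs the action, not whose
// account it is. Class/method names here are assumed for illustration.

class PasswordPolicy
{
    public function __construct(private array $config) {}

    // Same rule as the quoted line: admin actor -> pwd_admin_min_chars,
    // anyone else -> pwd_min_chars.
    public function minChars(bool $actorIsAdmin): int
    {
        return $actorIsAdmin
            ? (int) $this->config['pwd_admin_min_chars']
            : (int) $this->config['pwd_min_chars'];
    }

    // Returns null when accepted, otherwise the rejection reason.
    public function check(string $password, bool $actorIsAdmin): ?string
    {
        $min = $this->minChars($actorIsAdmin);
        $len = mb_strlen($password); // count characters, not bytes, for passphrases
        if ($len < $min) {
            return sprintf('password too short: %d chars, minimum is %d', $len, $min);
        }
        return null;
    }
}

// Default values quoted in the thread.
$policy = new PasswordPolicy(['pwd_min_chars' => 10, 'pwd_admin_min_chars' => 15]);

// Reproduces the original post: as admin, 8 and 10 chars are rejected and
// 15 accepted, even though the user minimum is 10.
foreach ([8, 10, 15] as $len) {
    $pw = str_repeat('x', $len);
    printf("admin creating user, %2d chars: %s\n", $len, $policy->check($pw, true) ?? 'accepted');
}

// Lowering only pwd_min_chars (comment 3 in the thread) changes nothing for
// an admin-created account ...
$onlyUser = new PasswordPolicy(['pwd_min_chars' => 8, 'pwd_admin_min_chars' => 15]);
printf("only pwd_min_chars=8, admin: %s\n", $onlyUser->check(str_repeat('x', 8), true) ?? 'accepted');

// ... both settings must be lowered for the 8-character demo password to pass.
$both = new PasswordPolicy(['pwd_min_chars' => 8, 'pwd_admin_min_chars' => 8]);
printf("both settings=8, admin: %s\n", $both->check(str_repeat('x', 8), true) ?? 'accepted');
```

Note that in the real wiki the values are read through the config cache, so after editing the table directly the old minimums stay in force until the cache is refreshed as described in comment 1.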
  5. Re: How is minimum user password length determined?

    Thanks for the explanation, I have now successfully created a new user with an 8-character password. :-)

    Fwiw, I still don't understand why WackoWiki behaves this way. Imho the behavior would be more intuitive if user passwords only had to comply with pwd_min_chars, regardless of whether the user created their own login (if allowed), or if it was created by admin.

    Regardless, I think WackoWiki is fantastic and you have my sincere thanks for maintaining and supporting it.

    Cheers,
    Dale