How is minimum user password length determined?
What exactly is the minimum required length for a password and how is it determined?
I first tried using 8-character passwords (wanting to use the same passwords as used by the same users in a different system), which reported the password wasn't long enough.
I then found the admin page [admin > Preferences > Security > Minimum password length] with value 10 (which iiuc is pwd_min_chars in table wacko_config). I then tried creating a new user with a 10-character password but also received an error that the password was not long enough. I then tried with a 15-character password and the new user was accepted.
I also experimented with manually changing pwd_min_chars in the database to 8 and found creating a new user with either an 8-character or a 10-character password was rejected (but a 15-character password was accepted). At one time, I had changed the value of pwd_min_chars in the db back to 10, but it still appeared as 8 in the admin page – even after restarting the dbms and also reloading the browser page (Ctrl-F5). Go figure...
How is minimum password length imposed? Am I misunderstanding expected behavior? Could this be a bug?
For my use case (a proof-of-concept demo with password type-ability preferred vs security), it would be acceptable if the minimum length was hard-coded in the UI as long as I could change the value to something smaller by accessing the database directly (8 would suffice for this situation) and the database value would be respected when creating new users.
Cheers,
Dale
P.S. the Administrator has to enter a password when creating a new user, but it does not seem possible for the Administrator to change an existing user's password. Do I understand this correctly?
Re: How is minimum user password length determined?
You have two kinds of passwords:
Persistence of User Passwords
Minimum password length: 10
Longer passwords are necessarily more secure than shorter passwords (e.g. 12 to 16 characters).
The use of passphrases instead of passwords is encouraged.
Minimum admin password length: 15
Longer passwords are necessarily more secure than shorter passwords (e.g. 15 to 20 characters).
The use of passphrases instead of passwords is encouraged.
You can change these password lengths, but you have to consider there are two different settings. In other words, if you're admin, pwd_admin_min_chars is applied. So you have to change both values to your range and it will work as expected.
It is always a good idea to change the config values in the Admin panel; otherwise you have to clear the config cache, update the session, purge the page and browser cache – depending on what you have changed – on your own.
If you change a value in the config table manually without updating/purging the config cache, it will still load the old values.
In this case you can use the {{admin_cache}} action or delete the _cache/config/config.php file by hand to update the config cache.
In the admin panel's current configuration you can't change or overwrite the user's password as admin, that's right. This can become a problem if the user has lost access to his email account or sending emails is not possible or deactivated. Should we add a feature to overwrite the user's password?
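The two effects the reply describes – a separate admin minimum being applied to an admin session, and a config cache that keeps serving old values after a direct database edit – can be modelled in a few lines. The following is an added, constructed example and not WackoWiki's own code: the setting names pwd_min_chars and pwd_admin_min_chars and the idea of a cached config file are taken from the thread, while the function names, the in-memory stand-in for the wacko_config table, and the assumption that the admin threshold applies whenever the acting session is an admin are mine.

```python
"""Constructed model of WackoWiki's two password-length settings and its
config cache, as described in the forum reply. Not the project's code."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the wacko_config table (setting name -> value).
WACKO_CONFIG_TABLE = {"pwd_min_chars": "10", "pwd_admin_min_chars": "15"}


@dataclass
class ConfigCache:
    """Models the cached config file: the table is read once, then every
    request is served from the snapshot until the cache is purged."""
    snapshot: Optional[dict] = None

    def load(self, table: dict) -> dict:
        if self.snapshot is None:          # miss: read the table
            self.snapshot = dict(table)
        return self.snapshot               # hit: the table is NOT consulted

    def purge(self) -> None:
        """What the {{admin_cache}} action or deleting the file achieves."""
        self.snapshot = None


def required_length(config: dict, acting_as_admin: bool) -> int:
    # Assumption from the reply: an admin session is held to the admin minimum.
    key = "pwd_admin_min_chars" if acting_as_admin else "pwd_min_chars"
    return int(config[key])


def password_long_enough(password: str, config: dict, acting_as_admin: bool) -> bool:
    return len(password) >= required_length(config, acting_as_admin)


def set_via_admin_panel(table: dict, cache: ConfigCache, key: str, value: int) -> None:
    """Supported path: write the table AND invalidate the cache."""
    table[key] = str(value)
    cache.purge()


def set_via_sql(table: dict, key: str, value: int) -> None:
    """Manual path from the thread: the table changes, the cache does not."""
    table[key] = str(value)


def reproduce_thread() -> dict:
    """Replays the observations from the question; returns them by name."""
    table = dict(WACKO_CONFIG_TABLE)
    cache = ConfigCache()
    out = {}
    cfg = cache.load(table)
    # Admin creating users: 8 and 10 chars rejected, 15 accepted.
    out["admin_8"] = password_long_enough("a" * 8, cfg, acting_as_admin=True)
    out["admin_10"] = password_long_enough("a" * 10, cfg, acting_as_admin=True)
    out["admin_15"] = password_long_enough("a" * 15, cfg, acting_as_admin=True)
    # Direct SQL edit to 8 without purging: the effective value is still 10.
    set_via_sql(table, "pwd_min_chars", 8)
    out["effective_after_sql"] = required_length(cache.load(table), False)
    # After a purge the new table value becomes effective.
    cache.purge()
    out["effective_after_purge"] = required_length(cache.load(table), False)
    # Lowering the admin minimum too (via the panel) lets an admin create 8-char users.
    set_via_admin_panel(table, cache, "pwd_admin_min_chars", 8)
    out["admin_8_after_both_lowered"] = password_long_enough(
        "a" * 8, cache.load(table), acting_as_admin=True)
    return out


if __name__ == "__main__":
    for name, value in reproduce_thread().items():
        print(f"{name}: {value}")
```

The model makes the thread's two points visible at once: as long as only pwd_min_chars is lowered, an admin session still fails on the 15-character admin minimum, and a value written straight into the table is invisible until the cache snapshot is discarded.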