How is minimum user password length determined?

What exactly is the minimum required length for a password and how is it determined?

I first tried using 8-character passwords (wanting to use the same passwords as used by the same users in a different system), which reported the password wasn't long enough.

I then found the admin page [admin > Preferences > Security > Minimum password length] with value 10 (which iiuc is ##pwd_min_chars## in table wacko_config). I then tried creating a new user with a ##10## character password but also received an error that the password was not long enough. I then tried with a ##15## character password and the new user was accepted.

I also experimented with manually changing ##pwd_min_chars## in the database to ##8## and found creating a new user with either an 8 character or a 10 character password was rejected (but a ##15## character password was accepted). At one time, I had changed the value of ##pwd_min_chars## in the db back to ##10##, but it still appeared as ##8## in the admin page - even after restarting the dbms and also reloading the browser page (Ctrl-F5). Go figure...

How is minimum password length imposed? Am I misunderstanding expected behavior? Could this be a bug?

For my use case (a proof-of-concept demo with password type-ability preferred vs security), it would be acceptable if the minimum length was hard-coded in the UI as long as I could change the value to something smaller by accessing the database directly (8 would suffice for this situation) and the database value would be respected when creating new users.

Cheers,
Dale

P.S. the Administrator has to enter a password when creating a new user, but it does not seem possible for the Administrator to change an existing user's password. Do I understand this correctly?