Way to enforce password complexity?

Started by Leppie, February 17, 2011, 08:45:09 PM

Leppie

Is there any way to enforce complex passwords?

Arantor

Admin > Configuration > Security and Moderation > General > Required strength for user passwords

Leppie

Oh doh! I knew I had seen it somewhere... maybe I need to get some glasses...
Many thanks, Arantor.

Danny S.

I'm sorry, but I have a question to piggy-back on this...


If I were to enhance my password requirements now, would anyone who had an easier password (say 4 digits) be required to upgrade their password upon their next login again?

Or would they be grandfathered in?

Arantor

As far as I know - I haven't looked at the code in a long time - it would allow them to use their current password and it would only re-enforce it on next password change (which I guess is what you meant by grandfathered in)


Leppie

Then would there be a way to set the "unsecure" passwords to expire?

Arantor

Nope, there would not. There is no way to know if a given password is unsecure in the majority of cases - because the password is invariably not sent in plaintext to the server - if JS is available (which it usually is), the password is hashed even before it's sent to the server, so you never get to know whether it's insecure or not after it's been created like that.

All you can do is notify your users to modify their password and hope they do it, or hack in support for tracking when a password was last set and nudge users to reset it that way (but experience suggests that leads to less secure and more memorable passwords)
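To illustrate Arantor's point (strength can only be judged at the moment a password is set, and the only handle on existing passwords is their age), here is an added Python example; it is not SMF's own code, and its three policy levels are modelled loosely on the "Required strength for user passwords" setting as an assumption, not a copy of SMF's actual rules.

```python
import re
from datetime import datetime, timedelta

# Policy levels loosely modelled on SMF's three "Required strength" settings
# (assumption: SMF's exact rules may differ from this illustration).
NONE, MEDIUM, STRONG = 0, 1, 2


def validate_new_password(password, username, email, level):
    """Return None if the password is acceptable, else a short reason.

    This is the only point at which the server sees the plaintext (with
    client-side hashing on login it never does), so strength can only be
    enforced when a password is set or changed, never retroactively."""
    if len(password) < 4:
        return "too_short"
    if level >= MEDIUM:
        if len(password) < 8:
            return "too_short"
        lowered = password.lower()
        # Reject passwords that embed the user's own identifiers.
        for word in (username, email.split("@")[0]):
            if word and word.lower() in lowered:
                return "contains_identifier"
    if level >= STRONG:
        has_mix = (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
                   and re.search(r"\d", password))
        if not has_mix:
            return "needs_mixed_chars"
    return None


def needs_reset(password_set_at, now, max_age_days=180):
    """True when a stored password is older than the policy allows.

    Stored hashes cannot be graded, so the set date (ISO 'YYYY-MM-DD',
    which the site would have to start recording) is the only signal
    available for nudging a user to choose a password that will pass
    validate_new_password()."""
    age = datetime.fromisoformat(now) - datetime.fromisoformat(password_set_at)
    return age > timedelta(days=max_age_days)
```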

Leppie

I agree, setting too many rules to enforce "more secure" passwords usually has adverse effects.

I was just curious if it was possible, but since I installed the anti-bot mods I get far fewer failed login attempts.

Many thanks for your help :)