I am using Login.Register. The registration form is working OK and new users are setting up accounts.
However, I have had a few people complain that they have used very strong passwords that have been rejected. My code is as follows:
[[!Register?
&submitVar=`loginRegisterBtn`
&activationResourceId=`25`
&activationEmailTpl=`lgnActivateEmailTpl`
&activationEmailSubject=`Account Activation`
&submittedResourceId=`26`
&usergroups=`members`
&validate=`nospam:blank,
password:required:minLength=^8^,
password_confirm:required:password_confirm=^password^,
email:required:email`
&ensurePasswordStrength=`1`
&ensurePasswordStrengthSuggestions=`5`
&maximumPossibleStrongerPasswords=`25`
&placeholderPrefix=`reg.`
&validationErrMsg=`There are some errors in the form.`
]]
&ensurePasswordStrength should make it check for the strength of the password.
&ensurePasswordStrengthSuggestions should make it suggest five alternatives to the password entered, if it thinks the password entered is weak.
&maximumPossibleStrongerPasswords set to 25 (the default) seems to make it quite strict. I have experimented with numbers ranging from 30 to 300. Anything over 50 makes it accept pretty much anything. Anything lower than 50 makes it reject really complex passwords, but accept some really simple ones.
With the above settings these two passwords were rejected:
passwors
BV+EaLBZmbQn+j+vEN5RsLHH0hwjIdsl
With the above settings these two passwords were accepted:
password
BV+E4LBZmBQen+j+vEN5R$LHH0hwjId51
The acceptance of the word password as a strong password with these settings really shocked me.
I hope I am doing something wrong.
If anyone has any ideas I would be grateful for your input.
Versions in use:
MODX 2.5.5
Login 1.9.2 (I am aware of an upgrade to 1.9.3 being available and will try it out on the dev site, but I don't think it addresses the issue I have).