    I am using Login.Register. The registration form is working OK and new users are setting up accounts.

    However, I have had a few people complain that they have used very strong passwords that have been rejected. My code is as follows:

    [[!Register?
    	&submitVar=`loginRegisterBtn`
    	&activationResourceId=`25`
    	&activationEmailTpl=`lgnActivateEmailTpl`
    	&activationEmailSubject=`Account Activation`
    	&submittedResourceId=`26`
    	&usergroups=`members`
    	&validate=`nospam:blank,
    	password:required:minLength=^8^,
    	password_confirm:required:password_confirm=^password^,
    	email:required:email`
    	&ensurePasswordStrength=`1`
    	&ensurePasswordStrengthSuggestions=`5`
    	&maximumPossibleStrongerPasswords=`25`
    	&placeholderPrefix=`reg.`
    	&validationErrMsg=`There are some errors in the form.`
    ]]


    &ensurePasswordStrength should make it check for the strength of the password.

    &ensurePasswordStrengthSuggestions should make it suggest five alternatives to the password entered, if it thinks the password entered is weak.

    &maximumPossibleStrongerPasswords set to 25 (the default) seems to make it quite strict. I have experimented with numbers ranging from 30 to 300. Anything over 50 makes it accept pretty much anything. Anything lower than 50 makes it reject really complex passwords, but accept some really simple ones.

    With the above settings these two passwords were rejected:
    passwors
    BV+EaLBZmbQn+j+vEN5RsLHH0hwjIdsl

    With the above settings these two passwords were accepted:
    password
    BV+E4LBZmBQen+j+vEN5R$LHH0hwjId51

    The acceptance of the word password as a strong password with these settings really shocked me.

    I hope I am doing something wrong.

    If anyone has any ideas I would be grateful for your input.

    Versions in use:
    MODX 2.5.5
    Login 1.9.2 (I am aware of an upgrade to 1.9.3 being available and will try it out on the dev site, but I don't think it addresses the issue I have).

      If I help you out on these forums I would be very grateful if you would consider rating me on Trustpilot: https://uk.trustpilot.com/review/andytough.com

      email: [email protected] | website: https://andytough.com
      I haven't used the new password strength function built into the Login extra, but IMO it's better to handle it on the front-end anyway, as you can have immediate feedback on the passwords and cross-reference it with a list of common passwords to let the user know how secure their password is.

      I'm still developing this site but feel free to take a look as an example:
      http://alienbuild.uk/clients/register/

      The code is:

      <script src="https://cdnjs.cloudflare.com/ajax/libs/zxcvbn/4.4.2/zxcvbn.js"></script>

      <script>
      // Labels for the five zxcvbn scores (0 = weakest, 4 = strongest)
      var strength = {
          0: "Worst ☹",
          1: "Bad ☹",
          2: "Weak ☹",
          3: "Good ☺",
          4: "Strong ☻"
      };

      var password = document.getElementById('password');
      var meter = document.getElementById('password-strength-meter');
      var text = document.getElementById('password-strength-text');

      // Re-score on every keystroke so the user gets immediate feedback
      password.addEventListener('input', function()
      {
          var val = password.value;
          var result = zxcvbn(val);

          // Update the password strength meter
          meter.value = result.score;

          // Update the text indicator (warning and suggestions come from zxcvbn)
          if(val !== "") {
              text.innerHTML = "Strength: " + "<strong>" + strength[result.score] + "</strong>" + "<span class='feedback'>" + result.feedback.warning + " " + result.feedback.suggestions + "</span>";
          }
          else {
              text.innerHTML = "";
          }
      });
      </script>
        ■ email: [email protected] | ■ website: https://alienbuild.uk

        The greatest compliment you can give back to us, is to spend a few seconds leaving a rating at our trustpilot: https://uk.trustpilot.com/review/alienbuild.uk about the service we provided. We always drop mention of services offered by businesses we've worked with in the past to those of interest.
        Thank you LK. That's a very good idea. Much less frustrating for the user. The site you are developing looks good.

          Thank you! I keep getting so far with it and then getting distracted and addicted to a hidden game I added onto the homepage.
          http://alienbuild.uk
          password is sc00byd00

          Click on the rocket that animates in from the bottom. Level 26.

          ...One day I will finish the site!

            Quite addictive isn't it!

            • That script solution is nice, but you can't be sure on the server side that the password is strong enough. Is there a PHP library out there that does the same?
                Yeah, there's a PHP version of the same lib:

                https://github.com/bjeavons/zxcvbn-php/blob/master/README.md
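The point raised above (a browser-side meter is good UX, but only a server-side check is authoritative) can be met by running one scorer in both places. The following is an added example, not code from this thread and not zxcvbn's own code: a small zxcvbn-style scorer that runs unchanged in the browser and under Node, with a dictionary check that always beats the entropy estimate, so "password" scores 0 whatever its character mix. COMMON_PASSWORDS is a constructed sample list; the rest of the names are assumptions of this example.

```javascript
// Added example (not from the thread, not zxcvbn's code): one scorer used by
// both the browser meter and the server-side check, so the server never has
// to trust the client's verdict. COMMON_PASSWORDS is a constructed sample;
// a real deployment loads a full list such as the one zxcvbn ships.
const COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome"];

// Undo the usual letter-for-symbol swaps so "p4ssw0rd" still hits the list.
const LEET = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };
function normalize(pw) {
  return pw.toLowerCase().split("").map(c => LEET[c] || c).join("");
}

// Crude entropy estimate: length * log2(size of the character pool in use).
function entropyBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33;
  return pool ? pw.length * Math.log2(pool) : 0;
}

// Score 0..4 on zxcvbn's scale. A dictionary hit wins over any entropy figure:
// "password" scores 0 no matter how many character classes a checker counts.
function scorePassword(pw) {
  const candidates = [pw.toLowerCase(), normalize(pw).replace(/[^a-z0-9]/g, "")];
  if (COMMON_PASSWORDS.some(w => candidates.includes(w))) return 0;
  const containsWord = COMMON_PASSWORDS.some(w => candidates.some(c => c.includes(w)));
  const bits = entropyBits(pw);
  let score = bits < 36 ? 1 : bits < 50 ? 2 : bits < 70 ? 3 : 4;
  if (pw.length < 8) score = Math.min(score, 1);   // short: never above "Bad"
  if (containsWord) score = Math.min(score, 1);    // "password123": still "Bad"
  return score;
}

// Server-side gate mirroring the Register snippet's minLength=8 and
// password_confirm rules, plus a minimum score of 3 ("Good").
// Returns null when the password is accepted, otherwise the reason.
function validatePassword(pw, confirm) {
  if (pw.length < 8) return "Password must be at least 8 characters.";
  if (pw !== confirm) return "Passwords do not match.";
  if (scorePassword(pw) < 3) return "Password is too easy to guess.";
  return null;
}

// The same labels the front-end meter shows next to #password-strength-meter.
const LABELS = ["Worst", "Bad", "Weak", "Good", "Strong"];
function strengthLabel(pw) { return LABELS[scorePassword(pw)]; }
```

Run with the passwords from the first post: "password" scores 0 and is rejected server-side, while the 32-character random one scores 4 and passes.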