View Full Version : Miscellaneous Hacks - Minimum Password Length


Eric
05-30-2011, 10:00 PM
What is this?
This mod will allow you to force user passwords to be at least a certain length.


Features

Force minimum length on:

Registration
Edit Password
Reset Password



I've only tested this mod on vB 4.1.4/4.1.5 (alpha). It should work with previous versions, however I am not sure. If it works for you on an older version, let me know.


Installation
1. Download the `product-password_minlength.xml` file. (* may differ in name based on version)
2. Enter your AdminCP and go to Plugins & Products > Manage Products > [Add/Import Product]
3. Import the product using the `product-password_minlength.xml` file. (* may differ in name based on version)
4. Configure the mod in AdminCP -> Settings -> Options -> User Registration Options


Upgrading
In many cases, all you'll need to do to upgrade is follow the installation instructions above, but set "Allow Overwrite" to "Yes".


Changelog
Version 1.0.2, 07/05/2011

Changed the "Check Method" choice from a drop down to radio buttons (Boofo ;) )
Changed how the "UserId" "Check Method" works - it is now used for excluding User IDs
Fixed a bug in the plugin for updating profile - was not checking if a new password had been entered.


Version 1.0.1, 06/07/2011

Introduced three new options and one new plugin.
The new options are based around a "Check Method". You can choose to enforce the min. password length by userid, usergroup, or 'none' (all).


Version 1.0.0, 05/31/2011

Initial release.

Eric
05-31-2011, 06:54 PM
Reserved.

Special Pages
05-31-2011, 09:31 PM
Thank you Eric! :D

Lynne
05-31-2011, 11:14 PM
Nice idea, Eric!

just.b.jealous
06-01-2011, 12:58 AM
Works on vB 4.1.3... I did notice while importing it that it gave an error of some sort, but it finished importing too quickly before I had a chance to actually read the error. Everything seems to be working fine though. Thanks, marked "Installed".

Eric
06-01-2011, 01:02 AM
Nice idea, Eric!
Thanks Lynne. :) I've seen a few folks request this several times so I finally decided to give it a go. I also thought it would be something useful given what is happening with passwords etc recently :)

Works on vB 4.1.3... I did notice while importing it that it gave an error of some sort, but it finished importing too quickly before I had a chance to actually read the error. Everything seems to be working fine though. Thanks, marked "Installed".
That is odd. I will see if I can get my hands on 4.1.3 and see what that error might have been. There is not really anything in the file that should cause an error. :/

sulasno
06-01-2011, 01:37 AM
tagged and thanks

Can the mod dictate that a minimum of 1 capital letter and 1 digit must be used?

vglobal
06-01-2011, 04:45 AM
Tag for future. It would be great if we have a complex password mod.

Thanks

Boofo
06-01-2011, 06:49 AM
Excellent idea, sir. ;)

Boofo
06-01-2011, 08:54 AM
What is a good default setting for the length? I think 14 might be a little too long for some users to accept without whining. ;)

Also, I saw no error on importing the product on 4.1.3. Maybe another mod was not playing nice with the OP setup.

Eric
06-01-2011, 10:59 AM
tagged and thanks

Can the mod dictate that a minimum of 1 capital letter and 1 digit must be used?

Tag for future. It would be great if we have a complex password mod.

Thanks
It is not possible to do that with this mod... at least, not yet. I will see what I can do. :)

Excellent idea, sir. ;)
Thank you :)
What is a good default setting for the length? I think 14 might be a little too long for some users to accept without whining. ;)

Also, I saw no error on importing the product on 4.1.3. Maybe another mod was not playing nice with the OP setup.
A good, secure, password is typically 12-16 (roughly) characters. But, I can understand some users having difficulty with that. I would say a good compromise would be 8 characters.

As for 4.1.3, that is what I was thinking - that maybe another mod was conflicting with it. Hopefully it is not an error with this mod itself. :)

Boofo
06-01-2011, 04:59 PM
I compromised and set it at 10.

I didn't see anything in the code that would cause an error on import. I wouldn't worry about it unless you get anyone else having the same issues.

I would suggest maybe adding a setting for certain userids that could bypass the length check.

Eric
06-02-2011, 04:23 PM
I compromised and set it at 10.

I didn't see anything in the code that would cause an error on import. I wouldn't worry about it unless you get anyone else having the same issues.

I would suggest maybe adding a setting for certain userids that could bypass the length check.
That is a good idea Boofo, will implement it in the next release.

BirdOPrey5
06-04-2011, 01:05 PM
I compromised and set it at 10.

I didn't see anything in the code that would cause an error on import. I wouldn't worry about it unless you get anyone else having the same issues.

I would suggest maybe adding a setting for certain userids that could bypass the length check.

I suggest if possible add a feature to this mod to enforce minimum lengths on mod and admin accounts only.

Honestly it is extremely unlikely I would join a forum requiring me to have a password over 6 to 8 characters.

Because... unless I'm a mod or admin, it's JUST a forum. NO ONE cares about my account and I care even less. So what someone cracks my password? Very unlikely on vBulletin where you can't brute-force your way in because it will lock you out after a few bad tries... I'm not going to jump through hoops to join a forum unless they are the only forum in their niche- and I know most admins can't claim that.

Just my opinion.

Boofo
06-04-2011, 01:27 PM
I suggest if possible add a feature to this mod to enforce minimum lengths on mod and admin accounts only.

Honestly it is extremely unlikely I would join a forum requiring me to have a password over 6 to 8 characters.

Because... unless I'm a mod or admin, it's JUST a forum. NO ONE cares about my account and I care even less. So what someone cracks my password? Very unlikely on vBulletin where you can't brute-force your way in because it will lock you out after a few bad tries... I'm not going to jump through hoops to join a forum unless they are the only forum in their niche- and I know most admins can't claim that.

Just my opinion.

I totally disagree.

Eric
06-04-2011, 03:53 PM
I suggest if possible add a feature to this mod to enforce minimum lengths on mod and admin accounts only.

Honestly it is extremely unlikely I would join a forum requiring me to have a password over 6 to 8 characters.

Because... unless I'm a mod or admin, it's JUST a forum. NO ONE cares about my account and I care even less. So what someone cracks my password? Very unlikely on vBulletin where you can't brute-force your way in because it will lock you out after a few bad tries... I'm not going to jump through hoops to join a forum unless they are the only forum in their niche- and I know most admins can't claim that.

Just my opinion.
I would disagree, actually. I think every member should have as secure a password as possible. These days when you have things like KeePass, etc - and browsers that will save the password... what is an extra 2-3 characters? Besides, the limit in this mod is configurable.

I may add a usergroup option though, we'll see. :)

Boofo
06-04-2011, 04:01 PM
I would disagree, actually. I think every member should have as secure a password as possible. These days when you have things like KeePass, etc - and browsers that will save the password... what is an extra 2-3 characters? Besides, the limit in this mod is configurable.

I may add a usergroup option though, we'll see. :)

I think a userid option would be better. ;)

BirdOPrey5
06-04-2011, 04:24 PM
Well obviously it's your mod... I'm just saying I think putting a 10 or 14 character minimum on regular user account on most forums is like putting a bank vault door on an empty shed in a rural area... Yeah it's more protection, but for what?

You have to balance security vs. the user experience and most forums don't need this type of security on their standard accounts. Admins need to realize IMO most of their sites aren't all that important in the scheme of things. If it was a bank account or medical history then yeah, by all means, enforce strong passwords... but a forum to talk about cars or art or video games? I'd be more concerned about frustrating new and existing members with password requirements far surpassing any bank account I've ever used and having them stop coming.

I use KeePass myself but I'm not going to go through the effort of making a new entry for every single forum I'm a member of. LOL.

Anyway, my suggestion is an option to enforce for mods and admins only... all other opinions aside.

jgt58
06-04-2011, 05:58 PM
I think a userid option would be better. ;)

This would be great if you could enforce this on a usergroup basis and not the regular members

Boofo
06-04-2011, 06:13 PM
This would be great if you could enforce this on a usergroup basis and not the regular members

That makes absolutely no sense. Why even use it then?

Boofo
06-04-2011, 06:14 PM
Well obviously it's your mod... I'm just saying I think putting a 10 or 14 character minimum on regular user account on most forums is like putting a bank vault door on an empty shed in a rural area... Yeah it's more protection, but for what?

You have to balance security vs. the user experience and most forums don't need this type of security on their standard accounts. Admins need to realize IMO most of their sites aren't all that important in the scheme of things. If it was a bank account or medical history then yeah, by all means, enforce strong passwords... but a forum to talk about cars or art or video games? I'd be more concerned about frustrating new and existing members with password requirements far surpassing any bank account I've ever used and having them stop coming.

I use KeePass myself but I'm not going to go through the effort of making a new entry for every single forum I'm a member of. LOL.

Anyway, my suggestion is an option to enforce for mods and admins only... all other opinions aside.

Not everyone feels their forums' or members' security is as unimportant as you feel it is.

BirdOPrey5
06-04-2011, 10:35 PM
That makes absolutely no sense. Why even use it then?

Because regular users have "no powers." If someone hacked a regular user account worst thing they could do is post as them... So what if that happens?

Mod and Admin accounts however need to be protected for the security of the forum and the protection of member's private info.

Eric
06-07-2011, 06:35 PM
Version 1.0.1, 06/07/2011
Introduced three new options and one new plugin.
The new options are based around a "Check Method". You can choose to enforce the min. password length by userid, usergroup, or 'none' (all).

Boofo
06-08-2011, 01:27 AM
Thanks for the update. The only thing I would suggest is changing the "Minimum Password Length: Check Method" option to radio:piped instead of select:piped. And I would have excluded userids instead of including them.

Eric
06-08-2011, 10:19 PM
Thanks for the update. The only thing I would suggest is changing the "Minimum Password Length: Check Method" option to radio:piped instead of select:piped. And I would have excluded userids instead of including them.
Why change to the radio:piped?

And for the userids, that is what I had initially and tbh, don't even remember why I thought it should be changed - would not take much to change it back.

Boofo
06-08-2011, 10:55 PM
Why change to the radio:piped?

A coding preference, I guess, as well as it shows all options instead of having to scroll through a drop-down box.

And for the userids, that is what I had initially and tbh, don't even remember why I thought it should be changed - would not take much to change it back.

I was wondering if maybe it was a simple mistake on your end. ;)

jgt58
06-09-2011, 10:53 PM
That makes absolutely no sense. Why even use it then?

Because to enforce staff having a more secure password than the normal users. Extra security is really not needed for normal users. If they are concerned about that, they will have a strong password. I WANT my staff to have a secure password, but there is no way to enforce that. This would be perfect with tweaks.

So yes, it does make sense :-)

Boofo
06-10-2011, 01:36 AM
To you, maybe. I think my users are just as important as the staff and therefore should be given the same concern. Having their accounts hacked could be just as disastrous, if not more so, than any staff members.

just.b.jealous
06-10-2011, 04:03 AM
You should require it for admins/moderators and not regular users, trust me - they dislike it. But then again, any secure-minded admin already has a long enough, difficult to guess password. Had this installed but users couldn't actually register - they all kept getting a "password doesn't contain required amount of characters, please try again" error, or something to that effect. Ended up having to disable it for the time being.

Eric
06-10-2011, 06:13 AM
You should require it for admins/moderators and not regular users, trust me - they dislike it. But then again, any secure-minded admin already has a long enough, difficult to guess password. Had this installed but users couldn't actually register - they all kept getting a "password doesn't contain required amount of characters, please try again" error, or something to that effect. Ended up having to disable it for the time being.

I've tested this mod several times across 4.1.3 and 4.1.4 - works fine. You sure they actually were meeting the requirement? ;)

ninjadawg
06-10-2011, 11:33 PM
This hack works on VB 4.1.1

Nice work thanks

ND

Boofo
07-04-2011, 04:55 AM
A member tried to change their email address tonight and they got this error:

The password you entered is not long enough. Your password needs to be at least 10 characters in length.


The password they use is 11 characters. They tried it three times and kept getting the error. I have it set to 10.

Eric
07-05-2011, 09:42 AM
A member tried to change their email address tonight and they got this error:




The password they use is 11 characters. They tried it three times and kept getting the error. I have it set to 10.

Hmm, I think I see a cause for this - were they even trying to update their password, or just email?

Eric
07-05-2011, 10:14 AM
Version 1.0.2, 07/05/2011

Changed the "Check Method" choice from a drop down to radio buttons (Boofo ;) )
Changed how the "UserId" "Check Method" works - it is now used for excluding User IDs
Fixed a bug in the plugin for updating profile - was not checking if a new password had been entered.
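
The enforcement rules this thread describes (minimum length, the three check methods, and the 1.0.2 fix for profile updates that carry no new password), as an added example that is not the mod's own code. The function name, option keys and sample values are hypothetical, and the reading of the "usergroup" method as "only listed groups are checked" is an assumption.

```php
<?php
// Added example; option keys, function name and sample values are hypothetical.

/**
 * True when a submitted password must be rejected as too short.
 * $opts: min_length, check_method ('none'|'userid'|'usergroup'),
 *        excluded_userids, enforced_usergroups.
 * $newPassword: null or '' when the form carried no new password.
 */
function password_too_short(array $opts, array $user, $newPassword)
{
    // Version 1.0.2 fix: with no new password entered (for example an
    // email-only profile update) there is nothing to measure.
    if ($newPassword === null || $newPassword === '') {
        return false;
    }
    switch ($opts['check_method']) {
        case 'userid':    // listed user IDs are excluded from the check
            if (in_array((int) $user['userid'], $opts['excluded_userids'], true)) {
                return false;
            }
            break;
        case 'usergroup': // assumption: only listed usergroups are checked
            if (!in_array((int) $user['usergroupid'], $opts['enforced_usergroups'], true)) {
                return false;
            }
            break;
        default:          // 'none' or an unrecognised value: check everyone
            break;
    }
    // Count characters rather than bytes when mbstring is available.
    $length = function_exists('mb_strlen')
        ? mb_strlen($newPassword, 'UTF-8')
        : strlen($newPassword);
    return $length < $opts['min_length'];
}

// Constructed sample settings and users.
$opts = array(
    'min_length'          => 10,
    'check_method'        => 'userid',
    'excluded_userids'    => array(1),
    'enforced_usergroups' => array(5, 6, 7),
);
$member = array('userid' => 42, 'usergroupid' => 2);
$exempt = array('userid' => 1, 'usergroupid' => 6);

var_dump(password_too_short($opts, $member, ''));            // email-only update
var_dump(password_too_short($opts, $member, 'short'));       // 5 characters
var_dump(password_too_short($opts, $member, 'elevenchars')); // 11 characters
var_dump(password_too_short($opts, $exempt, 'short'));       // excluded user ID
```

An unrecognised check method falls through to checking everyone, so a mistyped setting cannot silently switch the policy off.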

Boofo
07-05-2011, 04:02 PM
Hmm, I think I see a cause for this - were they even trying to update their password, or just email?

No, I think they were just trying to update their email.

Eric
07-05-2011, 04:04 PM
No, I think they were just trying to update their email.
Ah, that is what I assumed. The update should fix that. :)

Boofo
07-05-2011, 04:05 PM
Okay, thanks. ;)

OldSchoolDSL
11-25-2011, 02:37 PM
Installed and working

4.1.8

cosy
04-14-2012, 09:07 PM
this should be default for vbulletin

pczone
05-22-2012, 07:16 AM
4.1.12

Installed and working

Thanks

LLent
05-22-2012, 10:40 AM
Nice idea with this mod indeed, but when you have vbsecurity I feel there is no need for this. I have joined a lot of forums, some I joined just to give a look around 'cause the forums have been closed to guests; if they had this mod in place I sure wouldn't ....

Now if you could implement how strong a p/w was I wouldn't mind that, but password length is no biggie to me and I am with bop on that.

CubicWebs
05-29-2012, 06:09 AM
Would be great if it checked the strength of the password. So you can set it to 50% strong.

Disco_Stu
06-12-2012, 02:43 AM
Installed. 4.2 PL 1

MikeF
06-12-2012, 05:46 AM
Would be great if it checked the strength of the password. So you can set it to 50% strong.

The problem is that you need code to compute the bit strength of the password. i.e. a password A-Z, a-z, 0-9 of 44 characters would have a bit strength around 256-bit cipher strength password.
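
The bit-strength calculation mentioned in the post above, as an added example that is not code from the thread or the mod; the function names are hypothetical and passwords are assumed to be ASCII. The estimate is length times log2 of the alphabet size, which is an upper bound that only holds for characters chosen uniformly at random: 44 characters of A-Z, a-z, 0-9 come to about 262 bits, while a predictable password that merely uses every character class still scores well.

```php
<?php
// Added example; function names are hypothetical, passwords assumed ASCII.

/** Size of the alphabet implied by the character classes present. */
function pool_size($password)
{
    $pool = 0;
    if (preg_match('/[a-z]/', $password)) { $pool += 26; }
    if (preg_match('/[A-Z]/', $password)) { $pool += 26; }
    if (preg_match('/[0-9]/', $password)) { $pool += 10; }
    // Remaining printable ASCII: 32 punctuation characters plus space.
    if (preg_match('/[^a-zA-Z0-9]/', $password)) { $pool += 33; }
    return $pool;
}

/** Upper-bound strength in bits: length * log2(pool). */
function strength_bits($password)
{
    $pool = pool_size($password);
    return $pool > 0 ? strlen($password) * log($pool, 2) : 0.0;
}

/** Shortest length that reaches $targetBits with $pool symbols. */
function min_length_for($targetBits, $pool)
{
    return (int) ceil($targetBits / log($pool, 2));
}

// Constructed inputs: a 44-character stand-in using A-Z, a-z and 0-9,
// and a predictable password that still contains all four classes.
$alnum44     = str_repeat('aB3', 14) . 'xY';
$predictable = 'Password1!';

var_dump(strlen($alnum44));                      // length of the stand-in
var_dump(round(strength_bits($alnum44), 1));     // estimate for 62 symbols
var_dump(min_length_for(256, 62));               // length needed for 256 bits
var_dump(round(strength_bits($predictable), 1)); // overestimate for a guessable password
```

A meter built on this formula rewards character variety, not unpredictability, so a score threshold is best combined with a minimum length and a check against known-common passwords.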

puncol
05-17-2013, 02:08 PM
Doesn't want to work on my 4.2.1. ....

juan71287
09-24-2013, 12:48 PM
3.8 Version???

friendlymela
09-26-2013, 09:43 AM
Hmmm nice mod

Willo
12-03-2014, 05:41 PM
installed on 4.2.0...It's been baking for about a week and doing all we wanted
forces users with weak pw's to reset to our determined length.

409industries
02-23-2015, 04:26 PM
EDIT:

Works in 4.2.2. Thank you!

Would be amazing to have a way to also force users to include upper case letters / numbers / special characters in addition to a minimum password length.

I saw that this guy is building on this mod and trying to implement it, but it seems a bit buggy still and I am reluctant to install it until it is more secure.

https://vborg.vbsupport.ru/showthread.php?t=316017

Thanks Eric!

Any plans for an updated version?

ForceHSS
02-23-2015, 04:31 PM
Doesn't seem to work on 4.2.2.

I installed it and applied the min password length checking and could still login with a test user in a test usergroup that only had a 3 digit password.

:-(
I have it working on 4.2.3 and before was working on 4.2.2

409industries
02-23-2015, 07:16 PM
I have it working on 4.2.3 and before was working on 4.2.2

I was working under the misconception that it would prompt a user with a short password to change it upon logon. This is not the case.

ForceHSS
02-23-2015, 07:31 PM
It tells you all it can do in the OP post. I know many who download plugins never read all the info, but it does help to.

Features
Force minimum length on:
Registration
Edit Password
Reset Password

If you ask the coder to see if they will add the options you need they might update it

Diego Vargas
04-10-2015, 07:36 PM
Any plans to port this to vb 5.1.6 ?

WillyWonkaBar
07-10-2015, 01:22 AM
Just upgraded to 4.2.2 PL 4 and this plugin caused a blank register.php page. Disabled and the blank page disappeared.

alfuzzy
07-02-2019, 09:35 AM
Apologies for waking this thread up after a number of years. But does anyone know (or can confirm) if this modification works with vB 4.2.5?

Thanks