Minimum Password Length
 

What is this?
This mod will allow you to force user passwords to be at least a certain length.


Features

• Force minimum length on:
  • Registration
  • Edit Password
  • Reset Password

I've only tested this mod on vB 4.1.4/4.1.5 (alpha). It should work with previous versions, however I am not sure. If it works for you on an older version, let me know.


Installation
1. Download the `product-password_minlength.xml` file. (* may differ in name based on version)
2. Enter your AdminCP and go to Plugins & Products > Manage Products > [Add/Import Product]
3. Import the product using the `product-password_minlength.xml` file. (* may differ in name based on version)
4. Configure the mod in AdminCP -> Settings -> Options -> User Registration Options


Upgrading
In many cases, all you'll need to do to upgrade is follow the installation instructions above, but set "Allow Overwrite" to "Yes".


Changelog
Version 1.0.2, 07/05/2011

• Changed the "Check Method" choice from a drop down to radio buttons (Boofo ;) )
• Changed how the "UserId" "Check Method" works - it now is used for escluding User ID's
• Fixed a bug in the plugin for updating profile - was not checking if a new password had been entered.

Version 1.0.1, 06/07/2011

• Introduced three new options and one new plugin.
• The new options are based around a "Check Method". You can choose to enforce the min. password length by userid, usergroup, or 'none' (all).

Version 1.0.0, 05/31/2011

• Initial release.

Reserved.

Thank you Eric! :D

Nice idea, Eric!

Works on vB 4.1.3,.. I did notice while importing it- that it gave an error of some sort but it finished importing to quickly before I had a chance to actually read the error. Everyting seems to be working fine though. Thanks, marked "Installed".

Thanks Lynne. :) I've seen a few folks request this several times so I finally decided to give it a go. I also thought it would be something useful given what is happening with passwords etc recently :)

That is odd. I will see if I can get my hands on 4.1.3 and see what that error might have been. There is not really anything in the file that should cause an error. :/

tagged and thanks

can the mod dictate that a minimum of 1 Capital letter and I Digit must be used ?

Tag for future. It would be great if we have a complex password mod.

Thanks

Excellent idea, sir. ;)

What is a good default setting for the length? I think 14 might be a little too long for some users to accept without whining. ;)

Also, I saw no error on importing the product on 4.1.3. Maybe another mod was not playing nice with the OP setup.

It is not possible to do that with this mod... at least, not yet. I will see what I can do. :)

Thank you :)
A good, secure, password is typically 12-16 (roughly) characters. But, I can understand some users having difficulty with that. I would say a good compromise would be 8 characters.

As for 4.1.3, that is what I was thinking - that maybe another mod was conflicting with it. Hopefully it is not an error with this mod itself. :)

I compromised and set it at 10.

I didn't see anything in the code that would cause an error on import. I wouldn't worry about it unless you get anyone else having the same issues.

I would suggest maybe adding a setting for certain userids that could bypass the length check.

That is a good idea Boofo, will implement it in the next release.

I suggest if possible add a feature to this mod to enforce minimum lengths on mod and admin accounts only.

Honestly it is extremely unlikely I wold join a forum requiring me to have a password over 6 to 8 characters.

Because... unless I'm a mod or admin, it's JUST a forum. NO ONE cares about my account and I care even less. So what someone cracks my password? Very unlikely on vBulletin where you can't brute-force your way in because it will lock you out after a few bad tries... I'm not going to jump through hoops to join a forum unless they are the only forum in their niche- and I know most admins can't claim that.

Just my opinion.

I totally disagree.

I would disagree, actually. I think every member should have as secure a password as possible. These days when you have things like KeePass, etc - and browsers that will save the password... what is an extra 2-3 characters? Besides, the limit in this mod is configurable.

I may add a usergroup option though, we'll see. :)

I think a userid option would be better. ;)

Well obviously it's your mod... I'm just saying I think putting a 10 or 14 character minimum on regular user account on most forums is like putting a bank vault door on an empty shed in a rural area... Yeah it's more protection, but for what?

You have to balance security vs. the user experience and most forums don't need this type of security on their standard accounts. Admins need to realize IMO most of their sites aren't all that important in the scheme of things. If it was a bank account or medical history then yeah, by all means, enforce strong passwords... but a forum to talk about cars or art or video games? I'd be more concerned about frustrating new and existing members with password requirements far surpassing any bank account I've ever used and having them stop coming.

I use KeePass myself but I'm not going to go through the effort of making a new entry for every single forum I'm a member of. LOL.

Anyway, my suggestion is an option to enforce for mods and admins only... all other opinions aside.

This would be great if you could enforce this on a usergroup basis and not the regular members

That makes absolutely no sense. Why even use it then?

Not everyone feels their forums or members security are as unimportant as you feel they are.

Because regular users have "no powers." If someone hacked a regular user account worst thing they could do is post as them... So what if that happens?

Mod and Admin accounts however need to be protected for the security of the forum and the protection of member's private info.

Thanks for the update. The only thing I would suggest is changing the "Minimum Password Length: Check Method" option to radio:piped instead of select:piped. And I would have excluded userids instead of including them.

Why change to the radio:piped?

And for the userids, that is what I had initially and tbh, don't even remember why I thought it should be changed - would not take much to change it back.

A coding preference, I guess, as well as it shows all options instead of having to scroll through a drop-down box.

I was wondering if maybe it was a simple mistake on your end. ;)

Because to enforce staff having a more secure password than the normal users. Extra security is really not needed for normal users. If they are concerned about that , they will have a strong password. I WANT my staff to have a secure password , but there is no way to enforce that. This would be perfect with tweeks.

So yes , it does make sense :-)

To you, maybe. I think my users are just as important as the staff and therefore should be given the same concern. Having their accounts hacked could be just as disastrous, if not more so, than any staff members.

You should require it for admins/moderators and not regular users, trust me- they dislike it. But then again, any secure-minded admin already has a long enough, difficult to guess password. HAd this installed but users couldn't actually register- they all kept getting a "password doesn't contain required amount of characters, please try again" error, or something to that effect. Ending up having to disable it for the time being.

I've tested this mod several times across 4.1.3 and 4.1.4 - works fine. You sure they actually were meeting the requirement? ;)

This hack works on VB 4.1.1

Nice work thanks

ND

A member tried to change their email address tonight and they got this error:


The password they use is 11 characters. They tried it three times and kept getting the error. I have it set to 10.

Hmm, I think I see a cause for this - were they even trying to update their password, or just email?

No, I think they were just trying to update their email.

Ah, that is what I assumed. The update should fix that. :)

Okay, thanks. ;)

Installed and working

4.1.8

this should be default for vbulletin

4.1.12

Installed and working

Thanks