Forums | Mahara Community

change Password Policy to letters


Stefan Meier
Posts: 9

22 April 2018, 10:40

Hi there

I just upgraded to Mahara 18.4 and noticed that the password minimum requirements must have changed.

 

As far as I remember the minimum was just 8 letters (no capitals) or am I wrong?

Anyway, I do not want our students to be bothered and want to change it back to the minimum.

So I was digging in the code and probably found the line in /auth/internal/lib.php

that defines the requirements. I do not really know any PHP, so could anyone help me out? How do I remove capital letters from the minimum password requirements?

 

    public function is_password_valid($password) {
        list($minlength, $format) = get_password_policy(true);

        if (!preg_match('/^[a-zA-Z0-9 ~!@#\$%\^&\*\(\)_\-=\+\,\.<>\/\?;:"\[\]\{\}\\\|`\']{' . $minlength . ',}$/', $password)) {
            return false;
        }

        $containsLetter = preg_match('/\pL/',       $password); // '/[a-zA-Z]/'
        $containsNumber = preg_match('/\pN/',       $password); // '/\d/'
        $containsSymbol = preg_match('/[^\pL\pN]/', $password); // '/[^a-zA-Z\d]/'

        if ($format == 'ul') {
            return $containsLetter;
        }
        if ($format == 'uln') {
            return ($containsLetter && $containsNumber);
        }
        if ($format == 'ulns') {
            return ($containsLetter && $containsNumber && $containsSymbol);
        }

        return false;
    }

Stefan Meier
Posts: 9

22 April 2018, 10:45

Just tested the lowest settings.

Upper and lowercase letters:

I used a password containing no capital letters and a number.

Using e.g. legert1234 would not work but legert1200 would.

This is fine for me as it is back to the requirements I wanted, but might that be a bug? Should it not request at least one capital letter?

Kristina Hoeppner
Posts: 4863

22 April 2018, 12:54

Hello Stefan,

Thank you for reporting the issue that uppercase letters are ignored. I created a bug report at https://bugs.launchpad.net/mahara/+bug/1766041 That won't help you as you like the current code to have weaker passwords, but we should fix that. ;-)

We decided to make upper and lowercase letters and 8 characters the minimum requirement because anything else would only take a few minutes to crack: https://www.inetsolution.com/inetsolution/media/images/blog/image-password.png

Cheers

Kristina
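
The uppercase issue discussed in this thread, as an added example that is not part of the original posts and is not Mahara's code: the `ul` branch of the quoted function returns only the result of the `\pL` test, which matches a letter of either case. The function names and the stricter variant are assumptions for illustration; the fix tracked in the bug report may differ.

```php
<?php
// Added illustration; function names are hypothetical, not Mahara's API.
// The allowed-character whitelist from the quoted function is omitted here.

// Mirrors the 'ul' branch quoted above: minimum length, then "contains a
// letter". \pL matches a letter of either case, so case is never checked.
function policy_ul_as_quoted(string $password, int $minlength = 8): bool
{
    if (strlen($password) < $minlength) {
        return false;
    }
    return preg_match('/\pL/', $password) === 1;
}

// Assumed stricter variant: require at least one uppercase (\p{Lu}) and
// one lowercase (\p{Ll}) letter. The /u modifier treats input as UTF-8.
function policy_ul_strict(string $password, int $minlength = 8): bool
{
    if (strlen($password) < $minlength) {
        return false;
    }
    return preg_match('/\p{Lu}/u', $password) === 1
        && preg_match('/\p{Ll}/u', $password) === 1;
}

// Constructed sample passwords; 'legert1200' is the one from the thread.
$samples = ['legert1200', 'Legert1200', 'LEGERT1200', '1234567890'];

printf("%-12s %-10s %s\n", 'password', 'as quoted', 'strict');
foreach ($samples as $pw) {
    printf(
        "%-12s %-10s %s\n",
        $pw,
        policy_ul_as_quoted($pw) ? 'accept' : 'reject',
        policy_ul_strict($pw) ? 'accept' : 'reject'
    );
}
```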

 
