Forums | Mahara Community

Developers /
change Password Policy to letters

Stefan Meier's profile picture
Posts: 9

22 April 2018, 10:40

HI there

I just upgraded to mahara 18.4 and noticed that the password minimum requirements must have changed.


As far as I remember the minimum was just 8 letters (no capitals) or am I wrong?

Anyway I do not want our students to be bothered and want to change it back to the minimum

So I was digging in the code and probably found the line  in   / auth / internal / lib.php

that defines the requirements. I do not really know any php so could anyone help me out? how to remove capital letters from the minimum Password requirements?


 public function is_password_valid($password) {
        list($minlength, $format) = get_password_policy(true);

        if (!preg_match('/^[a-zA-Z0-9 [email protected]#\$%\^&\*\(\)_\-=\+\,\.<>\/\?;:"\[\]\{\}\\\|`\']{' . $minlength . ',}$/', $password)) {
            return false;

        $containsLetter = preg_match('/\pL/',       $password); // '/[a-zA-Z]/'
        $containsNumber = preg_match('/\pN/',       $password); // '/\d/'
        $containsSymbol = preg_match('/[^\pL\pN]/', $password); // '/[^a-zA-Z\d]/'

        if ($format == 'ul') {
            return $containsLetter;
        if ($format == 'uln') {
            return ($containsLetter && $containsNumber);
        if ($format == 'ulns') {
            return ($containsLetter && $containsNumber && $containsSymbol);

        return false;

Stefan Meier's profile picture
Posts: 9

22 April 2018, 10:45

Just tested the lowest settings.

Upper and lowercase letters:

I used a password containing no capital letters and a number.

using eg. legert1234 would not work but legert1200 would.

this is fine for me as i is back to the requirements i wanted but might that be a bug? Should it not request at least one capital letter?

Kristina Hoeppner's profile picture
Posts: 4065

22 April 2018, 12:54

Hello Stefan,

Thank you for reporting the issue that uppercase letters are ignored. I created a bug report at That won't help you as you like the current code to have weaker passwords, but we should fix that. ;-)

We decided to make upper and lowercase letters and 8 characters the minimum requirement because anything else would only took a few minutes to crack:




3 results