• Resolved kalleaume

    (@kalleaume)


    I have tested the strength meter in this plugin to determine what is classified as a ‘Strong’ password. I found that the password was classified as ‘Strong’ if it simply has 9 characters, and there is no requirement for a combination of letters, numbers and special characters. I discovered that the user’s password is approved and their registration form is successful, even if their 9-character password simply has:

    • lowercase letters only (no uppercase letters, numbers or special characters)
    • uppercase letters only (no lowercase letters, numbers or special characters)
    • special characters only (no letters or numbers)
    • numbers only (no letters or special characters).

    This is not consistent with the WordPress security rules, which require all passwords to have: “at least twelve characters long. To make it stronger, use upper and lower case letters, numbers, and symbols like ! ” ? $ % ^ & )”.

    This means that even though a user is allowed to create a 9-character password with your plugin, WordPress then requires the user to update their password the next time they log in. This is very clunky and not user-friendly. How can we make the strength meter in your plugin match the WordPress requirements? If a user’s password is approved at registration, it should be a viable password that they can use to log in.

    Also, the Settings page in your plugin says that a ‘Strong’ password is defined as “Minimum one uppercase letter, a number, a special character and must be 8 characters”. This is inaccurate, as shown by my tests listed above.

    • This topic was modified 3 years, 1 month ago by kalleaume.
Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Support Amrit Kumar Shrestha

    (@shresthauzwal)

    Hi @kalleaume,

    Thank you for the information.

    We have tested and replicated the issue on our testing environment. We will fix this issue in our upcoming update of the plugin.

    Regards!

    Thread Starter kalleaume

    (@kalleaume)

    Thank you for your reply @shresthauzwal. I look forward to the update and will confirm once the issue has been resolved. Do you have an estimated timeframe on when the update will be released?

    Plugin Support Amrit Kumar Shrestha

    (@shresthauzwal)

    Hi @kalleaume,

    We will release a major update of the plugin, which will take at least one month.

    Regards!

    Thread Starter kalleaume

    (@kalleaume)

    I look forward to it! I’ll mark this post as ‘resolved’ once the issue has been resolved. Thank you.

    Thread Starter kalleaume

    (@kalleaume)

    Or, do you have a code snippet that we could apply in the meantime, until the major update is released? If so, then I can test this solution and mark the issue as resolved before the next plugin update.

    • This reply was modified 3 years ago by kalleaume.

    Plugin Support Amrit Kumar Shrestha

    (@shresthauzwal)

    Hi @kalleaume,

    We do not have a hook in this feature, so we cannot provide the code snippet. As we mentioned, the issue will be fixed in our upcoming update.

    Regards!

    Thread Starter kalleaume

    (@kalleaume)

    Ok thank you! I look forward to the issue being resolved.

    Plugin Support Amrit Kumar Shrestha

    (@shresthauzwal)

    Hi @kalleaume,

    We have fixed the Strong Password issue and released the update. With a Minimum of one uppercase letter, a number, a special character, and it must be eight characters.

    Please update the plugin and check whether the issue is resolved or not.

    Regards!

    Thread Starter kalleaume

    (@kalleaume)

    Hi @shresthauzwal,

    As mentioned in my original post, the WordPress security rules require all passwords to have at least twelve characters. If your password criteria is set to only 8 characters, then the original issue will still persist, whereby WordPress will still require users to reset their password after your plugin has accepted their password.

    Can you please clarify if you’re intending to update the password requirement to 12 characters in order to overcome this issue?

    Thanks!

    Plugin Support Amrit Kumar Shrestha

    (@shresthauzwal)

    Hi @kalleaume,

    In the previous version of the plugin, we added the wrong information, so we corrected the message and fixed the issue of a strong password. The strong password cannot be implemented according to your requirements.

    However, we appreciate your suggestion and will consider it for inclusion in a future release. We will inform you as soon as the feature becomes available.

    To request new features for the User registration plugin, please use the FeedBear link provided: https://wpeverest.com/wordpress-plugins/user-registration/feature-request/.

    Regards!


    Thread Starter kalleaume

    (@kalleaume)

    Hi @shresthauzwal

    I’m confused by your statement “The strong password can not be implemented according to your requirements.”

    I wasn’t asking for it to be implemented according to my requirements. I was asking for it to align with the standard WordPress requirements (as indicated in my original post and the post title itself).

    As far as I’m aware, WordPress security rules require all passwords to have at least twelve characters. Are you saying that this is not the case?

    • This reply was modified 2 years, 12 months ago by kalleaume.

    Plugin Support Amrit Kumar Shrestha

    (@shresthauzwal)

    Hi @kalleaume,

    We need to ensure that the feature is suitable for all users. The main goal of the plugin is to offer additional functionality, rather than duplicating features already provided by default in WordPress. It wouldn’t make sense to include the same feature that is already available. We have set a limit of 8 characters, which requires at least one uppercase letter and one special character, ensuring strong security.

    The User Registration free plugin is ready for GPL3 licensing, allowing you to freely modify and use it on your website. If you require a password with twelve characters for added strength, you can customize the plugin to meet your specific requirements.

    Regards!

    Thread Starter kalleaume

    (@kalleaume)

    Sorry, I’m still confused. This issue that I posted is “Strength meter does not match WordPress requirements”. And you have marked this issue as resolved. However…

    • Your plugin’s strength meter allows users to create a password of 8 characters.
    • WordPress requires a password of 12 characters minimum.
    • This means that even though a user is allowed to create an 8-character password with your plugin, WordPress then requires the user to update their password the next time they log in. This is very clunky and means your registration form is not usable.
    • Can you please clarify if I am misunderstanding something? For example, does your WordPress installation only require an 8-character password, and therefore users are not prompted to reset their password afterwards?

    Thread Starter kalleaume

    (@kalleaume)

    After not hearing back from you, I’ve conducted additional research and discovered that the answer to my question is that not all WordPress sites require passwords with a minimum of 12 characters.

    I discovered that it was the iThemes security plugin on our site that was imposing the 12-character password requirement for all users. After removing this requirement, your plugin — which requires 11 characters on the strength meter — works fine.


The topic ‘Strength meter does not match WordPress requirements’ is closed to new replies.
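
The mismatch this thread turned on, a registration form that accepts passwords a second, site-wide policy later rejects, can be checked before users hit it. The following is an added example, not code from the thread or from either plugin; the policy objects, function names and sample passwords are assumptions built from the rules quoted above (the form's "one uppercase letter, a number, a special character and 8 characters" and the 12-character site minimum).

```javascript
// Added example: policy shapes and names are assumptions, not plugin code.
const CLASSES = {
  lower: /[a-z]/,
  upper: /[A-Z]/,
  digit: /[0-9]/,
  special: /[^A-Za-z0-9]/,
};

// 'Strong' rule as quoted in the thread for the registration form.
const formPolicy = { minLength: 8, require: ["upper", "digit", "special"] };
// Site-wide minimum the thread traced to a separate security plugin.
const sitePolicy = { minLength: 12, require: [] };

// List every requirement of `policy` that `password` fails (empty = accepted).
function unmet(password, policy) {
  const failures = [];
  // Spread counts code points rather than UTF-16 units.
  if ([...password].length < policy.minLength) {
    failures.push(`length<${policy.minLength}`);
  }
  for (const name of policy.require) {
    if (!CLASSES[name].test(password)) failures.push(`missing:${name}`);
  }
  return failures;
}

// Structural comparison: an empty result means every password the form
// accepts is also accepted by the site policy.
function policyGaps(form, site) {
  const gaps = [];
  if (form.minLength < site.minLength) {
    gaps.push(`minLength ${form.minLength} < ${site.minLength}`);
  }
  for (const name of site.require) {
    if (!form.require.includes(name)) gaps.push(`form does not require ${name}`);
  }
  return gaps;
}

// Constructed 9-character samples: the four single-class cases from the
// original post, plus one that satisfies the form's quoted rule.
const samples = ["abcdefghi", "ABCDEFGHI", "!?$%^&)!?", "123456789", "Abcdef1!x"];

// Passwords that register successfully but trigger a forced reset later.
function acceptedByFormRejectedBySite(list, form, site) {
  return list.filter((p) => unmet(p, form).length === 0 && unmet(p, site).length > 0);
}
```

Running `policyGaps` against the effective policy of every plugin that validates passwords on a site shows this kind of conflict at configuration time rather than at a user's next login.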