Change password reqts with NO plugin without breaking resetpass link?

(@gladsong)

I'm trying to change password requirements in WP 6.1.1 without using a plugin.

It's a clean install with just

  wp-cli plugin list

    +---------------------------------------+----------+--------+------------+
    | name                                  | status   | update | version    |
    +---------------------------------------+----------+--------+------------+
    | astra-addon                           | active   | none   | 4.0.1      |
    | wp-native-php-sessions                | active   | none   | 1.3.4      |
    | nginx-helper                          | active   | none   | 2.2.2      |
    | ultimate-addons-for-gutenberg         | active   | none   | 2.3.5      |
    | astra-sites                           | active   | none   | 3.1.27     |
    | wp-crontrol                           | active   | none   | 1.15.1     |
    | flush-opcache                         | active   | none   | 4.2.0      |
    | wp-redis                              | active   | none   | 1.3.3      |
    | object-cache.php                      | dropin   | none   |            |
    +---------------------------------------+----------+--------+------------+


In CORE, I see the 'random_password' filter in

  wp-includes/pluggable.php

    2575  if ( ! function_exists( 'wp_generate_password' ) ) :
            /**
             * Generates a random password drawn from the defined set of characters.
    ...
>>                return apply_filters( 'random_password', $password, $length, $special_chars, $extra_special_chars );
            }
        endif;


I add this to my child theme, which (a) sets (minimum?) password length to 24, and (b) limits the set of 'special characters' to  == '!_-+#',

  functions.php

  ...
      function my_random_password() {

        $randomizer = new Random\Randomizer();
        $chars="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!_-+#";
        $length=24;

        $password = '';
        for ($i = 0; $i < $length; $i++) {
          $index = $randomizer->getInt(0,strlen($chars)-1);
              $password .= $chars[$index];
          }
       
          return $password;
      )
      add_filter('random_password', 'my_random_password', 99, 4);
  ...

When I register a new user @ the default WP 'Register' form I enter in 'username' + 'email', and click to submit.

I receive the Login Details email, with the set-password link

  Username: testuser

  To set your password, visit the following address:

>>  https://example.com/login/?action=rp&key=kE#qLOGp_16M_p7XKu2p#xHi&login=testuser

  https://example.com/login/

If I click that link, it redirects to

  https://example.com/login/?action=lostpassword&error=invalidkey#qLOGp_16M_p7XKu2p#xHi&login=testuser

and displays this ERROR

  Error: Your password reset link appears to be invalid. Please request a new link below.

If I change to remove special characters

-  $chars="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!_-+#";
+  $chars="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789;

and repeat the process, a reset link is generated

  https://example.com/login/?action=rp&key=bLXf6zTpFaDNLg64aGZqaX8t&login=testuser

where the 'key' has NO special characters, and the registration works.

How do you change the WP login/register password requirements to include special characters but NOT break the login link?

Viewing 3 replies - 1 through 3 (of 3 total)

Moderator threadi
(@threadi)

3 years, 2 months ago

If you want to check the password complexity, it makes little sense to start with a password generation function. As you can see, this is also used by other components.

Have a look at the hook check_passwords: https://developer.ww.wp.xz.cn/reference/hooks/check_passwords/

Sometimes it is also worth to have a look at the source code of plugins that already implement this. E.g.: https://ww.wp.xz.cn/plugins/password-policy-manager/ or iThemeSecurity.

Thread Starter gladsong
(@gladsong)

3 years, 2 months ago

Hi,

I’m not just trying to cehck the validity, I’m trying to generate the password according to my criteria, and have WP use it. For example when manually clicking on the “generate password” , or when the password field is auto-populated with a generated password.

And, yep. I’ve looked at the code of every plugin I can get my hands on. Including iThemes. Huge overkill, and as far as I can tell they rip out the core stuff, and do lots their own way

So, yes, I want several components to use ‘my’ intended password. I just need to understand how to NOT have other components use it, like that resetlink I mentioned above.
Moderator threadi
(@threadi)

3 years, 2 months ago
If you are concerned with clicking “generate password”, then you could set an AJAX request as a condition in your function. Because the click triggers exactly this. All functions that come to the filter “random_password” without AJAX would then remain unaffected by your function.

Example:
```
function my_random_password( $password, $length, $special_chars, $extra_special_chars ) {
   if( !defined('DOING_AJAX') ) {
    return $password;
   }
   // your function ..
   return $yourpassword;
}
add_filter('random_password', 'my_random_password', 99, 4);
```

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Change password reqts with NO plugin without breaking resetpass link?’ is closed to new replies.

Change password reqts with NO plugin without breaking resetpass link?

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics