Passwords are required to be significantly longer since the 23 release, and the Password rules displayed in User Accounts for the (Admin)user haven't been updated.
The poor admin who tries to follow the rules printed in User Accounts Add/Edit User page will not successfully be able to save a password.
Haven't checked but I would also suspect the password rules printed in the Reset Password feature would need an update too.
Haowei i think this could be a nice easy bug in the text we show front-end users.
@laemtl can you guide him through the process?
First steps in looking into this bug will include:
Then : issue a Pull Request (PR) to the main branch with these changes, and ask @laemtl to Review and also Test your changes.
One easy way to understand the different rules is to look at the code:
https://github.com/aces/Loris/blob/62a09948d516c3aed3c88022f545240cf2457516/modules/my_preferences/test/my_preferencesTest.php#L299
https://github.com/aces/Loris/blob/62a09948d516c3aed3c88022f545240cf2457516/php/libraries/Password.class.inc#L33
https://github.com/aces/Loris/blob/62a09948d516c3aed3c88022f545240cf2457516/modules/my_preferences/php/my_preferences.class.inc#L11
https://github.com/aces/Loris/blob/247bef9daf03ca64af2485f06cfe2eab77d046a0/modules/user_accounts/test/user_accountsTest.php#L448
https://github.com/aces/Loris/blob/2b9244421fc33e57588bb41f5d4da951b9d91ce5/modules/user_accounts/php/edit_user.class.inc#L28
https://github.com/aces/Loris/blob/62a09948d516c3aed3c88022f545240cf2457516/php/libraries/User.class.inc#L490
as well as the Test plan:
https://github.com/aces/Loris/blob/62a09948d516c3aed3c88022f545240cf2457516/modules/login/test/Reset_Password_Test_Plan.md
Hi @christinerogers and @laemtl,
Based on your instructions, I looked into the password rules.
The recent PRs relating to password rules changes (for Release 23.0.0) are: #6705, #6615, #6611, #6510, #6341, #6330, #5974, and #5958. However, I did not find any PRs relating to password rules changes for Release 23.0.1, 23.0.2, and 23.0.3 so far.
The recent PR that modified the password rules is #5974.
The classes that mentioned the password rules (for LORIS Frontend) are: form_passwordexpiry.tpl, form_my_preferences.tpl, and form_edit_user.tpl.
Based on #5974 and my personal experience add/edit the password in LORIS, I think that the current password rules listed in Frontend generally explain all the password rules. However, I found that the current LORIS password rules did not mention the use of Zxcvbn library, should I improve and mention this?
Thank you very much!
If the error message is self-explanatory I think it's fine.
@laemtl I think that this issue could be closed?
Hi Haowei, to clarify --
What is the new length of password that must be entered when changing a password in User Accounts?
Does the password-rules instructions to users as shown in the page accurately reflect this?
That's what this issue is asking to resolve.
@christinerogers I tried to add a new user and the minimum length of password was 8. I think that the current password rules to users generally reflect the actual password rules.
Hi @haoweiqiu -- you think or you're sure? if you're sure, we can close this issue.
@christinerogers I confirm.
@christinerogers I think I'm sure.
closing this issue.
@christinerogers, @haoweiqiu After further investigation, zxcvbn can reject passwords of length 8 or longer if their score is not at least 3. Fewer rejections happen with passwords of length 10. What about increasing the suggested length to 10? The phrasing can emphasize that it's a recommendation and that a password can still be rejected.
Most helpful comment
Haowei i think this could be a nice easy bug in the text we show front-end users.
@laemtl can you guide him through the process?
First steps in looking into this bug will include:
Then : issue a Pull Request (PR) to the main branch with these changes, and ask @laemtl to Review and also Test your changes.