
Enforce stronger member passwords

When a password is generated by the application, it seems quite secure. However, when people change their passwords, they usually don't make them as secure as they should be. Is there a way to reject a new password if it isn't secure? Or provide a "meter" that shows just how secure their new password really is so that they can reevaluate their choice? I know of some JavaScript coding for this purpose (http://javascript.internet.com/passwords), but I'm not sure if it's possible to use any of it in a CMS environment like yours.

Thank you for your attention!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
scottishlass
"You can't! It's impossible! I'm far too busy, so ask me now before I can become sane." - Edna "E" Mode

9 votes
    scottishlass shared this idea

    11 comments

      • Trenton Colbert commented

        +1 What's the point of protecting shared data like a directory if one person's password can bring the whole thing out in the open?

      • Maria commented

        I am currently evaluating the product and have been happy with everything I've seen except passwords. I can't seem to find anything about forcing stronger passwords except this thread. Since this is not a feature that is currently available, does anyone have any recommendations about what I can do to force members to create stronger passwords? Tech Support sent me your way.

      • Anonymous commented

        I would like there to be other features related to password security as well. For example, security questions. Right now, from what I understand, if a member forgets a password, s/he simply requests a new one. Then they get an emailed link to reset. Well, if someone hacks into their email, they can easily reset their WA password. Please strengthen password security through either security questions or a setting that requires admin resets.

      • brianfilms commented

        My comment/reply is YES, this is needed and important. ASAP!

        Admin can set password policy, system changes places, and too many attempts triggers a system block.

        Also, if possible, restrictions by geographic region could be a huge plus. If I have no members in Russia, it would be great to disable that region.

        You can look at Amazon Web Services as a great example of password policy.

      • Dennis commented

        I'm casting my vote for this feature - and just as Apricot Kernel described it. I would prioritize it as...
        * allow admin enable/disable password strength setting (to a default strength)
        * admin can set password strength (maybe just 5 preset settings, with none being the least)
        * lockout for 10+ failed login attempts

        In all cases, enforce only for new contacts or password changes. Don't affect existing users.

      • Robbi commented

        I agree. The solutions above sound perfect.

        It is fairly standard now to have at least a basic password enforcement protocol. I would expect no less for our membership data.

      • Evgeny aka Apricot Kernel (Admin; Product Manager, Wild Apricot) commented

        Any comments or votes?

        As far as I can see, we are talking about the following:

        1) Site admin has a password policy page where he can define if he wants to control how strong passwords should be, how many attempts are allowed before blocking login ability, and where to send e-mail in this case. There is also an option to NOT force any restrictions for passwords (as it works now).

        2) If any restriction policy is defined, the system changes all places where a new password can be set and forces the new password to comply with the site password policy.

        3) If a login block is defined (after a number of tries) and a member has failed this number of times, the system blocks the member from further login attempts and shows him a corresponding message (that he needs to contact the admin), sends an email to the member's email address with a copy to the site admin.

        Any comments?
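The login-block behaviour in item 3 of the proposal above, as an added example rather than any code from Wild Apricot: an in-memory tracker that counts consecutive failed logins per account, blocks the account once a configurable threshold is reached, and hands a notification event to a caller-supplied function (the "email member and admin" step). The threshold, the account name and the notifier are constructed for illustration.

```javascript
// Added example (not Wild Apricot code): per-account lockout after N
// consecutive failed logins. All names and values here are constructed.

class LoginLockout {
  constructor({ maxAttempts = 10, notify = () => {} } = {}) {
    this.maxAttempts = maxAttempts;   // hypothetical admin-configurable limit
    this.notify = notify;             // called with { account, reason } on block
    this.failures = new Map();        // account -> consecutive failure count
    this.blocked = new Set();         // accounts currently locked out
  }

  isBlocked(account) {
    return this.blocked.has(account);
  }

  // Record the outcome of one login attempt and return the resulting state:
  // "ok", "failed" or "blocked". A blocked account stays blocked even when
  // the correct password is later supplied; only an admin unblock lifts it.
  recordAttempt(account, success) {
    if (this.blocked.has(account)) return "blocked";
    if (success) {
      this.failures.delete(account);  // a successful login resets the counter
      return "ok";
    }
    const n = (this.failures.get(account) || 0) + 1;
    this.failures.set(account, n);
    if (n >= this.maxAttempts) {
      this.blocked.add(account);
      this.failures.delete(account);
      this.notify({ account, reason: `${n} consecutive failed logins` });
      return "blocked";
    }
    return "failed";
  }

  // Admin action: the "contact admin" path in the proposal.
  unblock(account) {
    this.blocked.delete(account);
    this.failures.delete(account);
  }
}

// Constructed demonstration: ten wrong passwords, then the right one.
function demo() {
  const events = [];
  const lockout = new LoginLockout({ maxAttempts: 10, notify: (e) => events.push(e) });
  const account = "member@example.org"; // constructed account name
  const states = [];
  for (let i = 0; i < 10; i++) states.push(lockout.recordAttempt(account, false));
  states.push(lockout.recordAttempt(account, true)); // correct, but already blocked
  return { states, events, blocked: lockout.isBlocked(account) };
}

console.log(demo());
```

A per-account counter like this needs to live in shared storage rather than one server's memory, and because the block is triggered purely by failures against a member's address, the notification to both the member and the admin matters: it is what distinguishes a forgotten password from an attempt to lock a member out, and a time-limited block (or an unblock-on-reset flow) keeps the lockout from becoming a lasting denial of service for the member.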

      • Dmitry Buterin commented

        For now we do not have any of this. I will move this to the wishlist so that we can collect feedback and prioritize.

      • sabojo commented

        Is there enforcement of minimum password length? I see no indication of this.

        I would expect that a minimum password length be enforced and preferably checked for common bad passwords (e.g. abc123). Configurable length would be nice, but a global minimum length of like 8 chars would help.

        Is there an automatic lockout for repeated failed login attempts? I can't tell, but if there is it would ease my mind. If so, after how many?

        Thanks

      • egerter commented

        +1 please!

        I think this is a security risk. If your organization has 50 or more members, there is almost a 100% probability that someone manually set their password to one of the commonly known weak passwords (http://en.wikipedia.org/wiki/Password_strength). Password strength should always be shown when manually changing your password and there should be an admin option to require strong passwords.

        If someone could sneak into the site via a member's weak password, they would have access to the Member Directory and all information at the "Anyone" or "Members" level. I would suggest limiting information at either of those levels by default; users can manually change their profile to allow more information to be seen in the directory.
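The checks asked for in the original post (reject a weak password, show a strength meter) and in the sabojo and egerter comments (a minimum length, a check against commonly known weak passwords), as one added example that is not code from Wild Apricot or from the script link in the original post. The policy values, the short denylist and the sample passwords are constructed for illustration; a real deployment would load a much larger denylist.

```javascript
// Added example (not Wild Apricot code): password policy check plus a simple
// strength meter. Policy values, denylist and samples are constructed.

// Constructed denylist of commonly known weak passwords.
const COMMON_PASSWORDS = new Set([
  "password", "123456", "12345678", "qwerty", "abc123", "letmein",
  "welcome", "monkey", "iloveyou", "admin",
]);

// Hypothetical admin-configurable policy (the "password policy page" idea).
const DEFAULT_POLICY = {
  minLength: 8,        // global minimum length suggested in the thread
  requireClasses: 3,   // of: lowercase, uppercase, digit, symbol
  rejectCommon: true,  // refuse anything on the denylist
};

// Number of distinct character classes present in the password.
function countClasses(pw) {
  return [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(pw)).length;
}

// Denylist check. Trailing digits/symbols are stripped so that predictable
// variants such as "Password1!" are recognised as "password".
function isCommonPassword(pw) {
  const lower = pw.toLowerCase();
  const stripped = lower.replace(/[^a-z]+$/, "");
  return COMMON_PASSWORDS.has(lower) || COMMON_PASSWORDS.has(stripped);
}

// Strength meter: 0 (very weak) to 4 (strong). Length dominates, character
// variety adds a point, and a denylisted password scores 0 whatever its length.
function strengthScore(pw) {
  if (isCommonPassword(pw)) return 0;
  let score = 0;
  if (pw.length >= 8) score++;
  if (pw.length >= 12) score++;
  if (countClasses(pw) >= 3) score++;
  if (pw.length >= 16 && countClasses(pw) >= 3) score++;
  return score;
}

// Policy check to run at every place a new password can be set. Returns
// { ok, reasons } so the form can tell the member what to fix.
function checkPassword(pw, policy = DEFAULT_POLICY) {
  const reasons = [];
  if (pw.length < policy.minLength) {
    reasons.push(`must be at least ${policy.minLength} characters`);
  }
  if (countClasses(pw) < policy.requireClasses) {
    reasons.push(`must use at least ${policy.requireClasses} character types`);
  }
  if (policy.rejectCommon && isCommonPassword(pw)) {
    reasons.push("is a commonly used password");
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample run.
for (const pw of ["abc123", "Password1!", "Tr0ub4dor&3", "Correct-Horse-Battery-9"]) {
  const result = checkPassword(pw);
  console.log(pw, "score", strengthScore(pw),
    result.ok ? "accepted" : "rejected: " + result.reasons.join("; "));
}
```

A meter like `strengthScore` is only feedback for the member; the `checkPassword` policy is what has to run server-side, since anything enforced solely in the browser can be bypassed by submitting the form directly. The denylist catches the case the egerter comment describes (a member typing one of the well-known weak passwords) that a pure length or character-class rule would let through.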


      Wild Apricot Inc. 144 Front Street West Suite 725, Toronto, Ontario, Canada M5J 2L7