
Enforce stronger member passwords

When a password is generated by the application, it seems quite secure. However, when people change their passwords, they usually don't make them as secure as they should be. Is there a way to reject a new password if it isn't secure? Or provide a "meter" that shows just how secure their new password really is so that they can reevaluate their choice? I know of some Javascript coding for this purpose (http://javascript.internet.com/passwords ), but I'm not sure if it's possible to use any of it in a CMS environment like yours.

Thank you for your attention!

"You can't! It's impossible! I'm far too busy, so ask me now before I can become sane." - Edna "E" Mode

18 votes

scottishlass shared this idea


  • Cam commented

    Just wondering if there has been any progression on this?

    There are three issues:
    * Passwords are being sent in cleartext in an email.
    * Generated passwords are not being forced to be changed on first login.
    * Passwords do not have any form of forced complexity other than a 7-character length (I tested with the same character 7 times and it was accepted).

  • Jennifer commented

    1. If Wild Apricot is going to send passwords in emails, members must be forced to change on log in.
    2. Require stronger passwords! Longer or more complex.

    The password situation makes me a bit sick and I think a lot of members decline to share info on the site because the password log in is so weak. Every time I consider the state of passwords on Wild Apricot I consider leaving and finding a more secure solution for managing member data.

  • Trenton Colbert commented

    +1 What's the point of protecting shared data like a directory if one person's password can bring the whole thing out in the open?

  • Maria commented

    I am currently evaluating the product and have been happy with everything I've seen except passwords. I can't seem to find anything about forcing stronger passwords except this thread. Since this is not a feature that is currently available, does anyone have any recommendations about what I can do to force members to create stronger passwords? Tech Support sent me your way.

  • Anonymous commented

    I would like there to be other features related to password security as well. For example, security questions. Right now, from what I understand, if a member forgets their password s/he simply requests a new one. Then they get an emailed link to reset. Well, if someone hacks into their email, they can easily reset their WA password. Please strengthen password security through either security questions or a setting that requires admin resets.

  • brianfilms commented

    My comment/reply is YES, this is needed and important. ASAP!

    Admin can set password policy, system changes places, and too many attempts triggers a system block.

    Also, if possible, restrictions by geographic region could be a huge plus. If I have no members in Russia, it would be great to disable that region.

    You can look at Amazon Web Services as a great example of password policy.

  • Dennis commented

    I'm casting my vote for this feature - and just as Apricot Kernel described it. I would prioritize it as...
    * allow admin enable/disable password strength setting (to a default strength)
    * admin can set password strength (maybe just 5 preset settings, with none being the least)
    * lockout for 10+ failed login attempts

    In all cases, enforce only for new contacts or password changes. Don't affect existing users.

  • Robbi commented

    I agree. The solutions above sound perfect.

    It is fairly standard now to have at least a basic password enforcement protocol. I would expect no less for our membership data.

  • Evgeny Zaritovskiy commented

    Any comments or votes?

    As far as I can see, we are talking about the following:

    1) Site admin has a password policy page where he can define if he wants to control how strong a password should be, how many attempts are allowed before blocking login ability, and where to send e-mail in this case. There is also an option to NOT force any restrictions for passwords (as it works now).

    2) If any restriction policy is defined, the system changes all places where a new password can be set and forces the new password to comply with the site password policy.

    3) If a login block is defined (after a number of tries) and a member has failed this number of times, the system blocks the member from further login attempts and shows him a corresponding message (that he needs to contact the admin), sends an email to the member's address, and copies the site admin.

    Any comments?

  • sabojo commented

    Is there enforcement of minimum password length? I see no indication of this.

    I would expect that a minimum password length be enforced and preferably checked for common bad passwords (e.g. abc123 ). Configurable length would be nice, but a global minimum length of like 8 chars would help.

    Is there an automatic lockout for repeated failed login attempts? I can't tell, but if there is it would ease my mind. If so, after how many?
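The policy the comments above sketch (a minimum length, rejection of a single repeated character as in Cam's test, a denylist of common passwords such as abc123 as sabojo suggests, and a lockout after a set number of failed logins as Dennis and Evgeny propose), written out as an added JavaScript example that is not Wild Apricot's code; the thresholds, the denylist and the function names are assumptions made for the example.

```javascript
// Added example (not Wild Apricot's code): the password policy and login lockout
// the comments above ask for; thresholds and the denylist are constructed values.
const POLICY = {
  minLength: 8,      // global minimum length (sabojo)
  maxAttempts: 10,   // failed logins before the account is blocked (Dennis, Evgeny)
  // Constructed denylist; a real one would be a large list of leaked passwords.
  commonPasswords: new Set(["abc123", "password", "12345678", "qwerty123"]),
};

// Returns the list of policy violations; an empty list means the password is accepted.
function checkPassword(password, policy = POLICY) {
  const problems = [];
  if (password.length < policy.minLength) {
    problems.push(`shorter than ${policy.minLength} characters`);
  }
  // Cam's test: the same character repeated 7 times was accepted.
  if (new Set(password).size === 1) problems.push("single repeated character");
  if (policy.commonPasswords.has(password.toLowerCase())) {
    problems.push("commonly used password");
  }
  // Require at least two of: lowercase, uppercase, digit, other.
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/]
    .filter((re) => re.test(password)).length;
  if (classes < 2) problems.push("uses only one character class");
  return problems;
}

// Per-account failed-login counter; reaching the threshold locks the account
// until an admin resets it (Evgeny's item 3).
const failedAttempts = new Map();
const lockedAccounts = new Set();

function recordLoginAttempt(account, succeeded, policy = POLICY) {
  if (lockedAccounts.has(account)) return "locked";
  if (succeeded) {
    failedAttempts.delete(account);
    return "ok";
  }
  const n = (failedAttempts.get(account) || 0) + 1;
  failedAttempts.set(account, n);
  if (n < policy.maxAttempts) return "failed";
  lockedAccounts.add(account); // here the system would email the member and the admin
  return "locked";
}

function adminUnlock(account) {
  lockedAccounts.delete(account);
  failedAttempts.delete(account);
}
```

A successful login clears the failure counter, so only consecutive failures count toward the lockout; a locked account stays locked until `adminUnlock` is called.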


  • egerter commented

    +1 please!

    I think this is a security risk. If your organization has 50 or more members, there is almost a 100% probability that someone manually set their password to one of the commonly known weak passwords (http://en.wikipedia.org/wiki/Password_strength ). Password strength should always be shown when manually changing your password and there should be an admin option to require strong passwords.

    If someone could sneak into the site via a member's weak password, they would have access to the Member Directory and all information at the "Anyone" or "Members" level. I would suggest limiting information at either of those levels by default; users can manually change their profile to allow more information to be seen in the directory.
