Feature #14711: Issue a warning when a BE user has a weak password (e.g. the same as the username) - TYPO3 Core - TYPO3 Forge

Custom queries

Accessibility
Easy tasks
Forge Triage
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
My open issues
No feedback within 90 days
Open Bugs
Open issues of 10
Recently modified
Regressions
Stabilization Issues
Usability or UX

Watchers (2)

Michael Stucki
Rupert Germann

Actions

Copy link

Feature #14711

closed

Issue a warning when a BE user has a weak password (e.g. the same as the username)

Added by Martin Kutschker over 19 years ago. Updated almost 10 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

Target version:

Start date:

2005-04-29

Due date:

% Done:

Estimated time:

PHP Version:

4.3

Tags:

Complexity:

Sprint Focus:

Description

Annoy user with a warning so that she changes it to something different than the login.

Make it big and red like the warnings for install pwd, syskey and admin password.

(issue imported from #M1047)

Files

2005-05-03_bugfix_1047.patch (1.86 KB) 2005-05-03_bugfix_1047.patch

Administrator Admin, 2005-05-03 17:28

Related issues 2 (0 open — 2 closed)

Related to TYPO3 Core - Feature #14682: [FR] mysql access using "root" w/o password warning?

Closed

Michael Stucki

2005-04-18

Actions

Is duplicate of TYPO3 Core - Feature #21659: Introduce Password Policies

Closed

2009-11-24

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Sebastian Kurfuerst over 19 years ago

It would make sense to introduce some other checks as well, an integration with cracklib could be done, too. I think the core should provide maybe just checking if user/pass are identical, and everything else should be provided by an extension - so a hook might be needed there, if we can't use process_datamap-hooks.

Actions

Copy link

Updated by Martin Kutschker over 19 years ago

The password check can be done at login time as you simply throw the login into the password-hashing function. If it's identical to the current password hash, then login and password are identical.

Using cracklib, etc makes only sense at the time you set the password. This is alos fine, but covers something different. This is about a warning that works like mentioned security warnings, ie at logon time.

If you want password checking at password change time please file a new bug.

Actions

Copy link

Updated by Sebastian Kurfuerst over 19 years ago

The attached patch implements the wanted behavior. Please test if it works.
What do others think, should this become part of the core?

Actions

Copy link

Updated by Ingo Renner over 19 years ago

should this become part of the core?

yes please!

Actions

Copy link

Updated by Michael Scharkow over 19 years ago

Although the issue is clear and the fix not so difficult, I'm not sure I agree to the general policy of issuing warnings for trivial passwords. What about warnings if the password is qwertz or 12345, etc.? Is it really our issue to educate users about choosing the right password?
I'd clearly vote for a hook-only solution...

Actions

Copy link

Updated by Ingo Renner over 19 years ago

a hook could be an additional nice to have feature, but I think we should at least urge the users to change their password to something different then the default or the password == username case

Actions

Copy link

Updated by Karsten Dambekalns over 19 years ago

Adding more and more checks should be avoided. If we have too many wanrings, people tend to ignore them. And having weak passwords is something that probably should be "educated away" from the users in a different way.

The existing checks deal with default passwords that are shipped with TYPO3, any self-chosen, weak password isn't. So this is not our business, strictly spoken.

For those cases a hook to integrate e.g. cracklib is better.

Actions

Copy link