TYPO3 Core

Wouter Wolters wrote:

Hi, if I'm right this is not about the core but about an 3rd party extension. The core does not check the length of the password at all. This is up the extension author to implement. Am I right?

Hi

if you set up the login page (with the username and password to fill out) as a CE with the build-in feuser extension from the TYPO3 CMS there is a checkbox in this settings for "retrieve lost password" for the user. If now you fill out the form with your e-mail address you get a mail with the link to the loginpage again (that comes from the feuser extension from the core of the TYPO3 CMS) for changing your password. This form has NO settings to force the user to set up a really secure password containing numbers, letters (maybe upper and/or lowercase) and/or special characters.

Hi,
When reset password (Forgot Password link), felogin allows to take password like "12345678". This is very unsafe! It should also be able to adjust to use numbers, letters and/or special characters. I hope, this vulnerability can be fixed as soon as possible!

just to clarify things: there is absolutly no vulnurability in the form. the password itself might be weak but it is still saved hased and if EXT:rsaauth is used, also transferred secure!

feel free to improve your integration by e.g. using https://css-tricks.com/password-strength-meter!

Hi,
A safe data transfer is not making secure a weak password. A system is unsafe, as long as a password like "12345678" is approved by the EXT:felogin.

absolutly true. it would be great to have a password strength check everywhere where a password is set!

Hello

It would be a good starting point to just have a hook that allow integrator to implement any password strength validator [1].
Actually, a hook exists, but just for the password hashing mecanism (used by ext:saltedpasswords).

If the core team are OK, I can push some code to start working on this.

[1] A password strength library by Dropbox: https://github.com/dropbox/zxcvbn

Hi,
A Workaround to make a secure password validation in EXT:felogin. The disadvantage is that it is overwritten with the core update!

ext_localconf.php (2 adjustments)
Line 57: Set newPasswordMinLength to 8 or a higher value (instead of 6)
After line 141 insert this new line for a new message:
changePasswordMissingCharsMessage_stdWrap < .welcomeMessage_stdWrap

Classes/Controller/FrontendLoginController.php (2 adjustments)
Line 308: $minLength = (int)$this->conf['newPasswordMinLength'] ?: 8; (or a higher value, instead of 6)
After line 347 insert this new lines for the the new validation of missing chars:
} elseif (preg_match("#^[a-zA-Z0-9]+$#",$postData['password1'])) {
$markerArray['###STATUS_MESSAGE###'] = sprintf($this->getDisplayText(
'change_password_missingchars_message',
$this->conf['changePasswordMissingCharsMessage_stdWrap.']),
$minLength
);

Ressources/Private/Language/locallang.xlf (1 adjustment)
After line 79 insert this new lines for the the new message:
<trans-unit id="ll_change_password_missingchars_message">
<source>The password is not secure. Please enter your new password twice. Password needs a minimum length of %s chars and at least letters, numbers and special characters.</source>
</trans-unit>

typo3conf/l10n/de/felogin/Ressources/Private/Language/de.locallang.xlf (or path to file of any other languages with the corresponding translation)
After line 41 insert this new lines for the the translation of the new message (e.g. in german file):
<trans-unit id="ll_change_password_missingchars_message" approved="yes">
<source>The password is not secure! Please enter your new password twice. Password needs a minimum length of %s chars and at least letters, numbers and special characters.</source>
<target state="translated">Das Passwort ist nicht sicher! Das neue Passwort bitte zweimal eingeben. Es ist eine Mindestlänge von %s Zeichen erforderlich und es muss aus Buchstaben, Zahlen und Sonderzeichen bestehen.</target>
</trans-unit>