Is there a way to make the password requirements more simple?

Is there a way to make the password requirements simpler? It requires like 15 digits? That's too many! Like 6 should be enough, IMHO, for my site.

1 Like

15 is for admins, 10 is the default for regular users. Both are configurable in the Admin > Settings area; search for "password".

9 Likes

Whoops, found it under Admin > Settings > Users. Should I delete this question? Sorry, I had searched but didn't see it.

If your site will be connected to the internet, then 6 characters is almost certainly not enough. If it requires registration, so crackers do not know usernames, that could reduce the need for complexity, but it's still not a good idea.

See, for example

https://blog.codinghorror.com/your-password-is-too-damn-short/

2 Likes

Curses! I'll put the default back. But doesn't Gmail even allow "aaaaaaaa"?
Gmail Password Requirements

1 Like

If you want easy login and sign in, set up social logins, users can authenticate with Facebook, Google, Twitter, etc.

No password is better than a bad password :smile:

6 Likes

Well, if you couldn’t find it among all the settings, someone else won’t either.

Also, the discussion about password complexity is likely important for others as well.

5 Likes

It’s good to have questions asked and answered here on meta.

Marking the best answer as the Solution would also be helpful.

3 Likes

There is also a “common password” Setting.

For example, on my localhost development Discourse I have that disabled so I can use “password” as a password and not need to remember a mess of different passwords for the test accounts.

But IMHO on a real live site it would be a poor idea to allow “password”, “admin”, “aaaaaaaa” etc.

If you look in /lib/10-char-common-passwords.txt there is a list of 2344 such passwords.

1 Like
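The two knobs discussed in this thread, a per-role minimum length (10 for users, 15 for admins) and a common-password blocklist that can be switched off on a dev box, as an added Ruby example. This is not Discourse's own validator; the setting names, the `SiteSettings` struct and the tiny `COMMON_PASSWORDS` list are constructed stand-ins for illustration (the real list in `/lib/10-char-common-passwords.txt` has 2344 entries). The repeated-character check is an extra guard added here so that "aaaaaaaaaa" does not pass on length alone.

```ruby
require "set"

# Constructed stand-in for the common-password list; NOT the real file.
COMMON_PASSWORDS = Set.new(%w[
  password password1 1234567890 qwertyuiop iloveyou123 administrator
]).freeze

# Hypothetical site settings mirroring the thread's defaults: 10 characters
# for regular users, 15 for admins, plus a toggle for the common-password check.
SiteSettings = Struct.new(:min_password_length, :min_admin_password_length,
                          :block_common_passwords, keyword_init: true)

DEFAULT_SETTINGS = SiteSettings.new(
  min_password_length: 10,
  min_admin_password_length: 15,
  block_common_passwords: true
).freeze

# Returns the list of validation errors; an empty list means the password is acceptable.
def password_errors(password, admin: false, settings: DEFAULT_SETTINGS)
  errors = []
  min = admin ? settings.min_admin_password_length : settings.min_password_length
  errors << "must be at least #{min} characters" if password.length < min

  # The blocklist check is independent of length: "1234567890" is 10 characters
  # and still gets rejected when the toggle is on.
  if settings.block_common_passwords && COMMON_PASSWORDS.include?(password.downcase)
    errors << "is too common"
  end

  # Added guard: a single repeated character passes the length test but has
  # almost no entropy, so reject it explicitly.
  errors << "must use more than one distinct character" if password.chars.uniq.length < 2
  errors
end

def password_ok?(password, **options)
  password_errors(password, **options).empty?
end

# Local-development settings of the kind described above: short minimum,
# blocklist off, so "password" works for throwaway test accounts.
DEV_SETTINGS = SiteSettings.new(
  min_password_length: 6,
  min_admin_password_length: 6,
  block_common_passwords: false
).freeze
```

With the defaults, "boy.of.Looking" (14 characters) passes for a regular user but fails the 15-character admin minimum, while "1234567890" fails only on the blocklist; under `DEV_SETTINGS` the same call accepts "password".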

Despite all of the evidence presented that passwords need to be long, I'm still often annoyed by the 10-character limit (especially on mobile, where typing 10 characters into a password box is a bit of a chore).

SSO seems like a good option; I wonder if the ‘Sign in via email’ pattern that slack uses might be useful as well?

  • Click ‘send me an email to sign in’
  • I get an email with an expiring (5 minutes?) link in it
  • If I click on that link, it logs me in and takes me to the front page.
5 Likes

You are not me. I don't go all xkcd with the horse and the staple and whatever, but I do find multi-word passphrases work very well for me. Often they are word-game things for me, rather than common phrases, related to the site or something at hand when creating it. For a cooking website, I might think of Joy of Cooking and use "boy.of.Looking". It annoys me when there are requirements other than length, because that can interfere with my method.

1 Like

Yes, but this is already possible with “forgot password”.

I feel this pain sometimes, even with a password manager (which 99% of users do not have)

I would like to get around to adding a “1 time login token” for mobile.

  • Click button
  • We send email with 1 time login token
  • User is logged on, on mobile

LOL, just realised you posted the same thing, @gdpelican, so yeah … I want this at some point :slight_smile:

6 Likes
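The "send me an email to sign in" flow that both of the posts above sketch (click a button, receive an expiring link, click it and be logged in), as an added Ruby example; it is not Discourse's implementation, and the class, method and field names are hypothetical. It shows the properties a practitioner would want from such a token: high entropy, stored only as a digest, five-minute expiry, strictly single use. Unlike the "forgot password" workaround discussed above, redeeming a token here neither changes the password nor touches any other session. The injectable clock exists so the expiry path can be exercised without waiting.

```ruby
require "securerandom"
require "digest"

# Added example, not Discourse code: an in-memory store of one-time email login tokens.
class EmailLoginTokens
  TOKEN_TTL = 5 * 60 # seconds; the "expiring (5 minutes?)" link from the thread

  Record = Struct.new(:user_id, :expires_at, :used, keyword_init: true)

  def initialize(clock: -> { Time.now })
    @clock = clock
    @records = {} # sha256(token) => Record; the raw token is never kept server-side
  end

  # Mints a token for the user and returns the raw value that goes into the
  # emailed link. Only its digest is stored, so a leaked table yields no usable links.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32) # 256 bits of entropy
    @records[digest(token)] = Record.new(
      user_id: user_id,
      expires_at: @clock.call + TOKEN_TTL,
      used: false
    )
    token
  end

  # Redeems a token from a clicked link. Returns the user id on success, nil if
  # the token is unknown, expired or already used; the caller cannot tell which.
  def redeem(token)
    key = digest(token.to_s)
    record = @records[key]
    return nil if record.nil? || record.used

    if @clock.call > record.expires_at
      @records.delete(key) # expired: drop it so it can never be replayed
      return nil
    end

    record.used = true # burn the token; a second click of the same link fails
    record.user_id
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

In a real deployment the store would be a database table keyed by the digest, the link would carry the raw token in its query string, and the redeem step would then create the ordinary session cookie for the user; the surrounding session and auth-token handling stays exactly as it is for a password login.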

Not really, it burns your password, so that sucks.

1 Like

Not really, just press a bunch of keys on your keyboard to “generate” a new one. :wink:

I do this on a few sites…

You get a new auth token though, so all the other places you are logged into are now logged out :frowning:

Plus, you need to synchronize the password manager again.

1 Like

True, we have “safe” login mode set by default, so that would invalidate all logins across all sites.

My password manager is my browser, so it auto-syncs with no effort from me.

OK, this is now shipping, cc @gdpelican


I don’t see it triggering here on meta though, is it incompatible with social logins or something?

2 Likes

We did not have enable_local_logins_via_email enabled, I just turned it on here. Feature is off by default.

Note, mobile is still only partially solved because it does not work with the app yet, but @joffreyjaffeux and I have a plan here.

7 Likes