Is there a way to make the password requirements more simple?


(Donald Swofford) #1

Is there a way to make the password requirements more simple? It requires like 15 digits? That's too many! Like 6 should be enough IMHO for my site.


(cpradio) #2

15 is for admins, 10 is the default for regular users. Both are configurable in the Admin > Settings area; search for "password".


(Donald Swofford) #3

Whoops, found it under Admin > Settings > Users. Should I delete this question? Sorry, I had searched but didn't see it.


(Jay Pfaffman) #4

If your site will be connected to the internet, then 6 characters is almost certainly not enough. If it requires registration, so crackers do not know usernames, that could reduce the need for complexity, but it's still not a good idea.

See, for example:

https://blog.codinghorror.com/your-password-is-too-damn-short/


(Donald Swofford) #5

Curses! I'll put the default back. But doesn't Gmail even allow "aaaaaaaa"?


(Rafael dos Santos Silva) #6

If you want easy login and sign-in, set up social logins; users can authenticate with Facebook, Google, Twitter, etc.

No password is better than a bad password :smile:


(Jay Pfaffman) #7

Well, if you couldn’t find it among all the settings, someone else won’t either.

Also, the discussion about password complexity is likely important for others as well.


(Allen - Watchman Monitoring) #8

It’s good to have questions asked and answered here on meta.

Marking the best answer as the Solution would also be helpful.


(Mittineague) #9

There is also a "common password" setting.

For example, on my localhost development Discourse I have that disabled so I can use “password” as a password and not need to remember a mess of different passwords for the test accounts.

But IMHO on a real live site it would be a poor idea to allow “password”, “admin”, “aaaaaaaa” etc.

If you look in /lib/10-char-common-passwords.txt there is a list of 2344 such passwords.


(James Kiesel) #10

Despite all of the evidence presented that passwords need to be long, I’m still often annoyed by the 10 character limit (especially on mobile, where typing 10 characters into a password box is a bit of a chore).

SSO seems like a good option; I wonder if the "Sign in via email" pattern that Slack uses might be useful as well?

  • Click ‘send me an email to sign in’
  • I get an email with an expiring (5 minutes?) link in it
  • If I click on that link, it logs me in and takes me to the front page.

(Eli the Bearded) #11

You are not me. I don't go all xkcd with the horse and the staple and whatever, but I do find multi-word passphrases work very well for me. Often they are word game things for me, rather than common phrases, related to the site or something at hand when creating it. For a cooking website, I might think of Joy of Cooking and use "boy.of.Looking". It annoys me when there are requirements other than length, because that can interfere with my method.


(Jeff Atwood) #12

Yes, but this is already possible with “forgot password”.


(Sam Saffron) #13

I feel this pain sometimes, even with a password manager (which 99% of users do not have).

I would like to get around to adding a “1 time login token” for mobile.

  • Click button
  • We send email with 1 time login token
  • User is logged on, on mobile

LOL, just realised you posted the same thing, @gdpelican, so yeah ... I want this at some point :slight_smile:
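The email-link flow sketched in #10 and #13 (request a link, receive an expiring one-time token, click to log in), as an added example of how a defender-minded implementation handles the expiry and single-use parts. This is not Discourse's own code: the in-memory store, the 5-minute TTL and the `/session/email-login/` path are assumptions made for illustration. Unlike a "forgot password" reset, redeeming the token leaves the stored password untouched.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 5 * 60  # the "expiring (5 minutes?)" link from the thread

# Constructed in-memory store: sha256(token) -> (email, expires_at).
# A real deployment keeps this in the database. Only the hash is stored,
# so a leaked table does not hand out working login links.
_pending: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_login_token(email: str, now: Optional[float] = None) -> str:
    """Steps 1-2: create an unguessable one-time token and return it for emailing."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def login_link(base_url: str, token: str) -> str:
    """The URL placed in the email (hypothetical path, not Discourse's route)."""
    return f"{base_url}/session/email-login/{token}"


def redeem_login_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Step 3: exchange the token from the clicked link for the account email.

    Returns the email on success, or None if the token is unknown, expired or
    already used. The entry is removed on first lookup, so a second click on
    the same link (or a replayed one) fails even inside the TTL window.
    """
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(token), None)  # single use: consume on lookup
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None  # too late; the token was already discarded above
    return email


if __name__ == "__main__":
    t = issue_login_token("alice@example.com")
    print(login_link("https://forum.example", t))
    print(redeem_login_token(t))  # the email, then None on any further attempt
```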


(Sam Saffron) #14

Not really, it burns your password, so that sucks.


(Jeff Atwood) #15

Not really, just press a bunch of keys on your keyboard to “generate” a new one. :wink:

I do this on a few sites…


(Sam Saffron) #16

You get a new auth token though, so all the other places you are logged into are now logged out :frowning:

Plus, you need to synchronize the password manager again.


(Jeff Atwood) #17

True, we have “safe” login mode set by default, so that would invalidate all logins across all sites.

My password manager is my browser, so it auto-syncs with no effort from me.


(Jeff Atwood) #18

OK, this is now shipping, cc @gdpelican


I don’t see it triggering here on meta though, is it incompatible with social logins or something?


(Sam Saffron) #19

We did not have enable_local_logins_via_email enabled, I just turned it on here. Feature is off by default.

Note, mobile is still only partially solved because it does not work with the app yet, but @joffreyjaffeux and I have a plan here.