Is there a way to make the password requirements more simple? It requires like 15 digits? That's too many! Like 6 should be enough imho for my site.
15 is for admins, 10 is the default for regular users. Both are configurable in the Admin > Settings area, search for password
Whoops, found it under Admin > Settings > Users. Should I delete this question? Sorry, I had searched but didn't see it.
If your site will be connected to the internet, then 6 characters is almost certainly not enough. If it requires registration, so crackers do not know usernames, that could reduce the need for complexity, but it's still not a good idea.
See, for example
https://blog.codinghorror.com/your-password-is-too-damn-short/
Curses! I'll put the default back. But doesn't Gmail even allow "aaaaaaaa"?
Gmail Password Requirements
If you want easy login and sign in, set up social logins, users can authenticate with Facebook, Google, Twitter, etc.
No password is better than a bad password
Well, if you couldn't find it among all the settings, someone else won't either.
Also, the discussion about password complexity is likely important for others as well.
It's good to have questions asked and answered here on meta.
Marking the best answer as the Solution would also be helpful.
There is also a "common password" setting.
For example, on my localhost development Discourse I have that disabled so I can use "password" as a password and not need to remember a mess of different passwords for the test accounts.
But IMHO on a real live site it would be a poor idea to allow "password", "admin", "aaaaaaaa" etc.
If you look in /lib/10-char-common-passwords.txt there is a list of 2344 such passwords.
Despite all of the evidence presented that passwords need to be long, I'm still often annoyed by the 10 character limit (especially on mobile, where typing 10 characters into a password box is a bit of a chore).
SSO seems like a good option; I wonder if the "Sign in via email" pattern that Slack uses might be useful as well?
- Click "send me an email to sign in"
- I get an email with an expiring (5 minutes?) link in it
- If I click on that link, it logs me in and takes me to the front page.
You are not me. I don't go all xkcd with the horse and the staple and whatever, but I do find multi-word passphrases work very well for me. Often they are word game things for me, rather than common phrases, related to the site or something at hand when creating it. For a cooking website, I might think of Joy of Cooking and use "boy.of.Looking". It annoys me when there are requirements other than length, because that can interfere with my method.
Yes, but this is already possible with âforgot passwordâ.
I feel this pain sometimes, even with a password manager (which 99% of users do not have)
I would like to get around to adding a â1 time login tokenâ for mobile.
- Click button
- We send email with 1 time login token
- User is logged on, on mobile
LOL, just realised you posted the same thing @gdpelican so yeah … I want this at some point
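The "1 time login token" flow proposed in the two posts above (send an expiring link by email, burn the token on first use), as an added illustration that is not Discourse's own implementation. The EmailLoginTokens class and its in-memory store are assumptions made for the example; a real site would persist the digest and expiry in its database.

```ruby
require 'securerandom'
require 'digest'

# Added example, not Discourse's code: single-use, time-limited email login
# tokens. Only a SHA-256 digest of the token is stored, so a leaked table of
# pending tokens cannot be replayed as logins; the raw token exists only in
# the emailed link.
class EmailLoginTokens
  TTL_SECONDS = 5 * 60 # the "expiring (5 minutes?) link" from the thread

  # clock is injectable so expiry can be tested without sleeping
  def initialize(clock: -> { Time.now })
    @clock = clock
    @store = {} # token digest => { email:, expires_at: }
  end

  # Returns the raw token to embed in the emailed link. It comes from
  # SecureRandom so it cannot be guessed or derived from a timestamp.
  def issue(email)
    token = SecureRandom.urlsafe_base64(32)
    @store[digest(token)] = { email: email, expires_at: @clock.call + TTL_SECONDS }
    token
  end

  # Returns the email address for a valid token and burns it in the same
  # step, so a second click on the link fails. Returns nil for an unknown,
  # already used, or expired token (expired entries are dropped as well).
  def redeem(token)
    entry = @store.delete(digest(token))
    return nil if entry.nil?
    return nil if entry[:expires_at] <= @clock.call
    entry[:email]
  end

  private

  # Looking up by digest rather than by the raw secret also avoids
  # comparing the secret itself against stored values.
  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```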
not really, it burns your password, so that sucks.
Not really, just press a bunch of keys on your keyboard to "generate" a new one.
I do this on a few sites…
You get a new auth token though, so all the other places you are logged into are now logged out
Plus, you need to synchronize the password manager again.
True, we have "safe" login mode set by default, so that would invalidate all logins across all sites.
My password manager is my browser, so it auto-syncs with no effort from me.
Ok, this is now shipping cc @gdpelican
I don't see it triggering here on meta though, is it incompatible with social logins or something?
We did not have enable_local_logins_via_email enabled, I just turned it on here. Feature is off by default.
Note, mobile is still only partially solved because it does not work with the app yet, but @joffreyjaffeux and me have a plan here.