CMS Made Simple Forums

Hi,

I'd like to force front end users to have a special character, a number, and a capital letter, when they change their password.
(I mean, there: {FrontEndUsers form="changesettings"} )

What would you suggest?
- having some javascript check? Could be bypassed (should be ok though), but also js could be disabled on the client. (And first quick tests has my js code not being loaded)
- modifying the FEU module?
- other?

thanks, I'm a bit clueless on this one...!

I would use JS and feel it was very reliable for my target audience. I think right now, there are less than .25% of users that either use a browser that doesn't accept JS or have it disabled. Mostly bots.

I think it would be safe to use JS that sets up an input mask for your password field, and upon submit checks if a special char is used.

If for some reason, someone slips by that JS, maybe you can then do a PHP regex on their password when their profile page is viewed. For example, in the FEU user profile template, use some regex to check for a special char. If there is not one, display a message strongly urging them to fix their password.

Or additionally have a look at the Events Manager. FEU has some events on change of user. Maybe you can create the server-side check in a UDT. If password fails, disable account or notifyu admin or ...

Hey, I think a post has been lost, I repost

Thanks a lot for the answers

client side: javascript works ok.

server side: it's not an option to have a not secure password set, at any time. And also I don't think I can regex it once it's saved, since it's crypted.

There's the option of modifying the feu module api, when the user set his password.
Any other (and better :-) ideas?

Thanks!

You might consider sponsoring this feature in the module. Ask the module developer (Calguy1000/Robert) what it would cost to implement.

I think adding a regex check would not be an awful lot of work and others could profit too in the future.

velden wrote:You might consider sponsoring this feature in the module. Ask the module developer (Calguy1000/Robert) what it would cost to implement.

Agree 100%.

f34nc015 wrote:There's the option of modifying the feu module api, when the user set his password.

Never EVER! Unless you want to lose support from the developer/s...
In any case, if you have knowledge enough to hack the module API, you should be able to use the recommended way: an UDT linked to the OnUpdateUser event. This way there are no hacks involved.


Again, I agree with velden 100%!

velden wrote:You might consider sponsoring this feature in the module. Ask the module developer (Calguy1000/Robert) what it would cost to implement.

I asked, let's see what happens

Jo Morg wrote:an UDT linked to the OnUpdateUser event. This way there are no hacks involved.

Hum, but... Once I'm in this udt, there's no way to gain access to the uncrypted password of this user (hopefully?)
Or is there a way..?

Thanks

If the user object indeed is saved before the Event/UDT is called and as you do not get a handle to the original input (the plain password) I don't think it's possible to react properly.

By the way, the password is hashed (and salted) not encrypted. An encrypted password would be decryptable.

Thanks for the double clarification

First, thanks all of you for the precious help.

Second, my boss said: yes, ask Calguy1000.

Best,
f