I searched for posts or stickies on this. When I go to "change PW" page, there's no info on min / max length, if all special chars are allowed. If only certain sp. chars, which ones? I know some sp. chars are allowed, from my current one. But that was a long time ago. Thanks.
phkhgh, Wilders is using XenForo's version 1.5 software, and the below XenForo link explains their password policy in regards to our version: https://xenforo.com/community/threa...um-password-requirements.131363/#post-1161236 Wilders might upgrade to XenForo's version 2.0 sometime in the future. As far as we can tell, XenForo's only change, regarding passwords in their newest version, is the addition of a Password Strength Meter. Because we do need to test all aspects of the new version before deployment, there's no decision as to when that will happen. Hope this answers your questions. JR
Thanks JRViejo. I read most of the thread you linked & searched for other PW related docs or posts. Didn't find much, but as you said, there don't seem to be any documented restrictions. But it looked like sites using their software can set min / max length, excluded words or ? characters - in what they showed as a blacklist entry. I'd suggest doing like lots of sites - either have tooltips or text appear on the registration and PW reset page, giving their requirements. Or at least show a dialog, "All upper / lower standard keyboard alpha; digits 0 - 9; all keyboard special characters." Some sites or apps allow ASCII chars, which really increases the number of possibilities. I'm sure it might reject a 100+ character PW. I just reset mine & allowed the generator to use any sp. char. on a standard keyboard. Logged back in OK. Of course, it didn't use all sp. chars in one PW, so something could throw it for a loop. For reasons unknown, support at sites couldn't explain - banks, computer forums, etc. - why they only allowed certain sp. chars or none at all. Can't imagine a 3rd party login app limiting sp. chars to 2 or 4 out of about 32, but a lot of sites do just that.
phkhgh, you're welcome! For now, even if a member uses a 3 character password login, the XenForo software adds an individual salted bcrypt hash to it to protect against brute-force attacks. This is a sample user password hash: $2a$10$njmtGDvN4bi9OkGAJWJgveETYFiJc1XrI/oBUe2fIXFRzk2CbziQS. No one is going to get a password out of that. We'll take your suggestion into consideration if Wilders forum software moves to version 2.0. Take care.
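Added example, not part of any post in this thread and not XenForo code: a standard-library Python sketch that splits the sample hash quoted above into its bcrypt fields and checks a candidate password against the one length limit bcrypt itself imposes. The function names and the `min_length` default are hypothetical; the 72-byte figure is a general bcrypt property (implementations ignore or reject input past it), not a documented XenForo setting.

```python
import base64
import re

# bcrypt's base64 alphabet and the standard alphabet it maps onto.
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
TO_STD = str.maketrans(BCRYPT_B64, STD_B64)

# Layout: $<version>$<two-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")

BCRYPT_MAX_INPUT = 72  # bcrypt keys on at most 72 bytes of the password

# Sample hash exactly as quoted in the post above.
SAMPLE = "$2a$10$njmtGDvN4bi9OkGAJWJgveETYFiJc1XrI/oBUe2fIXFRzk2CbziQS"


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields; raise ValueError if malformed."""
    m = BCRYPT_RE.fullmatch(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt_b64, digest_b64 = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    # 22 characters carry 132 bits; the salt is the first 128 (16 bytes).
    salt = base64.b64decode(salt_b64.translate(TO_STD) + "==")
    return {"version": version, "cost": cost, "rounds": 2 ** cost,
            "salt": salt, "digest_b64": digest_b64}


def check_password(password, min_length=12):
    """Return a list of problems; min_length is an assumed site setting."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    # The hash sees bytes, so any character is usable; only byte length matters.
    if len(password.encode("utf-8")) > BCRYPT_MAX_INPUT:
        problems.append("bytes past %d are not used by bcrypt" % BCRYPT_MAX_INPUT)
    return problems


if __name__ == "__main__":
    info = parse_bcrypt(SAMPLE)
    print(info["version"], info["cost"], info["rounds"], info["salt"].hex())
    for pw in ("abc", "x" * 100, "Tr!cky #pass~word^2"):  # constructed inputs
        print(repr(pw[:20]), check_password(pw))
```

The cost field `10` means 2^10 = 1024 key-expansion rounds per guess, and the 16-byte salt is unique per user; neither field depends on which special characters the password contains.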