What are password requirements / restrictions on Wilders forum?

Discussion in 'Forum Related Discussions' started by phkhgh, Dec 21, 2019.

  1. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    182
    I searched for posts or stickies on this. When I go to "change PW" page, there's no info on min / max length, if all special chars are allowed.
    If only certain sp. chars, which ones?

    I know some sp. chars are allowed, from my current one. But that was a long time ago.
    Thanks.
     
  2. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    41,780
    Location:
    U.S.A.
    phkhgh, Wilders is using XenForo's version 1.5 software, and the below XenForo link explains their password policy in regards to our version:

    https://xenforo.com/community/threa...um-password-requirements.131363/#post-1161236
    Wilders might upgrade to XenForo's version 2.0 sometime in the future. As far as we can tell, XenForo's only change, regarding passwords in their newest version, is the addition of a Password Strength Meter. Because we do need to test all aspects of the new version before deployment, there's no decision as to when that will happen.

    Hope this answers your questions.
    JR
     
  3. phkhgh

    phkhgh Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    182
    Thanks JRViejo. I read most of the thread you linked & searched for other PW related docs or posts. Didn't find much, but as you said, doesn't seem to be any documented restrictions.
    But it looked like sites using their software can set min / max length, excluded words or ? characters - in what they showed as a blacklist entry.

    I'd suggest doing like lots of sites - either have tooltips or text appear on the registration and PW reset page, giving their requirements.
    Or at least show dialog, "All upper / lower standard keyboard alpha; digits 0 - 9; all keyboard special characters." Some sites or apps allow ascii chars, which really increases the number of possibilities.

    I'm sure it might reject a 100+ character pw. I just reset mine & allowed the generator to use any sp. char. on standard keyboard. Logged back in OK.
    Of course, it didn't use all sp. chars in one PW, so something could throw it for a loop.

    For reasons unknown, support at sites couldn't explain - banks, computer forums, etc., - why they only allowed certain sp. chars or none at all.
    Can't imagine a 3rd party login app limiting sp. chars to 2 or 4 out of about 32, but lot of sites do just that.
     
  4. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    41,780
    Location:
    U.S.A.
    phkhgh, you're welcome! For now, even if a member uses a 3 character password login, the XenForo software adds an individual salted bcrypt hash to it to protect against brute-force attacks. This is a sample user password hash: $2a$10$njmtGDvN4bi9OkGAJWJgveETYFiJc1XrI/oBUe2fIXFRzk2CbziQS. No one is going to get a password out of that. We'll take your suggestion into consideration if Wilders forum software moves to version 2.0. Take care.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.