I just discovered that my project is not applying password rules fully.
In Advanced settings I have the following settings:
Minimum Password strength: 60
Password length: 16
Use password hash: no
Encrypt usernames and passwords: no
My project uses Advanced Security with dynamic user levels.
In User Login Options I have the following settings:
Hashed password: no
Case-sensitive password: yes
Enable password expiry: yes
Password expiry time (days): 180
As far as I can tell:
- Password expiry is working and passwords seem to be stored in MD5 format.
- Password length rule is not being applied.
- Password strength is not being checked - I was able to set a new password as 1234567.
From that I would guess that password rules defined in advanced settings are ignored, while those in Advanced Security > User Login Options are being applied.
Is this normal behaviour?
I find it a little confusing that there are two sets of password settings, and I'm unsure which set takes precedence over the other.
Also I would like to apply username and password encryption, but in my project the username field is also the email address field, so I'm unsure what the domino effect of that might be as I'm using the email field for sending notifications. One option would be to simply duplicate the email address field to a new username field, then allow users to set their own usernames later. Anyway, some clarity on possible problems with my current structure would be helpful.
v2023