Password rules (v2023)

This public forum is for user-to-user discussions of PHPMaker. Note that this is not a support forum.
philmills
User
Posts: 566


Post by philmills »

I just discovered that my project is not applying password rules fully.

In Advanced settings I have the following settings:
Minimum Password strength: 60
Password length: 16
Use password hash: no
Encrypt usernames and passwords: no

My project uses Advanced Security with dynamic user levels.
In User Login Options I have the following settings:
Hashed password: no
Case-sensitive password: yes
Enable password expiry: yes
Password expiry time (days): 180

As far as I can tell:

  • Password expiry is working and passwords seem to be stored in MD5 format.
  • Password length rule is not being applied.
  • Password strength is not being checked - I was able to set a new password as 1234567.

From that I would guess that password rules defined in advanced settings are ignored, while those in Advanced Security > User Login Options are being applied.

Is this normal behaviour?
I find it a little confusing that there are two sets of password settings, and I'm unsure which set takes precedence over the other.

Also I would like to apply username and password encryption, but in my project the username field is also the email address field, so I'm unsure what the domino effect of that might be as I'm using the email field for sending notifications. One option would be to simply duplicate the email address field to a new username field, then allow users to set their own usernames later. Anyway, some clarity on possible problems with my current structure would be helpful.

v2023


mobhar
User
Posts: 11760

Post by mobhar »

It seems you missed this option from Fields setup -> Edit Tag pane: Check password strength for the Password field.

In order to check the password strength that suits your setting from Advanced Settings, you need to enable it, and then re-generate ALL the script files again.


philmills
User
Posts: 566

Post by philmills »

Thanks :)
I had this setting turned on, but at some point accidentally turned it off.


philmills
User
Posts: 566

Post by philmills »

philmills wrote:

Also I would like to apply username and password encryption, but in my project the username field is also the email address field, so I'm unsure what the domino effect of that might be as I'm using the email field for sending notifications. One option would be to simply duplicate the email address field to a new username field, then allow users to set their own usernames later. Anyway, some clarity on possible problems with my current structure would be helpful.

Is anyone able to answer this question?
If I turn on Advanced Settings > Encrypt user names and passwords, what might the possible negative impacts be, bearing in mind the username is also the email address in my project?


arbei
User
Posts: 9427

Post by arbei »

No, you cannot encrypt the username field.


philmills
User
Posts: 566

Post by philmills »

ok thanks!

