Password generator not following minimum password length or strength

Discussion in 'ISPConfig 3 Priority Support' started by felan, May 8, 2014.

  1. felan

    felan Member HowtoForge Supporter

    ISPConfig 3.0.5.4p1, Debian Squeeze (6.0.9)

    I have set our password strength to strong and password length to 8, but the password generator for DB, FTP and other still suggests passwords under strength and below 8 characters. Is this a bug in ISPConfig and/or something I can fix myself?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Click on reload in your browser to reload the ispconfig interface. the password generator is a javascript program, your browser has cached the old strength settings.
     
  3. felan

    felan Member HowtoForge Supporter

    Hi and thanks for the fast reply.

    Yes the password length is now up where it should be, but password strength is still not where it should be, suggesting 'Good' when I specified 'Strong'.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, your right. sometimes there is a password with just good strength. I've added this to the bugtracker.
     
  5. wokka

    wokka New Member HowtoForge Supporter

    I've run across this issue as well. Is there a way to modify what the password generator will generate? Can we specify that it should include at least 2 special characters as well?

    Thanks!
     
  6. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    It will be improved in 3.0.5.4 patch2 (already in git stable).
     
  7. bundfeg

    bundfeg New Member HowtoForge Supporter

    Hi, I'm using 3.0.5.4p5 and just tested the password-recovery.
    The minimum password length is set to 12 and the strenght to very strong. But the password in the reset-e-mail is just 8 letters. Can you reproduce that?
    Is there a quick way to fix this?
     
  8. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Thanks for the report. There is no quick fix yet, but we'll try to create a patch during the next days.
     
  9. bundfeg

    bundfeg New Member HowtoForge Supporter

    We had a nice idea as workaround. We concat three of these 8-letter passwords, send these by mail, and so it's very likely that the customer will change the password afterwards. And then he gets the right strength and lenght.
    Since it's also not perfect to send passwords by mail, it's a nice way of "forcing" the customer to change the password by himself.
     
  10. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    You can try the attached patch, but please make a backup of the interface/lib/classes/auth.inc.php and interface/web/login/password_reset.php before applying it.
    You can apply by:
    Code:
    cd /usr/local/ispconfig
    patch -p0 < /path/to/downloaded_patch/lostpw_patch.txt
    Use at your own risk, as it is an unreleased patch.
     

    Attached Files:

    till likes this.
  11. bundfeg

    bundfeg New Member HowtoForge Supporter

Share This Page