user.password.minimum

Permalink 1 user found helpful
Hello,
so with Concrete5 version 8.x where can I make changes to the "user.password.minimum" to enforce longer passwords?
Are there other password policies that can be configured now? for example upper case, lower case, numbers, special characters ?

I guess it has to go somewhere in the Application directory so it doesn't get overwritten with the next update...

Thank you for your help!

 
core77 replied on at Permalink Reply
Copy this into /application/bootstrap/app.php

In line 9 (in the gist) you can change/add the rules.
colacat replied on at Permalink Reply
Thank you for your quick response!
I think the "copy this" code didn't come with the message ?...

I understand I have to override a class to make it work.
core77 replied on at Permalink Best Answer Reply
Sorry :-)

Here is the stuff you need:
https://gist.github.com/hissy/9cd16ec05b0c988a915167df6bd11ded...

In my installation I require small characters, big characters, a number and a special character:
['/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*\W).+$/']
colacat replied on at Permalink Reply
Awesome!
Definitely something I can work with now :)

Thank you.

One more thing though, where do I set the "password.minimal" again?
Company policy requires 15 characters, Concrete5's default is 4 characters.
colacat replied on at Permalink Reply
Never mind. I figured it out.
I can simply add it to the RegEx

['/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*\W).{15,}+$/']

Thank you again !!
mnakalay replied on at Permalink Reply
mnakalay
I am not sure how reliable it is to do it this way so if you want to do it directly in C5 config, open the file application\config\generated_overrides\concrete.php

If it doesn't exist, create it.

If it already exists, you will see inside it just return a multidimensional array.

Because C5 stores that minimum password length value in concrete.user.password.minimum it means in the file concrete.php and in 3 level arrays with keys user, password, and minimum

So you have this
<?php
return [
    'user' => [
        'password' => [
            'minimum' => 15,
        ],
    ],
];

Of course you might already find values there so for instance you might have
'version_installed' => '8.2.1',
    'version_db_installed' => '20170802000000',
    'misc' => [
        'login_redirect' => 'DESKTOP',
        'access_entity_updated' => 1520001107,
        'do_page_reindex_check' => false,
        'basic_thumbnailer_generation_strategy' => 'now',
        'latest_version' => '8.3.2',
    ],
    'debug' => [
        'detail' => 'debug',
        'display_errors' => true,
    ],
    'cache' => [
        'blocks' => true,


Sorry I often explain too much when I'm not sure of the code-understanding level of someone so please forgive the extra explanation if not needed.

Also, if you often have to play with settings like that I strongly suggest you buy the plugin HandyMan which allows you to do all that easily from your dashboard. You might even discover settings you had no idea existed :)

http://www.concrete5.org/marketplace/addons/handyman...
core77 replied on at Permalink Reply
Since /application/config/concrete.php is a generated file, I wouldn't touch it.
See the comment "DO NOT EDIT THIS FILE DIRECTLY".
ConcreteOwl replied on at Permalink Reply
ConcreteOwl
In that case create a concrete.php file in application/config and put your code in that file..
mnakalay replied on at Permalink Reply
mnakalay
@core77 I know it says that but that warning is only there to prevent users who don't know what they're doing to change manually something that was set through code.

The password minimum length, however, is not set anywhere through code and the value won't be deleted by C5 as it doesn't delete those concrete config values unless done through code which is not the case.

Having said so, @weyboat's suggestion should work.