Viewing 15 replies - 1 through 15 (of 18 total)
  • Plugin Author Daniel Convissor

    (@convissor)

    Hi James:

    You’re talking about the randomly generated 12 character password that gets emailed to new users? That’s created by WP core. It’d be pretty hard for attackers to crack that.

    How long do you have your minimum password length set to?

    –Dan

    Thread Starter jamesict

    (@jamesict)

    Hi Dan,

    I am talking about this, which sits under Password Policies – Length

    ‘How long must passwords be? Must be >= 10. Default: 10.’

    I have set it to 15 but only a 7 character password is sent to new users?

    Plugin Author Daniel Convissor

    (@convissor)

    James:

    You have something overriding WordPress’ default behaviors. In WP 3.4.1, the new user generation process in wp-login.php asks wp_generate_password() for a 12 character password.

    wp_generate_password() calls the random_password filter. I’d guess you either have an outdated wp-login.php or you have a plugin with a random_password filter in it.

    –Dan

    Thread Starter jamesict

    (@jamesict)

    Hi Dan,

    Thanks for taking the time to let me know.

    I do not think it is my wp-login file, so it must be a plugin. I just had a quick look through though and none of them seem like they would be related to this issue.

    What do I need to look for exactly in the plugin files themselves?

    Thanks for your help – it is much appreciated.

    Plugin Author Daniel Convissor

    (@convissor)

    James:

    If you’re on a Unix/Linux/BSD type box, do this:
    grep -rE 'wp_generate_password|random_password' .

    If you’re on a Windows box, use your preferred file content searching tool.

    –Dan

    Thread Starter jamesict

    (@jamesict)

    Hi Dan,

    I have done extensive searches across all of my plugins and the example you gave above cannot be found.

    One of my plugins does find the following, but that is all.

    if(!$password){
    			$password = wp_generate_password( 12, true );

    Could there be any other reason for this?

    As it is, the following shows what new users receive via email.

    Username: jkl
    Password: b72fb2e

    Plugin Author Daniel Convissor

    (@convissor)

    James:

    Which plugin is that? And what’s in your wp-login.php?

    Are you manually looking at each file to do this search? You really need to do an automated search to make sure EVERYTHING is checked.

    –Dan

    Thread Starter jamesict

    (@jamesict)

    Hi Dan,

    The plugin is called Your Members and controls access to pages and posts etc.

    The wp-login.php file is the one that came with WP 3.4.1

    I did a search through all files [all my plugins and my theme] so yes, EVERYTHING was checked.

    I cannot think what may be causing it.

    Plugin Author Daniel Convissor

    (@convissor)

    James:

    I’m trying to help you. You’re not answering my questions. So let me be very specific. Please do the following.

    * Log into the web server using SSH.
    * cd into the directory containing your WordPress installation.
    * Call the following command:
    grep -rE 'wp_generate_password|random_password' .
    * Paste the output here.

    –Dan

    Thread Starter jamesict

    (@jamesict)

    Hi Dan,

    Thank you for persisting with me – I am very thankful for your efforts and believe me, I am trying to get this sorted.

    Anyway, it took me some time to work with my host to get Shell enabled and up and running.

    Unfortunately though, I do not have any results to give you.

    This is a copy of my attempts:

    login as: *****
    Authenticating with public key "***"
    Passphrase for key "***":
    Last login: Tue Aug 28 21:45:51 2012 from cpc16-***-2-0-***.3-3.****.******.com
    *****@my-domain [~]# cd /home/***/public_html
    *****@my-domain [~/public_html]# grep -rE 'wp_generate_password|random_password'

    I let it sit like this until the network connection kicked out – which was quite some time, but as you can see, no results appeared.

    Is there anything else I can try?

    Plugin Author Daniel Convissor

    (@convissor)

    Hi James:

    Thanks for the big effort. Having shell access will provide you long term benefits. The grep call hung because you left the period off the end of the command.

    FYI, that part of the grep command tells grep where to search. "." means look in the present directory. If no location is indicated, grep examines standard input, which you didn’t provide either, so grep just waited.

    –Dan
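
An added example, not part of the original posts: the search Dan describes, narrowed so that it reports only code able to change what wp_generate_password() returns (a callback hooked onto the random_password filter, or a redefinition of the pluggable function) and not every call site. The function names and the sample tree are constructed for illustration; the directory argument defaults to "." so grep never waits on standard input.

```shell
#!/bin/sh
# Added example: function names and the sample tree below are constructed.

# List code under DIR that can change what wp_generate_password() returns:
# callbacks hooked onto the random_password filter, and redefinitions of the
# pluggable wp_generate_password() outside wp-includes/pluggable.php.
# Plain calls to wp_generate_password() are not reported.
find_password_overrides() {
    dir="${1:-.}"   # default to "." so grep never waits on standard input
    grep -rnE --include='*.php' \
        -e "add_filter[[:space:]]*\([[:space:]]*['\"]random_password['\"]" \
        -e "function[[:space:]]+wp_generate_password[[:space:]]*\(" \
        "$dir" | grep -v '/wp-includes/pluggable\.php:' || true
}

# Build a small constructed WordPress-like tree to run the search against.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-content/plugins/members" \
             "$root/wp-content/plugins/shortpw"
    printf '%s\n' '<?php' 'function wp_generate_password( $length = 12 ) {}' \
        > "$root/wp-includes/pluggable.php"
    printf '%s\n' '<?php' '$user_pass = wp_generate_password( 12, false );' \
        > "$root/wp-login.php"
    printf '%s\n' '<?php' 'if(!$password){' \
        '    $password = wp_generate_password( 12, true );' '}' \
        > "$root/wp-content/plugins/members/members.php"
    printf '%s\n' '<?php' \
        "add_filter( 'random_password', 'shortpw_trim' );" \
        'function shortpw_trim( $p ) { return substr( $p, 0, 7 ); }' \
        > "$root/wp-content/plugins/shortpw/shortpw.php"
    echo "$root"
}

tree=$(make_sample_tree)
find_password_overrides "$tree"
rm -rf "$tree"
```

On the constructed tree only the add_filter line in shortpw.php is reported; the call sites in wp-login.php and members.php are left out.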

    Thread Starter jamesict

    (@jamesict)

    Hi Dan,

    I have the output now, but would rather I emailed it to you.

    How can I get in touch with you please?

    Plugin Author Daniel Convissor

    (@convissor)

    Hi James:

    Thanks for the grep output. Nothing in particular pops out at me. What happens if you disable the Your Members plugin and then register a new user?

    –Dan

    Hi James & Daniel:

    Just a sanity check here:

    Does the 7 character password as received in the email actually work?

    If it doesn’t, perhaps the email output is being manipulated via a filter.
    Or perhaps it is being changed and then the user record is being updated.

    In terms of a recommendation:
    1. Daniel is right: disable all the plugins and see if this changes the mail output of the password for a newly created user.
    2. WordPress Core code comparison: Download a fresh copy of WordPress and complete a file comparison, perhaps a part of the core was not updated correctly or has been modified. If you are a Windows user consider using https://winmerge.org/ or even better Beyond Compare (30 day demo available).

    Cheers,
    Dean.
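
An added example, not part of the original post: the core file comparison from recommendation 2, done from the shell instead of a Windows diff tool. It assumes a fresh copy of the same WordPress version has been unpacked into its own directory; the function names and the sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example: directory layout and file contents below are constructed.

# compare_core SITE_DIR FRESH_DIR
# Compare WordPress core files in SITE_DIR with a freshly unpacked copy of the
# same version in FRESH_DIR. wp-content (plugins, themes, uploads) is skipped,
# as it legitimately differs between sites.
compare_core() {
    site="$1"; fresh="$2"
    # Every core file shipped in the fresh copy must exist and be byte-identical.
    (cd "$fresh" && find . -type f ! -path './wp-content/*' | sort) |
    while IFS= read -r f; do
        if [ ! -f "$site/$f" ]; then
            echo "MISSING  ${f#./}"
        elif ! cmp -s "$fresh/$f" "$site/$f"; then
            echo "MODIFIED ${f#./}"
        fi
    done
    # Files inside core directories that the release does not ship.
    (cd "$site" && find ./wp-admin ./wp-includes -type f 2>/dev/null | sort) |
    while IFS= read -r f; do
        [ -f "$fresh/$f" ] || echo "EXTRA    ${f#./}"
    done
    return 0
}

# Constructed sample: a "fresh" tree and a "site" tree with one edited core
# file, one extra file, and a plugin that must be ignored.
make_core_sample() {
    base=$(mktemp -d)
    for t in fresh site; do
        mkdir -p "$base/$t/wp-includes" "$base/$t/wp-admin" \
                 "$base/$t/wp-content/plugins"
        echo '<?php // login' > "$base/$t/wp-login.php"
        echo '<?php // pluggable' > "$base/$t/wp-includes/pluggable.php"
    done
    echo '<?php // login, edited' > "$base/site/wp-login.php"
    echo '<?php // unknown' > "$base/site/wp-includes/extra.php"
    echo '<?php // plugin' > "$base/site/wp-content/plugins/demo.php"
    echo "$base"
}

sample=$(make_core_sample)
compare_core "$sample/site" "$sample/fresh"
rm -rf "$sample"
```

A site-specific wp-config.php is not flagged, since it sits outside wp-admin and wp-includes and is absent from the fresh copy.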

  • The topic ‘[Plugin: Login Security Solution] Password length not being enforced’ is closed to new replies.