• Hello,

    I have a site where users can register and then I use the credentials to log them in from a third-party app via REST API. Unfortunately, the same password that works on the front end, if it contains special characters like * or @, doesn’t work in the backend via the REST API.

    My question is, how can I disallow the usage of special characters in passwords?

    I saw the option of the “registration_errors” filter, but it seems to only be usable on usernames, and not passwords?

    Any help is appreciated.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator bcworkz

    (@bcworkz)

    You can alter the suggested password through the ‘random_password’ filter. Perform some sort of search and replace to remove any special chars and replace with random alphanumeric chars. To maintain adequate password strength without special chars, the suggested password may need to be longer.

    To enforce no special chars when a user enters their own password, I suggest doing so client side via JavaScript. I believe the correct action from which to enqueue your script would be “login_enqueue_script”, but haven’t verified specifically for the password setting screen.

    Since JS can be disabled and a user could then submit a password with special chars, you could back up enforcement server side through the “reset_password” action. About all you can do if there are special chars present is call wp_die(). Crude but effective. You might decide to forego this measure since anyone who disables JS has to expect things to not always go right.

    All that said, it sounds like you’re maintaining a plain text password for later use in making API calls. I’m not a security expert, but that sounds like a security weakness and a poor solution. To utilize the API using the user’s authority while not restricting their main WP password, there are several authentication methods available. The recently introduced applications password would be a good option.

    Thread Starter LBandy

    (@lbandy)

    Thank you for the suggestions, I’ll look around and see how I could apply them.

    Concerning the plain text assumption, the way my software works is users can purchase specific content at the website associated with their WordPress accounts, and then they can type their WordPress credentials into the login screen in the software to get access to their purchased content. I then forward the encoded password to the backend where the password gets decoded and tested by WordPress’ login function – where it fails when special characters are present, even though they are accepted when logging in at the site. Having this functionality working would also be sweet, so no workarounds would be necessary.

    Moderator bcworkz

    (@bcworkz)

    WP is rejecting its own user passwords passed from elsewhere? That sounds like an encoding/escaping issue external to WP.
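To check the encoding/escaping explanation from the reply above before weakening the password policy, here is an added Python example (not code from this thread or from WordPress) that round-trips a constructed password containing `@`, `*`, `&`, `+` and `%` through an RFC 7617 Basic auth header and through form encoding, and shows how naive string concatenation silently truncates it. The credential values and the `username`/`password` field names are assumptions.

```python
import base64
from urllib.parse import urlencode, parse_qs

# Constructed sample credentials; the password deliberately contains the
# characters that commonly break ad-hoc encoding (@ * & + %).
USERNAME = "alice"
PASSWORD = "p@ss*w0rd&x+y%z"

def basic_auth_header(username: str, password: str) -> str:
    """Build an RFC 7617 Authorization value; base64 makes every byte safe."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_auth_header(value: str) -> tuple[str, str]:
    """Inverse of basic_auth_header. Split on the FIRST colon only,
    because the password itself may contain colons."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    decoded = base64.b64decode(token).decode("utf-8")
    username, _, password = decoded.partition(":")
    return username, password

def form_body_correct(username: str, password: str) -> str:
    """Percent-encode each field so '&', '+', '%', '@' and '*' are escaped."""
    return urlencode({"username": username, "password": password})

def form_body_naive(username: str, password: str) -> str:
    """The bug: raw concatenation leaves the '&' and '+' delimiters unescaped."""
    return "username=" + username + "&password=" + password

def decode_form_body(body: str) -> dict[str, str]:
    """What a typical server-side form parser recovers from the body."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}

def round_trip_report() -> dict[str, str]:
    """Return the password as recovered through each transport path."""
    _, via_basic = parse_basic_auth_header(basic_auth_header(USERNAME, PASSWORD))
    via_form = decode_form_body(form_body_correct(USERNAME, PASSWORD))["password"]
    via_naive = decode_form_body(form_body_naive(USERNAME, PASSWORD))["password"]
    return {"basic": via_basic, "form": via_form, "naive": via_naive}

if __name__ == "__main__":
    for path, recovered in round_trip_report().items():
        print(f"{path:6s} {'OK ' if recovered == PASSWORD else 'BAD'} {recovered!r}")
```

The naive path hands the server only `p@ss*w0rd`, so the login fails while the same password still works in the browser, which correctly encodes the form; the fix is on the client side of the transport, not in the character set.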

  • The topic ‘Disable special characters in passwords’ is closed to new replies.