• Rachel

    (@jaxrachel)


    When I turn on the Strong Password Enforcement setting, and try to create a new user, WordPress tells me the password is “strong” but it won’t let me save, giving me the error “Due to site rules, a strong password is required. Please choose a new password that rates as Strong on the meter. The user has not been created.” When I turn off your plugin’s Strong Password Enforcement setting, the system lets me save my “strong” password user. Your setting says it is “…as rated by the WordPress password meter.” However, there is clearly something different between your version of “strong” and WordPress’s password meter version of “strong” and it is super confusing when the system says my password is strong, but won’t let me save it.

Viewing 9 replies - 1 through 9 (of 9 total)
  • pronl

    (@pronl)

    There have been 2 fixes and 1 enhancement to the Strong Password Enforcement feature in the latest 5.7.1 release. According to the 5.7.1 Changelog:

    Bug Fix: Improved how Strong Password Enforcement works on password resets to improve compatibility with various plugins.
    Bug Fix: Improved the logic for determining whether a user should have Strong Password Enforcement applied. This covers situations where the user may have a custom role, a customized default role, or added capabilities beyond their role.
    Enhancement: Strong Password Enforcement now uses a PHP port of zxcvbn to ensure that a strong password was selected.

    I think it is the enhancement to the Strong Password Enforcement feature that is causing your issue.

    As a workaround you could deactivate and then delete the 5.7.1 plugin release. Then reinstall the older 5.7.0 plugin release. Or simply disable the Strong Password Enforcement feature in the 5.7.1 release.

    If you are interested in how zxcvbn exactly contributes to stronger passwords, read this.

    Thread Starter Rachel

    (@jaxrachel)

    Thanks pronl for the info. I would still like to see this fixed in a future release.

    @jaxrachel

    I think I’ve found where the bug is and how to fix it.
    It’s a very simple fix. It does need a change in the code, which means the fix
    will be undone when updating the plugin.


    Same problem for me. Moreover, iTheme doesn’t respect the min. role for enforcement: I set it to “contributor” but it’s active for “Subscriber”.
    Thanks.

    @alysko

    Moreover, iTheme doesn’t respect the min. role for enforcement: I set it to “contributor” but it’s active for “Subscriber”.

    What action are you performing when observing this behavior:

    1. Updating profile of an existing (subscriber) user (within WordPress Dashboard).
    2. Creating a new (subscriber) user (within WordPress Dashboard).
    3. Resetting password for an existing (subscriber) user (following the Lost your password? link on the login page).


    Answer 2

    This is still an issue in 6.2.1

    Any word on when this will be fixed?

    Same issue here in 6.2.1
    Can’t reset password because it keeps saying it is not strong. Mine happens on scenario 3 – resetting password for existing user. Have not tested the other scenarios.

    @kate515

    … and this is happening while using WordPress 4.8?

    The reason why I ask is because WordPress 4.8 includes an updated zxcvbn library for the strong password meter (1.0 to version 4.4.1).

  • The topic ‘“Strong Password Enforcement” setting causing PW reset/user creation issues’ is closed to new replies.