Dirty Butter (posted February 24, 2015): When an existing customer with a short password tries to login, they get a message to "Please enter at least a 6 character password". So now the existing customer can't login. Any way around this?
bsmither (posted February 24, 2015): Without changing any code, instruct the customer (if feasible, or use the language editor to change the phrase) to use the "Forgot Password" feature. That will give the customer a path to changing the password to accommodate this restriction (which I was not aware of).
Al Brookbanks (posted February 24, 2015): I don't think a min char length should be imposed on the login page: https://github.com/cubecart/v6/issues/274
havenswift-hosting (posted February 24, 2015): Hi Al, I completely disagree! We should be trying to encourage users to use strong unique passwords on all sites they access by using simple and FREE tools like LastPass and by enforcing 2 Factor Authentication. Even 6 characters is trivial for password cracking software to find (probably a few seconds or less). In this case, a better message for returning customers would help, and six characters is better than none, but removing it is a big backward step. Ian
Al Brookbanks (posted February 24, 2015): On registration yes. On login it shouldn't have this validation. Hmm, unless we do want them to force a new password.... I think I agree actually. It needs to force stronger passwords..
ayz1 (posted February 24, 2015): Not good if an existing customer can't log in with their original password. Very frustrating from their point of view. I'm looking to upgrade a V3 store and this would put me off. We have too many customers in our database to be having to deal with this. Surely there is a way to allow existing customers to log in without having to reset their password? New customers can be encouraged to use a stronger password.
Al Brookbanks (posted February 24, 2015): This is one of those "can't win either way" ones. It only takes a minute to request a new password. It would be interesting to know how many customers have a password of less than 6 chars. Security vs Convenience. So would a compromise be to remove the enforcement and add a message saying that your password is weak and we strongly suggest changing it after login?

> ayz1 wrote: Not good if an existing customer can't log in with their original password. Very frustrating from their point of view. I'm looking to upgrade a V3 store and this would put me off. We have too many customers in our database to be having to deal with this. Surely there is a way to allow existing customers to log in without having to reset their password? New customers can be encouraged to use a stronger password.

I think you missed the point. They can of course login with their existing password if it's 6 characters or more. Most websites enforce this as a minimal limit. Most customers use the same passwords on many sites. I think we are guilty of this. For this reason this should only affect a small percentage. One thing to take into account here is that *if* your store required PCI accreditation this kind of security feature is required to pass acceptance! I think the best solution is to redirect them to the password reset page to update their password if it is weak after login.
ayz1 (posted February 24, 2015): Don't think I missed the point. If someone has a short password they should still be able to access their account in my opinion. Allowing them to log in and then deal with it in the way you suggest by directing them to the password reset page after they have logged in would be a better experience for the customer provided it is made clear why they are being asked to update their password.
Al Brookbanks (posted February 24, 2015):

> ayz1 wrote: Don't think I missed the point. If someone has a short password they should still be able to access their account in my opinion. Allowing them to log in and then deal with it in the way you suggest by directing them to the password reset page after they have logged in would be a better experience for the customer provided it is made clear why they are being asked to update their password.

Sorry, your response sounded like every login. So what's the solution?

1. Allow login and recommend password update? (low security)
2. Allow login and FORCE password update? (mid security)
3. Force password reset prior to login? (most security)
4. Just allow login as before. (least security)

.. and no, I don't think there should be a setting for this.
ayz1 (posted February 24, 2015): 2. Allow login and FORCE password update, provided it is made clear why they are being asked to update their password. Leaving it to the customer to request a new password can be an issue because it is sometimes confusing, especially for foreign speaking customers, and sometimes they don't receive the new password email. I appreciate the percentage using a short password may be small, but when there are a lot of registered customers there may be quite a few. Just my opinion, but I'm trying to look at it from the customer's point of view.
Al Brookbanks (posted February 24, 2015): I think I'm with you there about #2. I'll leave this open for other feedback and get changes made this week. Thanks for taking the time to share your thoughts. Much appreciated.
havenswift-hosting (posted February 24, 2015): Hi,

The point about PCI compliance is very valid and one that more people should be concerned about, although in our experience a very large majority of CubeCart customers still don't undertake any PCI compliance.

Option 2 is an OK solution as long as they are forced to change the password to a longer (minimum of 8 characters should really be enforced), more secure (upper case, lower case, numerals and special characters, and maybe include a password strength meter) one immediately after logging in, and they are unable to do anything else until that step is completed.

Ian
Dirty Butter (posted February 24, 2015): I think that Option 2 is better than expecting the Forgot Password process. After all, they have an ORDER sitting in the basket at this point. We need to make this as easy as possible, or that ORDER will be LOST. Is there any way to tell from cpanel how many customers this actually applies to?
bsmither (posted February 24, 2015): The password is sufficiently one-way hashed that (currently) deducing any characteristic about the original password is impossible.
Dirty Butter (posted February 24, 2015): That's what I thought, but was hoping there was some way to determine length and email affected customers and fix the issue that way.
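Editor's added example (not CubeCart's own code, and not from any poster in this thread) sketching Option 2 as ayz1 and Ian describe it: the customer logs in with the legacy short password, the account is flagged, and every request other than the password-change page is refused until a compliant password is set. It also illustrates bsmither's point above: the stored salted hash has a fixed length and reveals nothing about the original password, so the only moment the length can be checked is at login, when the plaintext is in hand and has just been verified. Function names, the PBKDF2 work factor, the 8-character mixed-class policy, the route name and the sample accounts are all assumptions made for the example.

```python
"""Option 2: allow login with a weak legacy password, then force a change.
Added example for this thread; not CubeCart code. All names are assumptions."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8                               # Ian's suggested minimum (assumed policy)
PBKDF2_ITERATIONS = 100_000                  # assumed work factor
PASSWORD_CHANGE_ROUTE = "/account/password"  # hypothetical route name


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256 stored as 'pbkdf2_sha256$iter$salt_hex$dk_hex'.
    The output is fixed-length whatever the input, so nothing about the
    original password's length can be read back from the database."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Hash verified for unknown accounts so that a missing user costs the same time
# as a wrong password (avoids a timing-based account-enumeration oracle).
DUMMY_HASH = hash_password("placeholder-not-a-real-account")


def policy_violations(password: str) -> list:
    """Ian's rules: at least 8 chars with lower, upper, digit and special character."""
    checks = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (re.search(r"[a-z]", password), "no lower-case letter"),
        (re.search(r"[A-Z]", password), "no upper-case letter"),
        (re.search(r"[0-9]", password), "no digit"),
        (re.search(r"[^A-Za-z0-9]", password), "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]


def make_demo_users() -> dict:
    """Constructed sample accounts: one legacy short password, one compliant one."""
    return {
        "alice@example.com": {"password_hash": hash_password("abc12"), "must_change_password": False},
        "bob@example.com": {"password_hash": hash_password("S3cure!Pass"), "must_change_password": False},
    }


def login(users: dict, email: str, password: str) -> dict:
    """Authenticate against the stored hash first; only a *verified* plaintext is
    then measured against the policy. A weak password still logs the customer in
    (Option 2) but flags the account so the next step must be a password change."""
    user = users.get(email)
    if user is None:
        verify_password(password, DUMMY_HASH)
        return {"ok": False, "must_change_password": False, "problems": []}
    if not verify_password(password, user["password_hash"]):
        return {"ok": False, "must_change_password": False, "problems": []}
    problems = policy_violations(password)
    if problems:
        user["must_change_password"] = True
    return {"ok": True, "must_change_password": user["must_change_password"], "problems": problems}


def can_access(user: dict, route: str) -> bool:
    """Per-request gate: a flagged account may only reach the password-change page."""
    return not user["must_change_password"] or route == PASSWORD_CHANGE_ROUTE


def change_password(users: dict, email: str, current: str, new: str) -> list:
    """Return [] on success (hash replaced, flag cleared) or the reasons it was refused."""
    user = users[email]
    if not verify_password(current, user["password_hash"]):
        return ["current password incorrect"]
    problems = policy_violations(new)
    if problems:
        return problems
    user["password_hash"] = hash_password(new)
    user["must_change_password"] = False
    return []


if __name__ == "__main__":
    users = make_demo_users()
    print(login(users, "alice@example.com", "abc12"))            # ok, but flagged
    print(can_access(users["alice@example.com"], "/checkout"))   # False until changed
    print(change_password(users, "alice@example.com", "abc12", "N3w-Passw0rd"))
    print(login(users, "alice@example.com", "N3w-Passw0rd"))     # ok, no longer flagged
```

The order of operations is the security-relevant part: the policy check runs only after the hash has matched, so the login form never leaks which accounts have short passwords, and the flag is set server-side rather than relying on the customer following a link. The `problems` list is what the password-change page would show, meeting ayz1's condition that the customer is told why they are being asked to change it.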