BuddyDev

Search

Force strong password when user change own password

  • Participant
    Level: Enlightened
    Posts: 88
    Torben Heikel Vinther on #42459

    Hi

    My head is almost exploding because I can’t figure how to solve a rather simple security problem. For some reason, it’s not mandatory in BuddyPress to use strong passwords when a user is changing his password on the user profile page. It shows the password meter but you can change the password to a single letter if you want!

    I have forced the use of strong passwords when a user registers, but it has no bearing on existing users! I have also looked at the function bp_settings_action_general() but it doesn’t check the password strength.

    So my question is: how do I force the user to use a strong password when updating his password on the user profile page?

    Thanks

  • Keymaster
    Level: Yogi
    (BuddyDev Team)
    Posts: 3115
    Ravi on #42465

    Hello Torben,

    Thank you for posting here. Please try the following filter used for validating the user password.

    
    bp_members_validate_user_password
    
    

    Let me know if it helps you or not.

    Regards
    Ravi

  • Participant
    Level: Enlightened
    Posts: 88
    Torben Heikel Vinther on #42466

    Hi Ravi

    Thank you for your answer. Unfortunately, the bp_members_validate_user_password function does only checks if the password is empty, and to make sure the password confirmation matches the password. It doesn’t check if the password is strong!

    I think it’s very strange that BuddyPress doesn’t follow all the settings in WordPress. It seems that BuddyPress use it’s own settings.

  • Keymaster
    Level: Yogi
    (BuddyDev Team)
    Posts: 3115
    Ravi on #42468

    Hello Torben,

    Please try the following code:

    
    
    /**
     * Validate password
     *
     * @param WP_Error $errors Error object.
     * @param string   $pass   Password.
     */
    add_filter( 'bp_members_validate_user_password', function ($errors, $pass ) {
    
    	if ( $errors->has_errors() ) {
    		return $errors;
    	}
    
    	$uppercase_exp    = '/[A-Z]/';
    	$lowercase_exp    = '/[a-z]/';
    	$special_char_exp = '/[!@#$%^&*()-_=+{};:,<.>]/';
    	$numeric_exp      = '/[0-9]/';
    
    	if ( preg_match_all( $uppercase_exp, $pass, $o ) < 1 ) {
    		// Check if password has one upper case letter.
    		$errors->add( 'missing_uppercase', __( 'Please make sure you enter your password twice', 'buddypress' ) );
    	} elseif ( preg_match_all( $lowercase_exp, $pass, $o ) < 1 ) {
    		// Check if password has one lower case letter.
    		$errors->add( 'missing_lowercase', __( 'Please make sure you enter your password twice', 'buddypress' ) );
    	} elseif ( preg_match_all( $special_char_exp, $pass, $o ) < 1 ) {
    		// Check if password has one special letter.
    		$errors->add( 'missing_special_char', __( 'Please make sure you enter your password twice', 'buddypress' ) );
    	} elseif ( preg_match_all( $numeric_exp, $pass, $o ) < 1 ) {
    		// Check if password has one numeric letter.
    		$errors->add( 'missing_numeric_char', __( 'Please make sure you enter your password twice', 'buddypress' ) );
    	} elseif ( strlen( $pass ) < 8 ) {
    		// Check if password has certain limit.
    		$errors->add( 'missing_char_limit', __( 'Please make sure you enter your password twice', 'buddypress' ) );
    	}
    
    	return $errors;
    }, 10, 2 );
    
    

    Regards
    Ravi

  • Participant
    Level: Enlightened
    Posts: 88
    Torben Heikel Vinther on #42469

    Thanks again Ravi, but your code doesn’t work on my BuddyBoss setup. As I wrote, it seems that the bp_members_validate_user_password function only works when you register an account and not when you want to change your password from your front-end account.

  • Keymaster
    Level: Yogi
    (BuddyDev Team)
    Posts: 3115
    Ravi on #42472

    Hello Torben,

    Thank you for the acknowledgment. It seems to be an issue with BuddyBoss Platform as BuddyPress uses this filter for both cases.

    Please contact BuddyBoss to fix this.

    Regards
    Ravi

  • Keymaster
    (BuddyDev Team)
    Posts: 24623
    Brajesh Singh on #42480

    Hi Troben,
    Just for the sake of knowledge, BuddyPress 10.0 allows you to use a basic filter or constant to enable it.

    https://bpdevel.wordpress.com/2021/12/29/a-new-constant-to-enforce-members-password-strength/

    This is not available with BuddyBoss.

    Regards
    Brajesh

  • Participant
    Level: Guru
    Posts: 900
    Tosin on #42482

    Hello,

    Thanks Brajesh for the update

    1. Is this filter bp_members_validate_user_password going to be deprecated soon
    2. Is it safe to use Ravi’s code with the new constant define( ‘BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH’, 4 ); without any conflict

  • Participant
    Level: Enlightened
    Posts: 88
    Torben Heikel Vinther on #42483

    Hi Brajesh

    Thanks a lot for the clarification. I wonder if and when BuddyBoss will implement this highly requested security feature…

    /Torben

  • Keymaster
    (BuddyDev Team)
    Posts: 24623
    Brajesh Singh on #42491

    Hi Tosin,

    1. Is this filter bp_members_validate_user_password going to be deprecated soon

    No. There does not seem to have any plan like that.

    2. Is it safe to use Ravi’s code with the new constant define( ‘BP_MEMBERS_REQUIRED_PASSWORD_STRENGTH’, 4 ); without any conflict

    Yes, they will work fine together.

    Regards
    Brajesh

You must be logged in to reply to this topic.

This topic is: not resolved