XF 1.5 What are the XF minimum password requirements?

[Alpha1]

If a user enters a short password then they get no information except:

1. Please enter a valid password.

It would be useful to inform the user what they are doing wrong.

 

[Xon]

I end up using [kl] Password Tools to provide better feedback & complexity requirements.

 

[Alpha1]

Installing addon number 82...
It keeps amazing me how many addons xenforo requires for basic functions.

 

[Chris D]

If a user enters a short password then they get no information except:

1. Please enter a valid password.

It would be useful to inform the user what they are doing wrong.

Actually, we only give that error if they enter no password.

There is actually no minimum password requirement apart from, well, actually entering one. It can be any password of any length with any characters with a minimum of 1 character.

(The exception, perhaps, is passwords that consist only of spaces, or other whitespace characters, we deliberately strip these from the beginning and end of the password).

Aside from the issue of forcing a certain complexity, which that add-on will allow, I'd have thought it would be patently obvious to someone that "Please enter a valid password" when you've not actually entered one, would be fairly obvious.

Unless you have another add-on that forces a minimum length, in which case I'd agree that having more information in that scenario would be more useful.

On the subject of XF forcing a certain password complexity, I'm unsure we'd actually do that. Password complexity requirements can be incredibly frustrating for users. If anything, we'd probably implement a password strength meter in the future, something like the dropbox/zxcvbn library, that would educate users on a decent password rather than making it a barrier.

 

[whynot]

Password complexity requirements can be incredibly frustrating for users.

They are horrible.
Must be there a digit.
At least one uppercase and one lowercase character.
A special character.
8 digits at least...

 

[Digital Doctor]

Actually, we only give that error if they enter no password.

Which is terrible feedback.

 

[Chris D]

Which is terrible feedback.

"Please enter a valid password" when one hasn't been entered is terrible feedback? Makes sense to me, and I'm certain also to the majority of people. Any suggestions on making it not "terrible"?

 

[Digital Doctor]

When the password is blank, you say it was blank.

 

[Alpha1]

The exception, perhaps, is passwords that consist only of spaces, or other whitespace characters, we deliberately strip these from the beginning and end of the password).

Could you expand on this? What do you mean with whitespace characters? Does this include dashes?

 

[Xon]

If anything, we'd probably implement a password strength meter in the future, something like the dropbox/zxcvbn library, that would educate users on a decent password rather than making it a barrier.

The add-on I linked to wraps a php-port of that the dropbox library in a XF add-on and a few minor config options.

 

[Chris D]

Could you expand on this? What do you mean with whitespace characters? Does this include dashes?

No. A whitespace character is anything that represents a space or similar character, such as an actual space, tab, new line etc.