Enforcing high strength passwords

joanaranda

Is there any way to enforce high strength passwords in Flarum? In my opinion, having the only restriction for passwords to be at least 8 characters long is not enough for current hackers.

I have already read both Tackling "the spam problem" and Any good extensions which help prevent and fight spam?, so I understand all the options to filter suspicious requests or block potentially dangerous attackers. However, a chain is as strong as its weakest link and I consider that letting people set weak passwords is a real threat.

I installed GB Password strength. However, their extension warns users about weak passwords, but they don't prevent that they are finally set. I asked in their discuss forum thread and @iPurpl3x from @glowingblue already replied that it is not in their plans to add this functionality.

Is there any other extension to enforce strong passwords? Any suggestion? How other forum owners are handling this? It is hard for me to believe that I am the only forum owner concerned about this.

I am quite aligned with this old request from @Dominion: Password strength checker?. I can understand that neither core nor extension developers can act on all the proposals, but from my ignorance, it looks like such a common concern that I wonder how other people are addressing this issue.

Any help or advice will be welcome...

Nearata

joanaranda

i've made this

https://github.com/Nearata/flarum-ext-password-strength-enforcer

it re-check the password with a php port version of zxcvbn. Sadly, zxcvbn-php, is not an exact port of the javascript library. This means that it might occur that a yellow level bar in frontend is instead a red "level bar" password in backend. This result is uncommon/rare, but i think that's a negligible.

luceos

This could be a feature. I think that two factor authentication has increased the difficulty of hacking accounts by a good amount though. So perhaps that has reduced the need for such an enforcement layer on the password. I do think this could be a feature, I don't think it should be the obligation of core as different communities can have different requirements.

I found this one by the way: https://extiverse.com/extension/nearata/flarum-ext-twofactor

joanaranda

Thanks for your prompt reply, @luceos.

I fully understand your point, but at least in my project, I think that many users will refuse to create an account if they see that two factor authentication is enforced.

What I've learned through different past projects, is that users tend to accept quite easily the extra effort of two factor authentication when their data is in risk, but not when you are in trouble.

If someone breaks their password through brute-force attacks, the forum admin is who will have to deal with any potential spam. It is unlikely that attacks are against user's data, as not much confidential information from the user, apart from the email address, is in risk. Thus, I think that many potential users will simply prefer not to join if they see that will will have to run this extra mile to connect.

I felt a little bit surprised to see that with so many extensions available, none is covering this situation, as I thought that it would be a quite broad issue. I was even more surprised to see that even the extensions that warn that a password is weak, let the users shoot their own foot afterwards. I fully understand that most of the effort here is handled by volunteers, so there is not much I can do, but I admit that I expected that it was a much broader concern in the community.

Thank you, anyway. I really appreciate your time.

joanaranda

Awesome, @Nearata!

I've already installed your extension. It is great!

Giving early notice about the security of a password is nice. However, making sure that only secure passwords are accepted is what really helps to protect the overall system.

Thank you for your meaningful contribution to the flarum community!

·· joan