Ver 2.53, how to disable check against password list or use password anyway

4 posts by 3 authors in: Forums > CMS Builder
Last Post: April 12, 2013

By Codee - April 11, 2013

I have a client that just got upgraded to ver2.53. They have some user accounts that get disabled/reenabled from time-to-time. One of the users was just re-enabled and the new system will not allow the password (that they've always used) and is forcing a more secure password.  Customer would like this feature either: disabled completely or have it "allow password anyway". How can this be done...except maybe for deleting/modifying the 10,000 item password list?

By Jason - April 12, 2013

Hi,

Like Greg said, one of the issues with changing CMSB source code is that an upgrade will overwrite the change.  One issue with returning an empty string is that it would stop all errors from being returned, effectively allowing people to create blank passwords.

The really quick option would be to open login_password_blacklist.txt and either remove the password in question from the list, or all passwords, leaving a blank file.  As with the other change, this will be overwritten in an upgrade.

A better solution would be to set up a simple plugin that uses the login_newPasswordErrors filter hook.  This hook takes in the error array and the password text.  You can then search through the error array for the string "Password found in list of "most common passwords", please choose a more secure password." and remove that array element.  Always make sure you return the array at the end of the call.  This would allow you to implement this change without modifying the source code.  It will also still work in an upgrade.

Please note that this is still not recommended as this will allow the users to create unsafe passwords.

Hope this helps

---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/
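
A sketch of the plugin approach described in the post above, added here as an example and not code from interactivetools or from anyone in the thread. Only the hook name and the message text come from the post; the callback name, the plugin header, the `addFilter()` registration signature and the constructed sample errors are assumptions. It removes the one "most common passwords" error and leaves every other error (such as a blank-password error) in place.

```php
<?php
/*
Plugin Name: Allow Common Passwords (added example)
Description: Drops only the "most common passwords" error from new-password checks
Version: 0.1
*/
// The header above follows an assumed plugin header format.

// Fragment of the message quoted in the post; matching on it avoids
// depending on the exact quotes and punctuation around it.
const COMMON_PASSWORD_FRAGMENT = 'most common passwords';

// Hypothetical callback name. Takes the error array and the password text,
// as the post describes, and always returns the array.
function example_allowCommonPasswords($errors, $password = '') {
    if (!is_array($errors)) {
        return $errors; // unexpected shape: pass it through untouched
    }
    $kept = array();
    foreach ($errors as $key => $error) {
        if (is_string($error) && stripos($error, COMMON_PASSWORD_FRAGMENT) !== false) {
            continue; // drop only the common-password error
        }
        $kept[$key] = $error; // every other error is still reported
    }
    return $kept;
}

if (function_exists('addFilter')) {
    // Assumption: registration takes (hook name, callback name, priority, arg count).
    addFilter('login_newPasswordErrors', 'example_allowCommonPasswords', null, 2);
} else {
    // Run stand-alone (php this_file.php) on constructed input.
    $sample = array(
        'Please enter a password.', // constructed error text
        'Password found in list of "most common passwords", please choose a more secure password.',
    );
    $result = example_allowCommonPasswords($sample, '');
    // The blank-password error survives; only the list check is removed.
    if (count($result) !== 1 || $result[0] !== 'Please enter a password.') {
        throw new Exception('filter removed more than the common-password error');
    }
    print_r($result);
}
```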

By Codee - April 12, 2013

Thanks to both of you - Greg and Jason.

I think for this client the best route is to remove the "offending" blocked password.

Cheers!