Perch 'Paranoid' Security mode queries

  • I have a client who wishes to implement a raft of security features on two of their sites. Some of the basic items can be achieved via the Perch 'paranoid' security mode, but I couldn't immediately see the details for the following. Hopefully someone can let me know the details:

    • What are the rules for the 'strong' password rule set? Does the rule set just require one uppercase and one numeric or something else? When changing a Perch user password that doesn't satisfy the rules there's no detail given to admin users on what's required - just 'That password has too many lower case characters. Mix it up a bit.'.
    • Whilst minimum password length can be set, is there a way to easily show this specific length in Perch so that admin users are aware of the rules/requirements, rather than just the statement 'That password is too short. Make it longer'?

    Everything else that's needed by the client will require specific development, but the two above would be handy to know answers for in advance of any deeper delving.

    thanks

  • drewm

    Approved the thread.
• Strong passwords enforce the following:

    1. Passwords must be longer than the PERCH_PASSWORD_MIN_LENGTH setting
    2. Password cannot be the username, the reverse of the username, or the username with common substitutions
    3. Password must contain a mix of uppercase, lowercase, numbers and symbols - at least two characters of two different classes
    4. For existing users, password cannot be reused within 6 months

    There's not an easy way to show the password length due to quirks of where this validation occurs and the translation system. You can, however, make use of the translation system to customise the message.
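The four rules listed in the answer above, carried through as a small policy checker. This is added example code, not Perch's own validation or its translation system: the substitution table, the reading of rule 3 as "at least two characters in each of at least two classes", the six-month window taken as 183 days, the strict "longer than" comparison, and the PBKDF2-based password history are all assumptions. It also shows the one thing the original question asked for: putting the configured minimum length into the message the admin user sees.

```python
"""Illustrative password-policy checker (added example, not Perch code)."""
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Assumed "common substitutions" table (not Perch's): leet-style characters
# mapped back to the letters they usually replace, so "@l1c3" normalises to "alice".
LEET_TO_LETTER = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "|": "i",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t",
})
REUSE_WINDOW = timedelta(days=183)  # "within 6 months", assumed to mean ~183 days


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2 digest so the reuse history never stores plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def make_history_entry(password: str, changed_at: datetime) -> tuple[bytes, bytes, datetime]:
    """Build one (salt, digest, changed_at) record for a previous password."""
    salt, digest = hash_password(password)
    return salt, digest, changed_at


def normalise(text: str) -> str:
    """Lowercase and undo common substitutions for the username comparison."""
    return text.lower().translate(LEET_TO_LETTER)


def class_counts(password: str) -> dict[str, int]:
    """Count characters per class: upper, lower, digit, symbol (anything else)."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "symbol": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["symbol"] += 1
    return counts


def check_password(password: str, username: str, min_length: int,
                   history=(), now: datetime | None = None) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    now = now or datetime.now()
    problems: list[str] = []

    # Rule 1: "longer than" the minimum, read literally as strictly greater.
    # The message carries the number, which is what the question above asked for.
    if len(password) <= min_length:
        problems.append(f"That password is too short. It must be longer than {min_length} characters.")

    # Rule 2: not the username, its reverse, or either with common substitutions.
    user = username.lower()
    forbidden = {user, user[::-1], normalise(user), normalise(user)[::-1]}
    if password.lower() in forbidden or normalise(password) in forbidden:
        problems.append("That password is too close to the username.")

    # Rule 3 (assumed reading): at least two classes each contribute two or more characters.
    counts = class_counts(password)
    if sum(1 for n in counts.values() if n >= 2) < 2:
        problems.append("That password needs at least two characters from each of two "
                        "character classes. Mix it up a bit.")

    # Rule 4: reject a password whose hash matches any history entry inside the window.
    for salt, digest, changed_at in history:
        if now - changed_at < REUSE_WINDOW and hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("That password was used within the last 6 months. Choose a different one.")
            break
    return problems


def demo() -> dict[str, list[str]]:
    """Constructed scenarios (not real accounts); returns the problem list for each."""
    now = datetime(2024, 1, 1)
    recent = [make_history_entry("Tr0ub4dor&3Xy", now - timedelta(days=30))]
    old = [make_history_entry("Tr0ub4dor&3Xy", now - timedelta(days=200))]
    return {
        "too_short_all_lower": check_password("password", "alice", 8),
        "leet_username": check_password("@l1c3", "alice", 4),
        "good": check_password("Tr0ub4dor&3Xy", "alice", 8),
        "reused_recently": check_password("Tr0ub4dor&3Xy", "alice", 8, recent, now),
        "reused_long_ago": check_password("Tr0ub4dor&3Xy", "alice", 8, old, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "OK")
```

The username comparison normalises the candidate password rather than generating every substituted variant of the username, so any mix of the listed substitutions is caught in one comparison; the history check compares salted digests with a constant-time comparison so the checker never needs the old plaintext.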