Password Policy: Add hook_password so generated passwords must meet current Password Policy enforced policies

Created on 8 April 2020, about 5 years ago
Updated 7 April 2024, about 1 year ago

A given application has both password_policy and genpass modules. Currently, the majority of the time, the generated password satisfies the currently selected password policy, but in the off-chance cases where it does not, the user is given a message like:

and the user is not actually created yet. The workaround is to submit again. No big deal, but #UX is the buzzword here :)

Proposed solution:

Genpass exposes a hook_password and a configuration option to select a password generation algorithm to return a string. It would be nice to wrap a password generation function with validation against "the currently active policy" provided by Password Policy via a proposed password_policy_policy which only returns a generated password that meets the active password policy.

I see a similar 6.x request #872756: Auto-generated Passwords Don't Take Policies Into Account closed as won't fix. I am opening this feature request anew as it is possible something has changed since then.

Feature request
Status

Postponed: needs info

Component

Code

Created by

🇺🇸United States texas-bronius
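
The wrapper proposed in the issue summary, sketched as an added example; it is not code from Genpass or Password Policy. Every function name is hypothetical and the constraint set is constructed to stand in for "the currently active policy". It regenerates whole candidates rather than patching characters, so the result stays uniformly random among compliant passwords, and it caps the attempts so an unsatisfiable policy fails loudly instead of looping.

```php
<?php
// Added example: hypothetical names throughout, no Drupal API is used.

/** Draw $length characters uniformly from $alphabet using the CSPRNG. */
function example_random_password(int $length, string $alphabet): string {
  $max = strlen($alphabet) - 1;
  $out = '';
  for ($i = 0; $i < $length; $i++) {
    $out .= $alphabet[random_int(0, $max)];
  }
  return $out;
}

/** Return the message of every constraint the candidate fails. */
function example_policy_failures(string $password, array $constraints): array {
  $failed = [];
  foreach ($constraints as $message => $check) {
    if (!$check($password)) {
      $failed[] = $message;
    }
  }
  return $failed;
}

/** Regenerate until a candidate passes every constraint, up to $maxAttempts. */
function example_generate_compliant(array $constraints, int $length = 16, int $maxAttempts = 100): string {
  // Assumed alphabet: look-alike characters (l, I, O, 0, 1) left out.
  $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*';
  for ($attempt = 1; $attempt <= $maxAttempts; $attempt++) {
    $candidate = example_random_password($length, $alphabet);
    if (example_policy_failures($candidate, $constraints) === []) {
      return $candidate;
    }
  }
  // The policy cannot be met by this generator (e.g. minimum length > $length).
  throw new RuntimeException("No compliant password after $maxAttempts attempts.");
}

// Constructed policy: message => check callable.
$constraints = [
  'Password length must be at least 12 characters.' => fn(string $p): bool => strlen($p) >= 12,
  'Password must contain at least 2 digits.' => fn(string $p): bool => preg_match_all('/\d/', $p) >= 2,
  'Password must contain at least 1 special character.' => fn(string $p): bool => preg_match('/[^a-zA-Z0-9]/', $p) === 1,
];
echo example_generate_compliant($constraints), PHP_EOL;
```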


Comments & Activities


  • 🇺🇸United States Kristen Pol Santa Cruz, CA, USA

    Thanks for creating this issue.

    I'm going through all the 8.x issues.

    As the 8.x is no longer supported, I'm postponing this issue for now and need feedback as to whether or not this issue is relevant to 4.0.x.

    If it is, please reopen and change the version, and make sure the issue summary is clear and complete, including concrete steps to reproduce. If it's not, please close.

    If there is no response to this in a month addressing the above, it can be closed.

  • 🇭🇺Hungary fox mulder

    The issue still exists when using Password Policy 4.0.3 together with Generate Password 2.1.2.

    Here is how to reproduce the problem:

    Enable the Generate Password module with its default settings, except for one change: on the page /admin/config/people/accounts, in the "Generate Password - User Account Registration" section, set "Admin password entry" to "Admins cannot set a password when creating or editing an account." This will hide the password field on the user registration form.

    Set up a basic password policy with at least one constraint, such as "Password character length", requiring the password to be at least 1 character long.

    Now, when an admin tries to create a new user, everything should work fine unless they accidentally use an existing username or email address. In that case, even though the generated password most likely satisfies the policy, the following error messages appear:

    "The password does not satisfy the password policies."

    "Password length must be at least 1 character."

    These errors are misleading and suggest that the password generated by the genpass module is somehow invalid. I believe this is the same issue originally reported.
