Ver 2.53, how to disable check against password list or use password anyway

4 posts by 3 authors in: Forums > CMS Builder
Last Post: April 12, 2013   (RSS)

By Codee - April 11, 2013

I have a client that just got upgraded to ver2.53. They have some user accounts that get disabled/reenabled from time-to-time. One of the users was just re-enabled and the new system will not allow the password (that they've always used) and is forcing a more secure password.  Customer would like this feature either: disabled completely or have it "allow password anyway". How can this be done...except maybe for deleting/modifying the 10,000 item password list?

By gregThomas - April 12, 2013

Hi,

There isn't a way you can disable this feature within the CMS, or allow insecure passwords. But you can make a change to the CMS Builder core files to get around it. If you go to cmsAdmin\lib\login_functions.php and make the following change on line 142:

  // allow plugins to add additional password rules
  $errors = applyFilters('login_newPasswordErrors', $errors, $passwordText);

  // return error text, use nl2br(htmlencode($errors) to covert to html
  $errors = implode("\n", $errors);
  if ($errors) { $errors .= "\n"; }
  return ''; 

Then even if an insecure password is detected the error will not be returned.

I really wouldn't recommend disabling this feature, as it increases your CMS Admin areas vulnerability to being hacked. Also, as this is a change to a core CMS Builder file, the change will be lost if you upgrade CMS Builder.

Let me know if you have any questions.

Cheers

Greg

Greg Thomas







PHP Programmer - interactivetools.com

By Jason - April 12, 2013

Hi,

Like Greg said, the one of the issues with changing CSMB source code is that an upgrade will overwrite the change.  One issue with returning an empty string is that it would stop all errors from being returned, effectively allowing people to create blank passwords.

The really quick option would be to open login_password_blacklist.txt and either remove the password in question from the list, or all passwords, leaving a blank file.  As with the other change, this will be overwritten in an upgrade.

A better solution would be to set up a simple plugin that uses the login_newPasswordErrors filter hook.  This hook takes in the error array and the password text.  You can then search through the error array for the string "Password found in list of "most common passwords", please choose a more secure password." and remove that array element.  Always make sure you return the array at the end of the call.  This would allow you to implement this change without modifying the source code.  It will also still work in an upgrade.

Please note that this is still not recommended as this will allow the users to create unsafe passwords.

Hope this helps

---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/