Login Form Forgotten Password link does not have a password strength

This topic has 5 replies, 2 voices, and was last updated 6 days, 2 hours ago by sg123.

Viewing 6 posts - 1 through 6 (of 6 total)

Author

Posts
February 25, 2025 at 1:51 AM #47733

sg123
Participant

I am using the login form and during my testing I have clicked on the forgot password link.

It sends me an email to reset my password which takes me back to the login form but using the url variable ?rwmb-reset-password=true with the change password key and the email address.

This is all fine except I cannot find anywhere to specify the password strength for this form and on testing it allows me to set the password as a single character which is obviously not acceptable. Can you please advise where I can control the password strength for the reset password using the login form?

Add New Note to this Reply

February 25, 2025 at 3:08 AM #47735

sg123
Participant

Just to also let you know I wondered if you guys were using the same method for your own website and you do. I was able to change my password to 123. Obviously I have reset it to something stronger but surely this is an oversight or perhaps a bug after the last update?

Add New Note to this Reply

February 25, 2025 at 11:09 PM #47738

Peter
Moderator

Hello,

Thank you for your feedback.

You are correct. The password field in the reset password form doesn't have the password strength option.
https://docs.metabox.io/fields/password/

If you can use the filter hook, you can check the filter rwmb_profile_reset_password_fields to adjust the password field of the form and add some custom attributes to the field settings like minlength, pattern ...
https://docs.metabox.io/custom-attributes/

The code to create the form is located in the file
/wp-content/plugins/meta-box-aio/vendor/meta-box/mb-user-profile/src/DefaultFields.php

Add New Note to this Reply

February 26, 2025 at 1:48 AM #47741

sg123
Participant

Can you let me know how I would go about adding the strength option to the field? It works for the register form so not sure why it can't be used for the reset password form as they use the same input fields with the same names? I need to get this working as soon as possible.

Add New Note to this Reply

February 26, 2025 at 9:00 PM #47745

Peter
Moderator

Hello,

The reset password form has different settings, it doesn't use the same settings as in the register form. I will inform the development team to consider supporting the password strength in the reset password form.

If you are familiar with coding, you can follow my suggestion above to use the filter hook rwmb_profile_reset_password_fields and set some custom attributes to the field.

Add New Note to this Reply

February 26, 2025 at 9:08 PM #47747

sg123
Participant

Thanks for getting back to me.

I ended up adding my own javascript to control this as the custom attributes didn't give me what I needed. TBH I'm surprised this isn't supported as it makes for an insecure site when the user can change their password to something so weak as '123'.

Add New Note to this Reply
Author

Posts

Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.