Skip to content

Commit

Permalink
Merge pull request #279 from humanmade/backport-276-to-v13-branch
Browse files Browse the repository at this point in the history
[Backport v13-branch] Updates to password security page.
  • Loading branch information
mikelittle authored Aug 23, 2023
2 parents 658eaf5 + dd77d36 commit 08dbc4c
Show file tree
Hide file tree
Showing 2 changed files with 58 additions and 35 deletions.
35 changes: 0 additions & 35 deletions docs/minimum-password-strength.md

This file was deleted.

58 changes: 58 additions & 0 deletions docs/password-security.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
# Password Security

## Bcrypt Password Hashing

Altis uses the `wp-password-bcrypt` library (from [Roots](https://github.com/roots/wp-password-bcrypt)) to provide
bcrypt password hashing for WordPress. This library is a drop-in replacement for WordPress' default password hashing
functions, and provides a more secure hashing algorithm.

Altis also allows you to control the minimum password strength required for user passwords, and provides a filter to add
additional password strength checks. See below for more information.

## Minimum Password Strength

To protect against brute force and dictionary attacks, Altis enforces a minimum password strength.

Passwords are scored one of four possible scores:

* Very Weak (score: 1)
* Weak (score: 2)
* Medium (score: 3)
* Strong (score: 4)

By default, passwords which score below 2 (i.e. Very Weak passwords) will be rejected.

To change the minimum password strength, set the `modules.security.minimum-password-strength` setting to a different score (i.e. `3`).

To disable the minimum password strength checks, set the `modules.security.minimum-password-strength` setting to `0`.


## Additional strength checks

To add additional strength checks, the `altis.security.passwords.is_weak` filter is provided. This filters the
boolean `$is_weak` which can be set to `true` to reject a password.

For example, to reject any passwords which contain the word "human":

```php
add_filter( 'altis.security.passwords.is_weak', function ( $is_weak, $password ) {
if ( strpos( $password, 'human' ) !== false ) {
return true;
}

return $is_weak;
}, 10, 2 );
```

The filter receives other parameters which can be used for more dynamic checks; for example, you could require a higher
password strength score for administrators or for specific capabilities.

```php
add_filter( 'altis.security.passwords.is_weak', function ( bool $is_weak, string $password, WP_User $user, array $results ) {
if ( $user->has_cap( 'publish_newsletter' ) && ( $results['score'] < 4 ) ) {
return true;
}

return $is_weak;
}, 10, 4 );
```

0 comments on commit 08dbc4c

Please sign in to comment.