From d53e8de8d3dc5300f3ddbeeb8e0a33181363c986 Mon Sep 17 00:00:00 2001 From: Mike Little Date: Tue, 22 Aug 2023 16:03:56 +0000 Subject: [PATCH 1/2] Updates to password security page. Rename page to be more appropriate. Add information about our use of the bcrypt library. Add second filter example showing how to use the other parameters. Grammar and formatting fixes. --- docs/minimum-password-strength.md | 35 ------------------- docs/password-security.md | 58 +++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+), 35 deletions(-) delete mode 100644 docs/minimum-password-strength.md create mode 100644 docs/password-security.md diff --git a/docs/minimum-password-strength.md b/docs/minimum-password-strength.md deleted file mode 100644 index ac2bf34..0000000 --- a/docs/minimum-password-strength.md +++ /dev/null 
@@ -1,35 +0,0 @@ -# Minimum Password Strength - -To protect against brute force and dictionary attacks, Altis enforces a minimum password strength. - -Passwords are scored one of four possible scores: - -* Very Weak (score: 1) -* Weak (score: 2) -* Medium (score: 3) -* Strong (score: 4) - -By default, passwords which score below 2 (i.e. Very Weak passwords) will be rejected. - -To change the minimum password strength, set the `modules.security.minimum-password-strength` setting to a different score (i.e. `3`). - -To disable the minimum password strength checks, set the `modules.security.minimum-password-strength` setting to `0`. - - -## Additional strength checks - -To add additional strength checks, a `altis.security.passwords.is_weak` filter is provided. This filters the boolean `$is_weak` which can be set to `true` to reject a password. - -For example, to reject any passwords which contain the word "human": - -```php -add_filter( 'altis.security.passwords.is_weak', function ( $is_weak, $password ) { - if ( strpos( $password, 'human' ) !== false ) { - return true; - } - - return $is_weak; -}, 10, 2 ); -``` - -The filter receives other parameters which can be used for more dynamic checks; for example, you could require a higher password strength score for administrators. diff --git a/docs/password-security.md b/docs/password-security.md new file mode 100644 index 0000000..d94c2d7 --- /dev/null +++ b/docs/password-security.md 
@@ -0,0 +1,58 @@ +# Password Security + +## Bcrypt Password Hashing + +Altis uses the `wp-password-bcrypt` library (from [Roots](https://github.com/roots/wp-password-bcrypt)) to provide +bcrypt password hashing for WordPress. This library is a drop-in replacement for WordPress' default password hashing +functions, and provides a more secure hashing algorithm. + +Altis also allows you to control the minimum password strength required for user passwords, and provides a filter to add +additional password strength checks. See below for more information. + +## Minimum Password Strength + +To protect against brute force and dictionary attacks, Altis enforces a minimum password strength. + +Passwords are scored one of four possible scores: + +* Very Weak (score: 1) +* Weak (score: 2) +* Medium (score: 3) +* Strong (score: 4) + +By default, passwords which score below 2 (i.e. Very Weak passwords) will be rejected. + +To change the minimum password strength, set the `modules.security.minimum-password-strength` setting to a different score (i.e. `3`). + +To disable the minimum password strength checks, set the `modules.security.minimum-password-strength` setting to `0`. + + +## Additional strength checks + +To add additional strength checks, the `altis.security.passwords.is_weak` filter is provided. This filters the +boolean `$is_weak` which can be set to `true` to reject a password. + +For example, to reject any passwords which contain the word "human": + +```php +add_filter( 'altis.security.passwords.is_weak', function ( $is_weak, $password ) { + if ( strpos( $password, 'human' ) !== false ) { + return true; + } + + return $is_weak; +}, 10, 2 ); +``` + +The filter receives other parameters which can be used for more dynamic checks; for example, you could require a higher +password strength score for administrators or for specific capabilities. 
+ +```php +add_filter( 'altis.security.passwords.is_weak', function ( bool $is_weak, string $password, WP_User $user, array $results ) { + if ( $user->has_cap( 'publish_newsletter' ) && ( $results['score'] < 4 ) ) { + return true; + } + + return $is_weak; +}, 10, 4 ); +``` From dd77d3698483262ddf0d449b420f01d39177b842 Mon Sep 17 00:00:00 2001 From: Mike Little Date: Tue, 22 Aug 2023 16:14:43 +0000 Subject: [PATCH 2/2] Fix example code indentation. --- docs/password-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/password-security.md b/docs/password-security.md index d94c2d7..c714e47 100644 --- a/docs/password-security.md +++ b/docs/password-security.md @@ -50,7 +50,7 @@ password strength score for administrators or for specific capabilities. ```php add_filter( 'altis.security.passwords.is_weak', function ( bool $is_weak, string $password, WP_User $user, array $results ) { if ( $user->has_cap( 'publish_newsletter' ) && ( $results['score'] < 4 ) ) { - return true; + return true; } return $is_weak;
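Review bot: the deletion of docs/minimum-password-strength.md (first hunk of PATCH 1/2) leaves no stub or redirect at the old path, so any existing links, bookmarks or navigation entries pointing at `minimum-password-strength` will break even though the content moves verbatim into docs/password-security.md; either keep a short stub at the old path that points to the new page, or update whatever index references the old filename in the same change.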
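Review bot: the second example in the new docs/password-security.md hunk introduces `WP_User $user` and `array $results` and reads `$results['score']`, but the prose only says "The filter receives other parameters" and never lists them; document the full signature of `altis.security.passwords.is_weak` (`$is_weak`, `$password`, `$user`, `$results`) and the keys available in `$results` alongside the first example so readers do not have to infer them from code. Two smaller points in the same hunk: "a different score (i.e. `3`)" should read "e.g. `3`", since 3 is one possible value rather than the only one, and the first example's `strpos( $password, 'human' )` is case-sensitive, so "Human" or "HUMAN" would not be rejected; `stripos` matches the stated intent. Finally, `publish_newsletter` is not a core WordPress capability, so a short note that it stands in for a site-specific capability would avoid readers copying it as-is.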