Chapter 3. Password Control Usage

This section describes the various plugin options.

Configuration

The plugin configuration is illustrated below.

Once all parameters have been specified, save them so that they take effect. Remember that the plugin also has to be enabled!

Plugin Configuration

When entering the administrator plugin screen for the Password Control system plugin, the following screen will be displayed. Note that the text displayed will vary between releases.

Figure 3.1. Administrator Plugin Screen

Clicking upon the various links will navigate to the specified screen. For example, clicking upon 'Changelog' will show a popup window with the changes for each release. An example of the changelog display is shown in the figure below:

Figure 3.2. Plugin Changelog

Basic Settings

The following screen shows the configuration parameters part of the plugin screen for the system plugin. It is here that one specifies how often passwords should be changed, how many previous passwords are retained per user for reuse checking, etc. Most of the required parameters are self-evident and do not require any further explanation here.

Hovering over the parameter label with the mouse will display a tooltip for the particular parameter, with more details if appropriate.

Figure 3.3. Basic Control Settings

The users and user groups shown in the above display will be different for each site, as they are dependent upon the users and user groups configured and registered on the particular site.

The 'Force on First Logon' parameter is useful when a 'weak' password has been supplied by an administrator when setting up an account. If the Password Generator is used, it is probably not necessary to force the user to change their password yet again on first logon.

Note

The 'Unique Change Date' parameter has a specific ability to force all users (except exempt users) to change their passwords on a specific date. The parameter is specified in the usual way, but when it is processed by the front end in normal operation it will modify the plugin control table for the required users and then 'reset' the plugin parameter back to a null value. This is intentional, so that users are not continually forced to change their passwords if a date in the past is specified.

Release 0.1.3 adds an additional option to force the user to change their email address upon initial login. Some sites using components such as eShop or VirtueMart have a situation where they provide their customers with free logins. They create a number of logins with usernames such as the name of the shop plus a client number, a password of 12345, and a created email address similar to ZK1504-01@ourdomain.com. When the user logs in there is a need to force the customer to change their password, and this option will additionally force a mandatory email change on first login. The email change is forced because otherwise it is suspected that it would be overlooked. The change is only required for the initial login and a check against the previous email address is not necessary. Email validation is performed by Joomla.

It is possible to specify specific users, or even specific groups of users that are exempt from being forced to change their passwords periodically. This might typically be applied for internal support staff for example.

Release 0.1.2 extended this so that the exempted users/groups are also able to reuse their previously specified passwords as well.

Form Field Settings

These settings control the display of the 'other' fields upon the User Profile Edit Form. These include the 'username', 'name' and email fields. Some sites may wish to hide these fields, either to make the form 'simpler' for the users or because the fields are not used on the site.

It is also possible to add an additional 'informational' field to the form. This might be used to provide some additional instructions to the users, such as the form that a supplied password has to take.

Figure 3.4. Form Field Settings

The 'informational' field can make the format requirements of the password field more obvious to the user. The only method previously available for providing the user with this sort of information was to change the tooltip text displayed when the mouse hovers over the 'password' field, which, it is acknowledged, is not always obvious to most users.

If the option to force a user to change their email address upon initial login is chosen then the email address field will be displayed when the user initially logs in. The option to hide the address is not enforced in this particular situation.

Password Criteria Check Settings

Figure 3.5. Password Criteria Check Settings

There are four separate parts to the Password Criteria. The first is whether a check should be performed to prevent the user's name and site username from being in the specified password.

The second is whether a check should be performed upon the email address being contained within the specified password.

The third part is where the majority of the checks are specified.

The password criteria checks can check for the following:

  1. At least one numeric character. i.e. 0 -> 9

  2. At least one lowercase character. i.e. a -> z

  3. At least one uppercase character. i.e. A -> Z

  4. At least one special character. i.e. !, #, @, % etc.

  5. The minimum length of the required password. Default 8. The longer the better.

  6. The minimum required entropy of the password. Entropy is defined as a measure of the uncertainty in a random variable and is a common and easy way to estimate the password strength.

    The entropy is given by H = L log₂ N, where L is the length of the password and N is the alphabet size; H is usually measured in bits.

    The entropy measures the number of bits it would take to represent every password of length L under an alphabet with N different symbols.

    i.e. a password of 7 lower-case characters (such as: example, polmnni, etc.) has an entropy of H = 7 log₂ 26 ≈ 32.9 bits.

    A password of 10 alpha-numeric characters (such as: P4ssw0Rd97, K5lb42eQa2) has an entropy of H = 10 log₂ 62 ≈ 59.54 bits.

    Higher entropy means stronger password (in terms of resistance to brute force attacks). Enter 0 to disable this check.

  7. The maximum number of occurrences of any single character within the specified password. Enter 0 to skip this check.

  8. Maximum number of identical consecutive characters in the password. 1 indicates that there should be no identical consecutive characters. Enter 0 to skip this check.

The fourth and final part is whether a one-line message about the determined strength of the supplied password should be displayed. This display is optional. There is a range of ten possible values for the determined strength of the supplied password.
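The following is an added example, not the plugin's own PHP code, showing how the first three parts of the Password Criteria described above can be implemented as a single policy check: the name/username and email containment checks, the four character-class checks, the minimum length, the entropy H = L log₂ N, the per-character occurrence limit and the identical-consecutive-character limit, each of the optional limits being disabled by 0 as on the plugin screen. It assumes that N is the sum of the sizes of the character classes actually present in the password (26 lowercase, 26 uppercase, 10 digits and, as a further assumption, the 32 ASCII punctuation characters as 'special'), which reproduces the manual's 32.9-bit and 59.54-bit figures. The ten-level strength message is not reproduced because the page does not define its scale.

```python
import math
import string
from collections import Counter
from dataclasses import dataclass
from typing import List

# Assumption: the 32 printable ASCII punctuation characters count as "special".
SPECIAL_CHARS = set(string.punctuation)


@dataclass
class Policy:
    """The criteria checks as parameters; 0 disables an optional numeric limit."""
    require_digit: bool = True
    require_lower: bool = True
    require_upper: bool = True
    require_special: bool = True
    min_length: int = 8
    min_entropy_bits: float = 0.0
    max_char_occurrences: int = 0
    max_consecutive_identical: int = 0
    forbid_name_and_username: bool = True
    forbid_email: bool = True


def alphabet_size(password: str) -> int:
    """N: alphabet size implied by the character classes actually used."""
    n = 0
    if any(c.islower() for c in password):
        n += 26
    if any(c.isupper() for c in password):
        n += 26
    if any(c.isdigit() for c in password):
        n += 10
    if any(c in SPECIAL_CHARS for c in password):
        n += len(SPECIAL_CHARS)
    return n


def entropy_bits(password: str) -> float:
    """H = L * log2(N) as defined in the manual; 0 for an empty password."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def longest_identical_run(password: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    longest = run = 0
    previous = None
    for c in password:
        run = run + 1 if c == previous else 1
        longest = max(longest, run)
        previous = c
    return longest


def check_password(password: str, policy: Policy,
                   name: str = "", username: str = "", email: str = "") -> List[str]:
    """Return the list of failed criteria; an empty list means the password is accepted."""
    failures: List[str] = []
    lowered = password.lower()

    # Part 1: the user's name and username must not appear in the password.
    # Assumption: multi-word names are also checked word by word (3+ characters).
    if policy.forbid_name_and_username:
        candidates = [username, name] + [w for w in name.split() if len(w) >= 3]
        if any(v and v.lower() in lowered for v in candidates):
            failures.append("contains the user's name or username")

    # Part 2: the email address must not appear in the password.
    # Assumption: the local part before '@' is checked as well as the full address.
    if policy.forbid_email and email:
        local_part = email.split("@", 1)[0]
        if email.lower() in lowered or (len(local_part) >= 3 and local_part.lower() in lowered):
            failures.append("contains the email address")

    # Part 3: character classes, length, entropy and repetition limits.
    if policy.require_digit and not any(c.isdigit() for c in password):
        failures.append("no numeric character")
    if policy.require_lower and not any(c.islower() for c in password):
        failures.append("no lowercase character")
    if policy.require_upper and not any(c.isupper() for c in password):
        failures.append("no uppercase character")
    if policy.require_special and not any(c in SPECIAL_CHARS for c in password):
        failures.append("no special character")
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.min_entropy_bits > 0 and entropy_bits(password) < policy.min_entropy_bits:
        failures.append(f"entropy below {policy.min_entropy_bits} bits")
    if policy.max_char_occurrences > 0 and \
            max(Counter(password).values(), default=0) > policy.max_char_occurrences:
        failures.append(f"a character occurs more than {policy.max_char_occurrences} times")
    if policy.max_consecutive_identical > 0 and \
            longest_identical_run(password) > policy.max_consecutive_identical:
        failures.append(f"more than {policy.max_consecutive_identical} identical consecutive characters")
    return failures


if __name__ == "__main__":
    # The manual's own worked examples: 7 lowercase letters and 10 alphanumerics.
    for pw in ("example", "P4ssw0Rd97"):
        print(f"{pw}: N={alphabet_size(pw)}, H={entropy_bits(pw):.2f} bits")
    print(check_password("P4ssw0Rd97", Policy(require_special=False, min_entropy_bits=50)))
```

Run as a script it prints the two entropy figures from the manual and an empty failure list for P4ssw0Rd97 under a policy with the special-character check switched off and a 50-bit entropy floor; the same function returns the specific failed criteria for weaker inputs, which is what a front-end form would display to the user.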

Password Generator Settings

Figure 3.6. Password Generator Settings

Most of the parameters are reasonably obvious as can be seen in the figure above.

The administrator can decide whether they wish to have the back end User Edit screen display the 'Password Generator' button.

Controls are provided for the administrator to specify the size of the Dialog box popup window; the appropriate size will depend upon the length of the information strings included in the dialog box. Note that the display itself will also depend upon the site template (front end and back end) CSS settings.

Because the Generator Dialog window uses jQuery, there are options to specify the version of jQuery to use and the location from which the files will be downloaded. The default is to use the (currently) latest version from a Content Delivery Network (CDN).

Note

The jQuery setting is ignored for Joomla 3.1 sites, because this version of Joomla already ships with Bootstrap and jQuery, so any specified setting is ignored.

The code also checks whether jQuery has previously been loaded in the template and if it has, will silently ignore any specified value and use the previously loaded version.

The display of the Dialog box is controlled by the 'theme'. Various alternative themes are available and it is only necessary to specify the specific required theme in the parameters. See http://jqueryui.com/themeroller/ for some possible themes that one may choose. The default is the 'start' theme.

Alternative dialog window code

One particularly nasty problem was seen when testing the plugin upon a site template based upon Bootstrap 3 which included a piece of jQuery code known as mmenu, used for the display of on- and off-screen mobile menus. The problem was traced to a coding conflict between jQuery-ui and mmenu, which was difficult to discover due to the lack of any error information or indeed any indication of what the possible cause might be. The symptoms were that the jQuery-ui dialog window would be shown to the user, but it was impossible for the user to make any selection, or indeed to perform any action other than refreshing the page.

The solution was to stop using the jQuery-ui code and instead substitute a different jQuery plugin known as 'jQuery.bootstrap'. This has the effect of resolving the specific conflict, but also creates a slightly different 'look' to the dialog window.

The 'jQuery.bootstrap' code is based upon Bootstrap 3 so worked flawlessly in our tests with a Bootstrap 3 site template. A new parameter has been provided to enable the use of this jQuery plugin instead of the jQuery.ui code.

Testing with Bootstrap 2 based templates such as 'protostar' indicates that the dialog window also works there, so it was suspected (and subsequently confirmed) that it is the 'mmenu' code that contributes to the problem, not the Bootstrap code.

The admin back end continues to make use of the jQuery.ui interface.
