[5.2] Password Strength Symbols

[brianteeman]

The script used to check for symbols in a password contains a limited set of symbols.

Pull Request for Issue #41552 .

Summary of Changes

This PR updates the script to ensure that all of the the list of special characters/symbols provided by OWASP are also included. They are the punctuation characters that are present on standard US keyboard.
The entire set of special characters/symbols is now @$!#?=;:*-_€%&()`´+[]{}'"|,.<>/~^

I added the additional comment to the licence so that it is clear that the script has been changed from the original which probably should have been done earlier when the regex was updated to include @

Testing Instructions

This change will require using a prebuilt package or npm ci to test

Set the password requirements in the User Options Password Minimum Symbols to 1

Try to create a password containing letters and one or more symbols from this list
+[]{}'"|,.<>/~^

Actual result BEFORE applying this Pull Request

The password will be rejected

Expected result AFTER applying this Pull Request

The password will be accepted

Link to documentations

Please select:

• Documentation link for docs.joomla.org:

• No documentation changes for docs.joomla.org needed

• Pull Request link for manual.joomla.org:

• No documentation changes for manual.joomla.org needed

[ceford]

I have tested this item ✅ successfully on 388d8e3

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43484.}

[viocassel]

I have tested this item ✅ successfully on 388d8e3

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43484.}

[alikon]

RTC

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/43484.}

[Quy]

Please fix javascript cs https://ci.joomla.org/joomla/joomla-cms/76291/1/20

[brianteeman]

i will not be at a pc for the foreseeable future - feel free to update it directly

[pe7er]

Thank you @brianteeman and @Quy !

[ghost]

The symbol "_" is not correctly recognized as a sybmol, so password "0123456789_Aa" is incorrect and throw error that mininum 1 special character (symbol) is required (only after registration form submit). Progress bar is green while paste password. Can You fix that ?

[brianteeman]

@MaverickPOZ please do not comment on closed PR - hardly anyone will see it. Please create a new issue

[petrovicivan]

Default installation shows 0 in Password Options->Minimum Symbols

[ghost]

And so what ? This is default ... Please put 1 in that field and use _ in password.

[petrovicivan]

https://docs.joomla.org/J5.x:Enhancing_Password_Security_with_Symbolic_Characters#Additional_Notes

This change applies to all Joomla 5.2 installations. Administrators should ensure that the password requirements are updated in the configuration to take full advantage of the enhanced security features.

For the end-user enable by default would be better option

[ghost]

Ivan, I have fresh J5.2 and nothing change - please provide password with symbol _ "TestPassword123With_" at https://demo.webster-studio.pl/login?view=registration - the bar is green but after submit form the error with "no symbol" appear.

[ghost]

[ceford]

This is a separate issue. The client side password has passed validation there but the server side uses this:

$nsymbols = preg_match_all('[\W]', $value, $smatch);

on line 133 of libraries/src/Form/Rule/PasswordRule.php - I think underline does not count as a non-word character.