Paranoid Mode Not Enforcing Password Length
I have set
define('PERCH_PARANOID', true);
but was still able to set a password to 5 characters long. I have also tried:
define('PERCH_PASSWORD_MIN_LENGTH', 8);
and it still wasn't being enforced.
Diagnostics
Perch Runway: 3.0.8
Production mode: Production (100)
Installed apps: content (3.0.8), assets (3.0.8), categories (3.0.8), perch_blog (5.5.1), perch_forms (1.9.1)
DB driver: PDO
DB tables: perch3_backup_plans (1), perch3_backup_resources (0), perch3_backup_runs (17), perch3_blog_authors (1), perch3_blog_comments (0), perch3_blog_index (268), perch3_blog_posts (11), perch3_blog_posts_to_tags (0), perch3_blog_sections (1), perch3_blog_tags (0), perch3_blogs (1), perch3_categories (29), perch3_category_counts (0), perch3_category_sets (2), perch3_collection_index (13500), perch3_collection_items (908), perch3_collection_revisions (194), perch3_collections (1), perch3_content_index (787), perch3_content_items (206), perch3_content_locks (0), perch3_content_regions (4), perch3_forms (2), perch3_forms_responses (0), perch3_menu_items (12), perch3_navigation (1), perch3_navigation_pages (2), perch3_page_routes (8), perch3_page_templates (20), perch3_pages (10), perch3_resource_log (3066), perch3_resource_tags (0), perch3_resources (1387), perch3_resources_to_tags (0), perch3_settings (29), perch3_user_passwords (4), perch3_user_privileges (35), perch3_user_role_privileges (6), perch3_user_roles (2), perch3_users (4)
Users: 4
App runtimes:
<?php
$apps_list = [
'perch_blog',
'perch_forms',
];
Scheduled tasks for perch_blog: delete_spam_comments (1440 mins)
Scheduled tasks for Backup: plan_1 (10 mins)
Editor plug-ins: config.js
H1: e49f2b1f1a5c33f77bf4205325eafb17
L1: 208d4f52e4e802596b1674cc52ed6be5
F1: 0c66c2e1f82f9e0b7617b2cb8270f2c7
content_singlePageEdit: 1
helpURL:
siteURL: /
hideBranding: 1
content_collapseList: 1
lang: en-gb
installedAt: 3.0.8
update_3.0.8: done
headerColour: #000000
headerScheme: dark
update_runway_3.0.8: done
latest_version:
on_sale_version: 3.0.8
dashboard: 0
hide_pwd_reset: 0
keyboardShortcuts: 1
siteOffline: 0
content_hideNonEditableRegions: 0
content_frontend_edit: 0
content_skip_region_list: 0
perch_blog_update: 5.0.1
perch_blog_post_url: /blog/{postSlug}
perch_blog_site_name:
perch_blog_slug_format: %Y-%m-%d-{postTitle}
perch_blog_akismet_key:
perch_blog_max_spam_days: 30
perch_blog_comment_notify: 0
logoPath: /admin/resources/logo.svg
PERCH_DEVELOPMENT: 10
PERCH_STAGING: 50
PERCH_PRODUCTION: 100
PERCH_SITEPATH: /Users/Toby/Sites/create-this
PERCH_SCHEDULE_SECRET: Er5C4HswprZy2Ctk
PERCH_DB_USERNAME: root
PERCH_DB_SERVER: localhost
PERCH_DB_DATABASE: perch_ct_local
PERCH_DB_PREFIX: perch3_
PERCH_EMAIL_FROM: helpus@create-this.co.uk
PERCH_EMAIL_FROM_NAME: Create-This
PERCH_LOGINPATH: /admin
PERCH_PATH: /Users/Toby/Sites/create-this/admin
PERCH_CORE: /Users/Toby/Sites/create-this/admin/core
PERCH_RESFILEPATH: /Users/Toby/Sites/create-this/admin/resources
PERCH_RESPATH: /admin/resources
PERCH_HTML5: 1
PERCH_TZ: UTC
PERCH_CUSTOM_EDITOR_CONFIGS: 1
PERCH_PARANOID: 1
PERCH_PASSWORD_MIN_LENGTH: 8
PERCH_RUNWAY: 1
PERCH_ERROR_MODE: DIE
PERCH_DATE_LONG: %d %B %Y
PERCH_DATE_SHORT: %d %b %Y
PERCH_TIME_SHORT: %H:%M
PERCH_TIME_LONG: %H:%M:%S
PERCH_RUNWAY_ROUTED:
PERCH_STRONG_PASSWORDS:
PERCH_ASSET_VERSION: 5163d57ff611b3cf853b
PERCH_DEBUG:
PERCH_PREVIEW_ARG: preview
PERCH_TEMPLATE_PATH: /Users/Toby/Sites/create-this/admin/templates
PERCH_TEMPLATE_FILTERS:
PERCH_DEFAULT_DOC: index.php
PERCH_DEFAULT_EXT: .php
PERCH_PRODUCTION_MODE: 100
PERCH_XHTML_MARKUP:
PERCH_RWD: 1
PERCH_HTML_ENTITIES:
PERCH_SSL:
PERCH_STRIPSLASHES:
PERCH_PROGRESSIVE_FLUSH: 1
PERCH_FORCE_SECURE_COOKIES: 1
PERCH_DEFAULT_BUCKET: default
PERCH_TRANSLATION_ASSIST:
PERCH_MAX_FAILED_LOGINS: 10
PERCH_AUTH_LOCKOUT_DURATION: 1 HOUR
PERCH_VERIFY_UPLOADS: 1
PERCH_PRIV_ASSIST:
PERCH_AUTH_PLUGIN:
PERCH_DB_CHARSET: utf8
PERCH_DB_PORT:
PERCH_DB_SOCKET:
PERCH_SESSION_TIMEOUT_MINS: 20
PERCH_APPS_EDITOR_PLUGIN: markitup
PERCH_APPS_EDITOR_MARKUP_LANGUAGE: markdown
Hosting settings
PHP: 5.6.30
Zend: 2.6.0
OS: Darwin
SAPI: cgi-fcgi
Safe mode: not detected
MySQL client: mysqlnd 5.0.11-dev - 20120503 - $Id: 76b08b24596e12d4553bd41fc93cccd5bac2fe7a $
MySQL server: 5.6.35
Free disk space: 27.03 GB
Extensions: Core, date, ereg, libxml, openssl, pcre, sqlite3, zlib, bcmath, bz2, calendar, ctype, curl, dom, hash, fileinfo, filter, ftp, gd, SPL, iconv, intl, json, ldap, mbstring, session, standard, mysqlnd, mysqli, PDO, pdo_mysql, pdo_sqlite, Phar, posix, readline, Reflection, mysql, SimpleXML, soap, sockets, exif, tokenizer, wddx, xml, xmlreader, xmlwriter, xsl, zip, cgi-fcgi, imap, gettext, mcrypt, pgsql, pdo_pgsql, igbinary, memcached, mhash
GD: Yes
ImageMagick: No
PHP max upload size: 32M
PHP max form post size: 32M
PHP memory limit: 128M
Total max uploadable file size: 32M
Resource folder writeable: Yes
Session timeout: 24 minutes
Native JSON: Yes
Filter functions: Yes
Transliteration functions: Yes
PHP_FCGI_CHILDREN: 4
PWD: /Applications/MAMP/fcgi-bin
PHP_FCGI_MAX_REQUESTS: 200
__CF_USER_TEXT_ENCODING: 0x1F5:0x0:0x2
ORIG_SCRIPT_NAME: /fcgi-bin/php5.6.30.fcgi
ORIG_PATH_TRANSLATED: /Users/Toby/Sites/create-this/admin/core/settings/diagnostics/index.php
ORIG_PATH_INFO: /admin/core/settings/diagnostics/index.php
ORIG_SCRIPT_FILENAME: /Applications/MAMP/fcgi-bin/php5.6.30.fcgi
SCRIPT_NAME: /admin/core/settings/diagnostics/index.php
REQUEST_URI: /admin/core/settings/diagnostics/?extended
QUERY_STRING: extended
REQUEST_METHOD: GET
SERVER_PROTOCOL: HTTP/1.1
GATEWAY_INTERFACE: CGI/1.1
REDIRECT_URL: /admin/core/settings/diagnostics/index.php
REDIRECT_QUERY_STRING: extended
REMOTE_PORT: 63252
SCRIPT_FILENAME: /Users/Toby/Sites/create-this/admin/core/settings/diagnostics/index.php
SERVER_ADMIN: you@example.com
DOCUMENT_ROOT: /Users/Toby/Sites/create-this
REMOTE_ADDR: ::1
SERVER_PORT: 8888
SERVER_ADDR: ::1
SERVER_NAME: ct.loc
SERVER_SOFTWARE: Apache
PATH: /usr/bin:/bin:/usr/sbin:/sbin
HTTP_COOKIE: cmsa=1; PHPSESSID=50d8b0c29f34dcb71c08c1f6f3ac5823
HTTP_ACCEPT_LANGUAGE: en-US,en;q=0.8
HTTP_ACCEPT_ENCODING: gzip, deflate
HTTP_REFERER: https://ct.loc:8888/admin/core/settings/diagnostics/
HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
HTTP_UPGRADE_INSECURE_REQUESTS: 1
HTTP_CONNECTION: keep-alive
HTTP_HOST: ct.loc:8888
REDIRECT_STATUS: 200
REDIRECT_HANDLER: php-fastcgi
FCGI_ROLE: RESPONDER
PHP_SELF: /admin/core/settings/diagnostics/index.php
REQUEST_TIME_FLOAT: 1502177074.49
REQUEST_TIME: 1502177074
argc: 1
Where and when are you setting the password?
First via the link in the email generated by creating a new user. Then if I log in as that user, I can again set a password below that threshold.
Can you give me the URLs?
Link from email:
/admin/core/reset/?token=4vse4q29rz9pklih6avlvqx9puim6u20&new=1
And on the account page:
admin/core/account/
For some reason you have PERCH_STRONG_PASSWORDS as false. Not sure why that is, but try:
Great, that worked, although define('PERCH_STRONG_PASSWORDS', false); wasn't declared in my config. On a related note, if I go into the Users section and choose to resend the link for that user without entering my own password to Authenticate, the form shows a validation error but the email still comes through.
Right, false is the default as most people don't want that functionality.
But shouldn't define('PERCH_PARANOID', true) set PERCH_STRONG_PASSWORDS to true?
It should do yes, and now it does, but in the build you have it wasn't.
Good to know, cheers as always Drew.
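Added example, not part of the thread and not Perch's own code: a small audit that reads the PERCH_* lines of a diagnostics report like the one posted above and flags the state this thread ran into, where PERCH_PARANOID and PERCH_PASSWORD_MIN_LENGTH are set but PERCH_STRONG_PASSWORDS is empty. The sample report is constructed, and the function names, finding labels and the required length of 8 are assumptions.

```python
import re

# Constructed excerpt in the "NAME: value" layout of the diagnostics report.
SAMPLE_REPORT = """\
PERCH_PARANOID: 1
PERCH_PASSWORD_MIN_LENGTH: 8
PERCH_STRONG_PASSWORDS:
PERCH_MAX_FAILED_LOGINS: 10
"""

LINE_RE = re.compile(r"^(PERCH_[A-Z0-9_]+):[ \t]*(.*)$")


def parse_report(text):
    """Return {constant: value} for every PERCH_* line; empty values stay ''."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def is_on(value):
    # The report shows enabled flags as "1" and false/undefined ones as empty.
    return value not in ("", "0")


def audit(settings, required_min_length=8):
    """List policy gaps; required_min_length is this example's assumption."""
    findings = []
    paranoid = is_on(settings.get("PERCH_PARANOID", ""))
    strong = is_on(settings.get("PERCH_STRONG_PASSWORDS", ""))
    min_len = settings.get("PERCH_PASSWORD_MIN_LENGTH", "")
    if paranoid and not strong:
        # The build in this thread did not turn strong passwords on itself.
        findings.append("paranoid-without-strong-passwords")
    if min_len.isdigit() and not strong:
        # In the thread, the length was only enforced once this flag was on.
        findings.append("min-length-set-but-strong-passwords-off")
    if not min_len.isdigit() or int(min_len) < required_min_length:
        findings.append("min-length-below-required")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_report(SAMPLE_REPORT)):
        print(finding)
```
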