Request: Password field allows spaces

[darrenc]

Please consider this a formal request and/or a question about why we are not allowed to use spaces in passwords in the admin.

Doesn't adding a few spaces to a password or passphrase significantly increases its security? Even the horrible example "This is my password." is much more secure than most passwords people pick for themselves (Possible Combinations: 10,596,610,576,391,421,000,000,000,000,000,000,000), more secure than the same characters sans-spaces, and likely easier and more natural to type.

Personally, I'd rather have a length requirement than be forced to use a digit and no spaces. Everyone has their own methods I suppose, so I was wondering if someone could shed some light on this?

[SiNNuT]

Good request and seconded. On websites that do allow i choose my passwords on regular words based on at the moment thoughts or observations. Just make sentences. I i were to chose one now it would maybe be:

60W lightbulb on the ceiling.

Good luck cracking that http://lifehacker.com/5796816/why-multiword-phrases-make-more-secure-passwords-than-incomprehensible-gibberish

While we're at it; i would also like users to be able to login with username or email adres.

[kongondo]

While we're at it; i would also like users to be able to login with username or email adres.

Logging in with email address has bee asked before (I think more than once?) and was not granted...can't find the topic now but it was mindplay. Ryan suggested to use a module instead. Mindplay ended up creating a module to do this...I'll search and post here if I find the thread..This is about ADMIN LOGIN. If you are talking frontend, please ignore me ;-)

http://processwire.com/talk/topic/1838-login-using-e-mail-rather-than-username-and-general-login-issues/

Related:

http://processwire.com/talk/topic/4552-user-names/

Edit: added link to thread + related stuff...

[ryan]

I have no problem with spaces in passwords. Can't say I've ever thought to put spaces in passwords, but it makes sense. I'll update to support that the next time I'm in the code for that module. As for logging in with email address, PW uses the username as the unique key for all users. Users are pages, so this is for consistency with the pages system as a whole. I think maintaining this consistency is preferable in keeping the whole thing as simple as possible. Not to mention, 'name' is a built-in property of every page, whereas 'email' is just a custom field in the template (it's technically possible for it to not exist). 

[lpa]

I would also like to see that the requirements of the password complexity could be defined without hacking the core.

[netcarver]

@Ipa, are you wanting to be able to define something like a password policy for a site? If so, would a module be more suitable for this? Maybe Ryan could introduce a hookable "check password policy" method (if there isn't one yet) that gets called when setting/changing a password?

Anyway, I'm not sure that the core is the right place to implement a password policy interface.

[Craig]

The Holy Grail would be to surface the complexity options in the module configuration page for the Inputfield or Fieldtype

[darrenc]

Yeah I was thinking Ipa's suggestion could be handled at the field configuration level when revealing the "pass" field which comes by default. I guess that's probably what you're saying craig but one level lower?

[*Most Powerful Pony!*]

and allow just a-z or 0-9 please

[Martijn Geerts]

@*Most Powerful Pony!*

Don't know if i'm happy with that. If you want "just a-z or 0-9" you can do it with the api.

But some kind of restriction for editors, make me sleep well at night.