Password Requirements


We have a client who requires users passwords are at least 12 characters and a mix of numbers and letters with at least one special character.

Is there a way to enforce this?


These are system settings. Passwords should, however, be longer than 12 characters (look at the table).
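For readers who want to see what the requested policy (at least 12 characters, letters plus digits, at least one special character) looks like when enforced in application code, here is a small added example. It is not Concrete's own code or its settings page; it is a stand-alone Python check that returns a list of violations, so a form handler can report all of them at once. The `username` parameter and the "password contains the username" rule are additions beyond the thread's policy, included because they are a common companion check.

```python
import unicodedata

# Minimum length the client asked for in the thread. The reply above notes
# that longer is better; raise this constant rather than the rule.
MIN_LENGTH = 12


def is_special(c: str) -> bool:
    """Treat Unicode punctuation (P*) and symbols (S*) as 'special characters'.
    This is broader than ASCII-only checks, so '€' or '—' also qualify."""
    return unicodedata.category(c)[0] in ("P", "S")


def check_password(password: str, username: str = "") -> list[str]:
    """Return every policy violation found; an empty list means the password passes."""
    pw = unicodedata.normalize("NFC", password)  # compare composed characters consistently
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(is_special(c) for c in pw):
        problems.append("no special character")
    # Hypothetical extra rule, not from the thread: never accept a password
    # that embeds the account name (case-insensitive).
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


def is_compliant(password: str, username: str = "") -> bool:
    return not check_password(password, username)


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3xyz", "correcthorsebattery", "Ab1!"]:
        print(repr(candidate), check_password(candidate) or "OK")
```

Run the check server-side; a client-side copy is only a convenience for the user, since anything in the browser can be bypassed.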

Thank you! I will check that page out.

Could you mark it as solved? Thx

1 Like

That table assumes that Concrete will suffer of brute force attacks, but that’s not the case.

If someone tries to crack a password by multiple attempts, their IP address gets blocked for 20 (IIRC) minutes after 3 failures.

And with 9 attempts/hour, even shorter passwords are rather hard to be broken.

Of course, if the website is attacked from thousands of different IPs, cracking passwords may be a little bit easier.
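To make the numbers in this post concrete (3 failures, a 20-minute block, hence 9 attempts per hour from one address), here is an added simulation of that kind of per-IP throttle. It is not Concrete's implementation; the block duration and failure threshold are taken from the post as the poster recalls them, and the attacker rate of one try per second is a constructed figure. The last function shows why the post's caveat about many source IPs matters: a per-IP lockout scales linearly with the number of addresses an attacker controls.

```python
from collections import defaultdict

BLOCK_AFTER_FAILURES = 3        # as stated in the post
BLOCK_SECONDS = 20 * 60         # 20 minutes, as recalled in the post


class LoginThrottle:
    """Per-IP failure counter with a temporary block (toy model, not Concrete's code)."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def allowed(self, ip: str, now: int) -> bool:
        return self.blocked_until.get(ip, 0) <= now

    def record(self, ip: str, now: int, success: bool) -> bool:
        """Record one login attempt. Returns True if the attempt was evaluated
        against the real password, False if it was rejected by the block."""
        if not self.allowed(ip, now):
            return False
        if success:
            self.failures[ip] = 0
            return True
        self.failures[ip] += 1
        if self.failures[ip] >= BLOCK_AFTER_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            self.failures[ip] = 0
        return True


def evaluated_attempts(hours: int = 1, ip: str = "198.51.100.7") -> int:
    """Simulate one address guessing once per second and always failing;
    count how many guesses actually reach the password check."""
    throttle = LoginThrottle()
    evaluated = 0
    for now in range(hours * 3600):
        if throttle.record(ip, now, success=False):
            evaluated += 1
    return evaluated


def hours_to_exhaust(keyspace: int, ips: int = 1, per_ip_per_hour: int = 9) -> float:
    """Hours needed to try every password in `keyspace` online, spread over `ips`
    addresses that each get `per_ip_per_hour` evaluated guesses."""
    return keyspace / (ips * per_ip_per_hour)


if __name__ == "__main__":
    print("evaluated guesses per hour from one IP:", evaluated_attempts())
    print("hours to exhaust 8 lowercase letters, 1 IP:", hours_to_exhaust(26 ** 8))
    print("hours to exhaust 8 lowercase letters, 1000 IPs:", hours_to_exhaust(26 ** 8, ips=1000))
```

Two design points worth noting from a defender's side: the block is keyed on the source address only, so a distributed source multiplies the budget, and keying on the target account instead would let an attacker lock legitimate users out. Production throttles usually combine both with a cap per account that slows rather than hard-blocks.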

No, it has nothing to do with attacking Concrete.
This table shows how much time it takes to crack passwords in different combinations with today's computing power, i.e. a 12-character password consisting of uppercase and lowercase letters will take 20 years.

I think that this is valuable information for someone who deals with web infrastructure management, but also for your own security, it is worth knowing how to construct any passwords, not to mention that it is also worth having 2FA.

I hope that someday we will also get 2FA in a package with Concrete CMS

I was reading something on human factors and passwords recently. Perhaps from the NCC or GCHQ.

The argument was that a brute force attack is not the only thing a password needs to protect against and that too much emphasis is placed on randomness with non alpha characters and numbers etc.

It concluded that a longer but memorable string or random-ish words is easier to remember and just as secure as a medium length string of completely random characters.

Such a password is also more memorable, so less likely to get written down on a yellow post it and stuck to the wall above the monitor.

1 Like
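Both the crack-time table discussed earlier and this post's point about long memorable passphrases reduce to the same arithmetic: the size of the alphabet raised to the length, divided by how fast an attacker can guess. Here is an added example that carries that calculation through for the thread's 12-letter password and for random-word passphrases of several lengths. It is not the table the thread links to; the guess rate is a constructed placeholder for an offline attack on a fast hash, so the absolute years differ from the table's figures, while the ordering between the rows is what the comparison is about. The passphrase rows assume words drawn uniformly from a 7776-word list (the diceware list size); a phrase a person composes by hand has less entropy than that.

```python
import math

# Constructed placeholder for an offline guessing rate (guesses per second).
# Real rates depend on the hash algorithm, its work factor and the hardware.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 86400


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def crack_years(alphabet_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to exhaust the whole keyspace at `rate` guesses per second
    (the expected time to hit one specific password is half of this)."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


# Rows of the comparison: (label, alphabet size, length)
CASES = [
    ("12 letters, upper+lower (52 symbols)", 52, 12),
    ("12 printable ASCII (95 symbols)", 95, 12),
    ("4 random words from 7776-word list", 7776, 4),
    ("6 random words from 7776-word list", 7776, 6),
]


def compare() -> dict[str, tuple[float, float]]:
    """Map each case label to (entropy bits, years to exhaust keyspace)."""
    return {label: (bits_of_entropy(n, k), crack_years(n, k)) for label, n, k in CASES}


if __name__ == "__main__":
    for label, (bits, yrs) in compare().items():
        print(f"{label:40s} {bits:6.1f} bits  {yrs:12.3g} years")
```

The takeaway matches the post: a passphrase is "just as secure" only once it is long enough that its word count times about 12.9 bits per word exceeds the entropy of the random string it replaces. Four random words fall well short of 12 random characters; six comfortably exceed them.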

That's right, it's one of the recommended methods, but the length matters here (as in the table).

If you have the opportunity to see live what methods are used in cybercrime today, I recommend it. It makes an impression and changes your point of view.

Don’t do it at home. :wink:

Back to passwords complexity for Concrete.

How would you crack a Concrete password, except with a brute force attack?

I would say “A chain is only as strong as its weakest link”,
it seems like the possibilities are endless. :wink:

Do you have an example of a weak link (always about Concrete)?

Unfortunately, I will disappoint you a bit: I don't deal with cybercrime, and I see no reason why I should try to hack Concrete. That does not change the fact that I know companies that carry out such audits; the one in the link above also does penetration testing.

Outsourcing this to specialists is the best method; otherwise, it's a crime. I don't recommend it, even if you have the knowledge.

Do you have an example of a weak link (always about Concrete)?

As far as I remember, 9.1.3 patched some vulnerabilities.

I don't know where this conversation is going.
The topic of security is not a stranger to you; you have a plugin with an SSL key generator in your portfolio, if I'm not mistaken.

Of course we can continue, but aren’t we muddying up the thread?

In a company I worked for many years ago (1980s), nearly everyone recorded their passwords on their office whiteboard.

Much easier than writing a brute force cracker to keep trying their login.

If that company was using Concrete these days, and their password security had not improved, I would zap a picture of their whiteboard with my phone. Password cracked in one.


And in this case, it is the weakest link, which is still in use :smiley:

1 Like