With cyber security becoming a larger concern to businesses online I thought I would write a blog post on how you can ensure that passwords are strong enough on customer accounts.
When customers register for an account on a default OpenCart installation, the only requirement seems to be that the password is longer than 4 characters (yes, just four!) and less than 20. Whilst it is up for debate whether there should be a much higher upper limit on the length of passwords, for the case of this blog we will just be looking at forcing the use of specific characters to make passwords more secure rather than focusing on the top limit of characters.
Open up the following file:
- catalog/controller/account/register.php
Towards the bottom of the file there is a section of code which validates the password input section. This is the code which we are going to adapt to make more secure.
|
1
2
3
|
if ((utf8_strlen($this->request->post['password']) < 4) || (utf8_strlen($this->request->post['password']) > 20)) {
$this->error['password'] = $this->language->get('error_password');
}
|
Below is a custom validation block of code which ensures that the password field has a number, a letter and a symbol. It also ensures that the password field is at least 8 characters long which I think is an acceptable minimum length rather than 4! Just replace the above with the code below to ensure customer passwords are strong enough.
|
1
2
3
|
if (!preg_match('^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=])(?=\S+$).{8,}$', $this->request->post['password'])) {
$this->error['password'] = "Please ensure that your password contains a number, a lowercase letter, and upper case letter, a symbol and is longer than eight characters";
}
|
Obviously, store owners will want customers to create strong passwords so they have to deal less with customers claiming their account has been compromised and the added security on passwords in the event of a breach. I think everyone can agree that asking customers for a four character password without checking it is not a secure system so with this short blog you can ensure customers make the right strength passwords.