Add notes about not all password strength drivers supporting score up to 5 (#9751)

2026-02-20 01:21:20 +01:00 · 2025-01-26 15:04:17 +01:00
parent 454a6e13a1
commit fa1f3bd852
2 changed files with 3 additions and 2 deletions
--- a/plugins/password/README
+++ b/plugins/password/README
@@ -446,14 +446,14 @@

 Driver using "Have I been pwned?" (https://haveibeenpwned.com/Passwords) API to
 check that entered passwords aren't already compromised (i.e., commonly known).
- The check is performed locally, the actual password is *not* transmitted anywhere else.
+ The check is performed locally, the actual password is *not* transmitted anywhere.

 Example configuration:

 $config['password_strength_driver'] = 'pwned';
 $config['password_minimum_score'] = 3;

- See the driver implementation file for more documentation.
+ Maximum supported score for this driver is 3. See the driver implementation file for more documentation.


 3. Driver API
--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@@ -22,6 +22,7 @@ $config['password_minimum_length'] = 8;

 // Require the new password to have at least the specified strength score.
 // Note: Password strength is scored from 1 (week) to 5 (strong).
+// Note: Some strength drivers (e.g. pwned) do not support full range.
 $config['password_minimum_score'] = 0;

 // Enables logging of password changes into logs/password