Many of the leading WordPress security plugins have the ability to force/require strong passwords for users. But one of the requests I’ve received from people is if there is a way to require passwords to be of a certain length. It seems that some users who work with clients are finding that some clients will reset a password to something “easier to remember” but not entirely secure, or the developer is trying to enforce a specific “password policy” and one of the aspects of a policy specifies a certain number of characters.
How to Set a Password Length Requirement
Setting a password length requirement is fairly easy since WordPress already provides a hook that occurs before a password is actually reset. The hook is validate_password_reset, and it allows developers to verify aspects of the user entered password before passing it through the password reset function.
Here is an example code snippet:
[snippet slug=password-length-checker lang=php]
The basics of this function (which can be placed in an active theme’s functions.php file or a custom plugin) are as follows:
- The WordPress hook being used is validate_password_reset.
- The function is comparing the value entered into the password reset box (pass1-text) and checking the length of that string (strlen) and making sure that if the entered password value is less than 12, then the following $errors will be rendered out on the screen.
- And since there are “errors” in the password reset process, the process does not continue and returns to the screen to allow the user to try again to create a password that “passes the test.”
You can try this out on your own site by creating a test user, then proceed to reset the password with a shorter password value.
While there are plugins that may perform this functionality, if you can do it with this simple code snippet, why clutter the plugins area with unnecessary plugins.
If you enjoy or find these types of posts useful, please let me know or request a type of tutorial/code solution in the comments below.