make minimum entropy configurable, update banned password const

ylebre · ylebre · commit 1d2e843e95c1 · 2025-07-02T19:34:40.000+02:00
diff --git a/config.php.example b/config.php.example
@@ -23,14 +23,17 @@
     // won't be locked out after failed login attempts;
     const TRUSTED_IPS = [];
 
+    // Minimum entropy level for a password to be acceptable.
+    const MINIMUM_PASSWORD_ENTROPY = 15;
+
     /**
      * The list is made up of entries from the following sources, and made all lower case:
      *  - https://raw.githubusercontent.com/DavidWittman/wpxmlrpcbrute/master/wordlists/1000-most-common-passwords.txt
      *  - https://nordpass.com/most-common-passwords-list/
      *  - https://www.safetydetectives.com/blog/the-most-hacked-passwords-in-the-world/
      *  - https://www.forbes.com/sites/daveywinder/2019/12/14/ranked-the-worlds-100-worst-passwords/
      */
-    const BANNEDPASSWORDS = [
+    const BANNED_PASSWORDS = [
         '123456',
         'password',
         '12345678',
diff --git a/lib/User.php b/lib/User.php
@@ -81,8 +81,8 @@ private static function isExpired($token) {
 		}
 		
 		public static function validatePasswordStrength($password) {
-			$entropy = PasswordValidator::getEntropy($password, BANNEDPASSWORDS);
-			$minimumEntropy = 50;
+			$entropy = PasswordValidator::getEntropy($password, BANNED_PASSWORDS);
+			$minimumEntropy = MINIMUM_PASSWORD_ENTROPY;
 			if ($entropy < $minimumEntropy) {
 				return false;
 			}

Original file line number	Diff line number	Diff line change
`@@ -81,8 +81,8 @@ private static function isExpired($token) {`
`81`	`81`	`}`
`82`	`82`
`83`	`83`	`public static function validatePasswordStrength($password) {`
`84`		`- $entropy = PasswordValidator::getEntropy($password, BANNEDPASSWORDS);`
`85`		`- $minimumEntropy = 50;`
	`84`	`+ $entropy = PasswordValidator::getEntropy($password, BANNED_PASSWORDS);`
	`85`	`+ $minimumEntropy = MINIMUM_PASSWORD_ENTROPY;`
`86`	`86`	`if ($entropy < $minimumEntropy) {`
`87`	`87`	`return false;`
`88`	`88`	`}`