
Enforcing password policy?


#1

I’d like to force my users to generate a password that meets minimum security rules.

I have a text field for setting one’s password. I also have a text field for checking if the password is valid.

A password, say, under 8 characters should be invalid according to my password policy. However, the “password is valid” check always evaluates to “yes”, even when the password field is blank.

How do I enforce the password policy I set up?


#2

You can use the condition formatting, I suppose.


#3

I have a condition on it, but it’s evaluating as ‘yes’ when it shouldn’t.


#4

Hey @kramwe :slight_smile: I ran into this the other day too - I think it may be a bug. I set up another condition which manually checks ‘Password Input’s value:number of characters is greater than or equal to 8’, as a temporary workaround to stop it from always evaluating to ‘yes’.


#5

Thanks. I’m bringing this to the Bubble team’s attention.


#6

Are you sure you checked the box ‘Check the password while typing’? If you don’t, the check will only happen server side.


#7

:open_mouth: :open_mouth: :open_mouth:


#8

Hi All,
was looking to extend the password policy offered by Bubble, so working on the plugin for that: https://yamedia.bubbleapps.io/ympasswordpolicy

The difference between Bubble’s and this one: you can really define your policy by setting minimum numbers of specific characters required (digits, capitals, lowercase, special), as well as the maximum length of the password. In return you get a list of messages about your password.
Since the differences are not too many, let me know what other features would be useful for you, so I can add them before releasing.


#9

@emmanuel - I just tested this and this 1/2 works.

When [image]

Then I tested:

  • If the password is empty, password is valid evaluates to “yes”
  • If password is >1 digit, password is valid now evaluates to “no”

So, 2 thoughts:

  1. The fix = check the password while typing & on workflow enforce PWD isn’t empty. (Why doesn’t “this input should not be empty” seem to work?)
  2. This is important and the feature is not intuitive. Wonder how many Bubble apps implement it incorrectly. Why not design the “password is valid” check to default to “no” if PWD is blank or fails policy?

I have a test page I could chat you if you’d want to test inputs for yourself.


#10

  1. That’s the correct behavior, we do not mark the input as invalid when it’s empty.

  2. The check is implemented on the server regardless, this is only a visual/UX thing. We had to do this for apps that didn’t implement a policy initially, otherwise users wouldn’t be able to modify their passwords.


#11

@emmanuel, when ‘This input should not be empty’ is checked and the password is empty, does password is valid = ‘yes’? My assumption is that when the password field is blank, the password is invalid.


#12

Yes, in Bubble empty and invalid are two different concepts (though you can combine them in a condition). And again, on the server, when signing a user up, if the password is empty, that will fail.


#13

So what does “This input should not be empty” do? When this is checked, shouldn’t password be invalid = yes if the password field is blank?


#14

“This input should not be empty” has nothing to do with the password, all it does is prevent a button (or text, or whatever) from being clickable if it’s referencing that input field.


#15

This is great — now how do we inform the user that they are not conforming to the password policy? I don’t see a ‘failed password check’ condition that would allow me to pass a message back to the user…


#16

As a conditional on an element existing on the same page:

[image]


#17

Got it. Thanks @philip
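
The empty-versus-invalid distinction from posts #9 to #14, combined with the per-character-class policy and list of messages described in post #8, as an added example that is not part of the thread and is not Bubble's or the plugin's own code. The names `POLICY`, `checkPassword` and `canSubmit` and the policy values are assumptions made for illustration.

```javascript
// Added example; hypothetical names, not Bubble's or the plugin's own code.
// Policy fields mirror the options listed in post #8; the values are constructed.
const POLICY = { minLength: 8, maxLength: 64, minDigits: 1, minUpper: 1, minLower: 1, minSpecial: 1 };

// Count matches of a global regular expression in a string.
function count(str, re) {
  return (str.match(re) || []).length;
}

// Returns { empty, valid, messages }. "empty" and "valid" are reported
// separately, but an empty password is never valid (fail closed).
function checkPassword(password, policy = POLICY) {
  const pw = typeof password === "string" ? password : "";
  const length = Array.from(pw).length; // code points, not UTF-16 units
  if (length === 0) {
    return { empty: true, valid: false, messages: ["Password is required."] };
  }
  const messages = [];
  if (length < policy.minLength) messages.push(`Use at least ${policy.minLength} characters.`);
  if (length > policy.maxLength) messages.push(`Use at most ${policy.maxLength} characters.`);
  const classes = [
    ["digit", /\p{Nd}/gu, policy.minDigits],
    ["capital letter", /\p{Lu}/gu, policy.minUpper],
    ["lowercase letter", /\p{Ll}/gu, policy.minLower],
    ["special character", /[^\p{L}\p{N}\s]/gu, policy.minSpecial],
  ];
  for (const [name, re, min] of classes) {
    if (count(pw, re) < min) messages.push(`Include at least ${min} ${name}(s).`);
  }
  return { empty: false, valid: messages.length === 0, messages };
}

// Gate for the signup or change-password handler: run the same check on the
// server, because the client-side result only drives what the user sees.
function canSubmit(password, policy = POLICY) {
  return checkPassword(password, policy).valid;
}
```

The `messages` array is what a page would show the user next to the input, which is the feedback asked for in post #15.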