How to Configure Password Meter in Magento 2

Posted on 13 July 2018

The password strength meter helps customers create a complex and secure password: it forces them to use a long password that contains uppercase letters, digits and special characters. The higher the password complexity, the more difficult it is to hack the account.

Magento 2 password meter on the storefront

Configuring the password strength meter in Magento 2 is straightforward: two options in the Magento 2 settings control the password complexity requirements. By default, Magento 2 requires a minimum password length of 8 characters and 3 required character classes.

The classes of password requirements are the following:

  • Uppercase letters
  • Lowercase letters
  • Digits
  • Special characters

So, you can configure the password meter so that it requires at least two of the four classes, for example digits and lowercase letters (example1234), or uppercase letters and special characters (EX@MPLE!).

How to change the required password length:

  1. Go to Stores > Configuration > Customers > Customer Configuration > Password Options
  2. Change the value of the Minimum Password Length option
  3. Save settings
  4. Flush cache

Studies say that a long password is better than a short but tricky one, so we don’t recommend decreasing the minimum password length.

How to change the number of required classes:

  1. Go to Stores > Configuration > Customers > Customer Configuration > Password Options
  2. Change the value of the Number of Required Character Classes option
  3. Save settings
  4. Flush cache

The more classes you require, the stronger the password. However, keep in mind that people may be unwilling to create an overly complicated password and may leave your website instead. Think twice and set appropriate password constraints.
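As an added example (not Magento’s own code), the following stand-alone JavaScript check applies the two settings described above, Minimum Password Length and Number of Required Character Classes, to the passwords quoted earlier; the regular expressions defining the four classes are an assumption made for this example.

```javascript
// Added example, not Magento's own code: a re-implementation of the two
// policy settings discussed above. The class regexes are an assumption
// that mirrors the four classes listed (uppercase, lowercase, digits,
// special characters = anything else).
const CHARACTER_CLASSES = {
  lowercase: /[a-z]/,
  uppercase: /[A-Z]/,
  digit: /[0-9]/,
  special: /[^a-zA-Z0-9]/,
};

// Names of the classes that occur at least once in the password.
function presentClasses(password) {
  return Object.keys(CHARACTER_CLASSES).filter((name) =>
    CHARACTER_CLASSES[name].test(password)
  );
}

// Apply Minimum Password Length and Number of Required Character Classes.
// Defaults are the Magento 2 defaults quoted on the page (8 and 3).
// Length is counted in code points so a multibyte character counts once.
function checkPasswordPolicy(password, { minLength = 8, requiredClasses = 3 } = {}) {
  const errors = [];
  const length = Array.from(password).length;
  if (length < minLength) {
    errors.push(`length ${length} is below the minimum of ${minLength}`);
  }
  const classes = presentClasses(password);
  if (classes.length < requiredClasses) {
    errors.push(`uses ${classes.length} character class(es), ${requiredClasses} required`);
  }
  return { valid: errors.length === 0, length, classes, errors };
}

// Constructed sample set, including the two passwords quoted in the text.
const SAMPLE_PASSWORDS = ["example1234", "EX@MPLE!", "Ex@mple1", "Ex@mpl1"];

// Evaluate the samples under a given policy; returns one result per password.
function evaluateSamples(options) {
  return SAMPLE_PASSWORDS.map((password) => ({ password, ...checkPasswordPolicy(password, options) }));
}

// Default policy (8 chars, 3 classes): only "Ex@mple1" passes.
// Relaxed to 2 classes: "example1234", "EX@MPLE!" and "Ex@mple1" pass.
console.log(evaluateSamples());
console.log(evaluateSamples({ requiredClasses: 2 }));
```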

Magento 2 password meter settings

Useful information for technical specialists

The Magento 2 platform uses the zxcvbn JavaScript library for password validation. You can find it at vendor/magento/module-customer/view/frontend/web/js/zxcvbn.js

You may also find this online password strength checker helpful: https://www.bennish.net/password-strength-checker/. It also uses the zxcvbn library and estimates how long it would take to crack a given password.

Online password strength checker

If you need a password strength meter for Magento 1.x, you can explore our extension here. At the moment, we don’t plan to develop a Password Strength Meter extension for Magento 2, because M2 has this module out of the box. However, if you need more password options, you can contact us and let us know your requirements, so that we know such a module is in demand. The more votes we get, the more likely we are to develop an Advanced Password Strength Meter extension for Magento 2.

The password strength meter is displayed on the customer registration form, at checkout, on the reset password form and in the account settings. You can learn how to add a password meter to the login form in this article.

Magento 2 Password Options

  • Password Reset Protection Type — this option defines the method used when a password reset request occurs. For example, you can define whether the IP address is taken into account, or you can restrict the option so that only admin users are allowed to reset customer passwords.
  • Max Number of Password Reset Requests — this option defines how many password reset requests can be processed within an hour.
  • Min Time Between Password Reset Requests — this option sets the delay between password reset requests (in minutes). By default, customers can request another reset after 10 minutes.
  • Forgot Email Template — here you can select the email template sent to customers when they forget their passwords. You can specify a template for each store view, thereby supporting multiple locales.
  • Remind Email Template — this template is sent to the customer’s email with a hint to remind them of their password.
  • Reset Password Template — this template is used when the customer’s password is changed.
  • Password Template Email Sender — this defines the sender of password-related emails to customers.
  • Recovery Link Expiration Period (hours) — this option improves Magento 2 security by limiting the lifetime of password recovery links.
  • Number of Required Character Classes — this field sets the number of different character classes that must be used in a customer password during account signup.
  • Minimum Password Length — this option defines the minimum number of characters that must be used in a customer password.
  • Maximum Login Failures to Lockout Account — this option defines the number of failed login attempts after which an admin account will be locked.
  • Lockout Time (minutes) — this option defines the lockout duration once the Maximum Login Failures to Lockout Account threshold is reached.
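As an added example (not Magento’s own code), the following JavaScript throttle models the two reset-request options above, Max Number of Password Reset Requests (per hour) and Min Time Between Password Reset Requests (minutes, 10 by default); the throttle key (customer email, client IP, or both, depending on the protection type) is chosen by the caller, and the decision to record only allowed requests is an assumption.

```javascript
// Added example, not Magento's own code: throttling of password reset
// requests according to Max Number of Password Reset Requests (per hour)
// and Min Time Between Password Reset Requests (minutes). Timestamps are
// in milliseconds; the key is whatever the protection type selects.
const HOUR_MS = 60 * 60 * 1000;
const MINUTE_MS = 60 * 1000;

class ResetThrottle {
  constructor({ maxPerHour, minMinutes = 10 }) {
    this.maxPerHour = maxPerHour;
    this.minMs = minMinutes * MINUTE_MS;
    this.log = new Map(); // key -> ascending array of allowed request times
  }

  // Decide whether a reset request for `key` may proceed at time `now`.
  // Only allowed requests are recorded (assumption), so a burst of denied
  // attempts does not extend the waiting time on its own.
  attempt(key, now = Date.now()) {
    const recent = (this.log.get(key) || []).filter((t) => now - t < HOUR_MS);
    this.log.set(key, recent);
    if (recent.length >= this.maxPerHour) {
      return { allowed: false, reason: `max ${this.maxPerHour} requests per hour reached` };
    }
    const last = recent.length ? recent[recent.length - 1] : null;
    if (last !== null && now - last < this.minMs) {
      const waitMin = Math.ceil((this.minMs - (now - last)) / MINUTE_MS);
      return { allowed: false, reason: `wait ${waitMin} more minute(s)` };
    }
    recent.push(now);
    return { allowed: true, reason: null };
  }
}

// Constructed scenario: one customer sends six requests at the given
// minute offsets with a limit of 3 per hour and 10 minutes between requests.
function scenario() {
  const t0 = Date.UTC(2018, 6, 13, 12, 0, 0); // 13 July 2018, 12:00 UTC
  const throttle = new ResetThrottle({ maxPerHour: 3, minMinutes: 10 });
  const key = "customer@example.com"; // constructed email-based key
  return [0, 5, 10, 25, 40, 70].map(
    (min) => throttle.attempt(key, t0 + min * MINUTE_MS).allowed
  );
}

// Expected: [true, false, true, true, false, true]
console.log(scenario());
```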

You can find the official info about Magento 2 password options here.

About the Author

Author Stanislav Golodov
Stanislav Golodov, Product Management & Marketing in PotatoCommerce

Stanislav has written most of PotatoCommerce blog posts. He believes that blog posts should be really helpful and be written primarily for people, not for Googlebot. Stanislav started working with Magento in 2011 as a QA engineer, and later as a Product Manager. He joined PotatoCommerce in 2017, where he is responsible for marketing, web analytics, product specifications and finalizing the scope of our products and major extension updates.