What I’m trying to do:
I want to require users to choose secure passwords when they log in.
What I’ve tried and what’s not working:
In the Users menu under Login Options I have checked Require secure passwords and nothing seems to be happening when I add new users and they create their passwords for the first time; they can still log in using insecure passwords.
I looked in the Anvil Docs for this feature, but the description provided didn’t help me. And there was another entry in this forum from 2022 that addressed the same topic, but the forum user’s query was never answered.
I’m a beginning programmer and I didn’t code the server modules that deal with the login procedures. Like the person who asked this question in the forum before, it may be that we have custom login code for the app that’s bypassing this feature.
Any hints for what to try or suggestions for troubleshooting would be greatly appreciated. Thanks!
That was generated with anvil.users.login_with_form() and then choosing Sign Up and entering a simple password that’s been leaked online (e.g. ‘password’).
Hi Jay,
Thank you for your rapid reply and example. I am checking the box in the User service, but I’m not choosing Sign Up through anvil.users.login_with_form(). As you suggest, I’ll step through our sign-up sequence to see what’s happening.
If you want to roll your own signup, the only thing “Require secure passwords” actually does in Anvil at the JVM/Clojure code level is make sure the password has more than seven characters, and passes the API check of https://haveibeenpwned.com/
The hibp API is super simple to use, and does not require you to send the password in the clear (it uses a partial hash check against a list of hashes to return True/False).
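An added example, not code from this thread or from Anvil itself: the two checks described in the last post (length over seven characters, plus the Pwned Passwords range lookup), written so a custom sign-up path can call them before creating the user. The function names are hypothetical, `constructed_fetcher` is an offline stand-in with constructed data, and rejecting the password when the lookup is unreachable is this example's assumption.

```python
import hashlib
import urllib.request

MIN_LENGTH = 8  # "more than seven characters", per the post above


def fetch_range(prefix):
    """Ask the Pwned Passwords range endpoint for all hash suffixes under a 5-char prefix."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "signup-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetcher=fetch_range):
    """Only the first 5 hex chars of the SHA-1 leave this process; matching is local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetcher(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)  # padding entries carry a count of 0
    return 0


def check_password(password, fetcher=fetch_range):
    """Return (ok, reason). Call before creating the user in a custom sign-up path."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    try:
        seen = breach_count(password, fetcher)
    except OSError:  # URLError and timeouts; rejecting here is this example's choice
        return False, "breach check unavailable"
    if seen > 0:
        return False, "found in breach data"
    return True, "ok"


def constructed_fetcher(prefix):
    """Offline stand-in for fetch_range: constructed lines, not real API data."""
    lines = ["0" * 35 + ":0"]  # padding-style entry
    digest = hashlib.sha1(b"password").hexdigest().upper()
    if digest.startswith(prefix):
        lines.append(digest[5:] + ":12345")  # constructed count
    return "\r\n".join(lines)
```

Run the check in a server function rather than in client code, so a modified client cannot skip it.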