@tibor.pacalat: This issue was also reported at the recent pentest results.

Expected result
Insecure passwords are allowed
What ?

I think it must be Apply password rules defined at PasswordRequirement plugin as Expected result, no ?

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=36649

Have a white page here
And don't found the commit on https://github.com/LimeSurvey/LimeSurvey/commits/master/

@c_schmitz I think your fix link is wrong here, it seems to be theme related and has nothing to do with the password details?!

Dudes, give me a breather here. I just corrected it.

Problem is that we have two way of settings password requirement:

1.) Editing personald settings: Setting in config.php using

$config['passwordValidationRules'] = array(
'min' => 4,
'max' => 0,
'lower' => 0,
'upper' => 0,
'numeric' => 0,
'symbol' => 0,
);

2.) Editing a user: PasswordRequirement plugin

We should decide for one of the two ways and remove the other.

If we pick 1.) I think the plugin should be activated by default.

if we pick 2.) then we need to create settings in global settings

We should decide for one of the two ways and remove the other.

PasswordRequirement didn't use passwordValidationRules for default if not edited ?

It's the default behavior of Global Settings currently

1. Get for config-default
2. Get for config if exist
3. Get from DB if exist

I think it's the best way, no ?

No, as far as I can see passwordvalidation rules are not used anywhere else but in personal settings.

I also vote for checking config-defaults, overwrite by config.php, overwrite by plugin. That's how it usually works.
In general, the plugin is easier to use for admins compared to changing config files. So that would be my preferred solution.

https://github.com/LimeSurvey/LimeSurvey/pull/4048

Looking at code : seems plugins and core do the same things ?

yeah. that's what I meant.

I refactored it so the core code is used everywhere and it is also calling the plugin event.

Your update was great