Add notes about not all password strength drivers supporting score up…

… to 5 (#9751)
roundcube · Jan 26, 2025 · fa1f3bd · fa1f3bd
1 parent 454a6e1
commit fa1f3bd
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/plugins/password/README b/plugins/password/README
@@ -446,14 +446,14 @@
 
  Driver using "Have I been pwned?" (https://haveibeenpwned.com/Passwords) API to
  check that entered passwords aren't already compromised (i.e., commonly known).
- The check is performed locally, the actual password is *not* transmitted anywhere else.
+ The check is performed locally, the actual password is *not* transmitted anywhere.
 
  Example configuration:
 
  $config['password_strength_driver'] = 'pwned';
  $config['password_minimum_score'] = 3;
 
- See the driver implementation file for more documentation.
+ Maximum supported score for this driver is 3. See the driver implementation file for more documentation.
 
 
  3. Driver API

diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist
@@ -22,6 +22,7 @@ $config['password_minimum_length'] = 8;
 
 // Require the new password to have at least the specified strength score.
 // Note: Password strength is scored from 1 (week) to 5 (strong).
+// Note: Some strength drivers (e.g. pwned) do not support full range.
 $config['password_minimum_score'] = 0;
 
 // Enables logging of password changes into logs/password