Updates to both Free and Pro versions of the Password Policy & Complexity Requirements plugin have been released and are available for download, introducing a new “Maximum password length” option.
The new option is enabled by default with a value of 256 characters, but it can be adjusted per policy or disabled if needed.
One of the users requested this new feature to support the organization’s security policy. It is related to preventing the potential denial-of-service attack on the server caused by a vulnerable password hashing implementation. With unnaturally long passwords used by hackers, the password hashing process could result in CPU and memory exhaustion, and the new option we introduce in this release prevents that risk for all sites using our plugin.
Besides that, we implemented regular code improvements and shared dependency updates, as well as confirmed compatibility with WordPress 6.8 (an upcoming major release).
For questions and help about these releases, please get in touch with our support team.