In this scenario, assume you have a Member with control panel access – “joe” – whose password is “Pass1234”. When his account was created, the minimum password length for the site was 8 characters.

Now a Super Admin changes the minimum password length to be 12 characters to enhance security.

“joe” tries to log in, but the CP login takes him to a page that says

> New Access Requirements > !! The administrator has changed the access requirements for this site. > Passwords must be at least 12 characters in length

This page is located at /admin.php?/cp/login/authenticate

“joe” enters his current password and types his new password twice, ensuring that it meets the new requirements. Then he clicks “UPDATE”.

This takes him back to /admin.php?/cp/login and shows him a login prompt with the message “!! Your settings have been updated. You may now log-in.”

“joe” attempts a login with his new password, but gets a failure message: “!! That is the wrong username or password”

If “joe” attempts to login with his old password, it is successful, but goes back through the loop asking him to update his password due to new requirements.

Upon inspection of the “exp_members” table, it appears that the password is not being updated through this UX flow.