Registration Settings

This page walks through every option on Admin Dashboard → Settings → Registration & Password Settings, in the same order you see them in the dashboard. To customize the registration fields (collect a phone number, a company, anything beyond the defaults), install the User Info plugin from Spice Shaker.

1. 01 Registration

   Registration controls

   Allow New User Registration

   The master kill-switch. When off, the join page is replaced with a "registration is not available" message and the OAuth (social login) signup flow refuses to create new users too. The message itself lives in users/views/_joinDisabled.php — copy it to usersc/views/_joinDisabled.php if you want to customize it.

   Registration Vericode Expiry (hours)

   How long a new-user verification code remains valid after it's sent. After this many hours the code expires and the user has to request a new one. Maximum is 999,999,999 hours, so practically unlimited.

   Allow Users to Change Their Usernames

   Three modes:

   • ✓Disabled — the username chosen at registration is permanent.
   • ✓Enabled — users can change their username freely from their account settings.
   • ✓Only once — every user gets exactly one rename, then the field locks.

   Force Users to Validate Their Emails After Registering

   The toggle for this lives on the Email Settings page (since it depends on a working email configuration). The Registration page just notes this and links over.

   Password Reset Vericode Expiry (minutes)

   How long a password-reset link remains valid after a user requests one. Shorter is more secure (a leaked email can't be cashed in months later) but more annoying if the user doesn't notice the email immediately. Maximum is 999,999,999 minutes.

   Minimum / Maximum Username Length

   Both bounded between 1 and 255 characters. Set whatever fits your project — most sites use a minimum of 3–4 and a maximum of 20–30.

2. 02 Two layers

   How the password meter works

   UserSpice's password rules have two layers that work together:

   • 1The meter — visual guidance shown to the user as they type. It's coaching, not a hard gate.
   • 2Enforcement — a server-side check on submit that catches anyone who tampered with the JavaScript.

   Enforcement does nothing if the meter is hidden. If the rules are enforced silently, the user has no idea why their password was rejected. So always either (a) hide both, (b) show both, or (c) show the meter without enforcement (advisory mode). Enforcement is on the join form only — other forms (admin-created users, password resets) skip it to avoid surprising side effects.

   Show Password Meter

   Renders the live strength indicator and rule checklist on the join form.

   Enforce Password Rules

   Disables the join form's submit button until rules are met, and re-validates on submit.

3. 03 Character requirements

   Required character types

   Each toggle adds one rule the password must satisfy when enforcement is on:

   • Require a Number
   • Require a Capital Letter
   • Require a Lowercase Letter
   • Require a Symbol

   Minimum / Maximum Password Length

   Both bounded 4–150 characters. The minimum is a hard floor — even a high-scoring password is rejected if it's shorter than this.

4. 04 Scoring

   The point-based scoring system

   On top of the character-type rules, UserSpice runs a scoring system. Each character class and length tier contributes points; the password's total has to clear the minimum score. Scores are capped at 100 — anything higher is rounded down.

   Minimum Password Score

   75 is the recommended floor. The reason: if a password meets the point total but fails one of the required-character rules above, the calculator caps it at 74 instead. A minimum of 75 guarantees you can't squeak through with a long all-numbers password when you required uppercase + symbols.

   If you want to bypass this protection — for example, to allow passwordless or numeric PINs — set the minimum to 74 or lower, or override userSpicePasswordScore() in usersc/includes/custom_functions.php.

   Per-character-class scores

   Five values (1–100 each) that determine how much each character class is worth toward the total:

   • Number Score
   • Uppercase Letter Score
   • Lowercase Letter Score
   • Symbol Score
   • Bonus Score for > 8 chars
   • Bonus Score for > 12 chars
   • Bonus Score for > 16 chars

   The defaults UserSpice ships are reasonable for most projects — only tweak these if you have a specific reason (a high-security app may want to weight length more; a low-friction consumer app may want symbols to count more so users don't need to type them).

5. 05 Live tester

   Sample password score tester

   The bottom of the Registration page has a live tester — type a candidate password and watch the meter score it against your current settings. Tweak the rules and scores until real-world passwords from your users score the way you want them to. The tester forces the meter on for the demo, even if you've turned the meter off site-wide.

6. 06 Custom fields

   Adding fields to the registration form

   The Registration Settings page itself doesn't customize the fields on the join form. For that, install the User Info plugin from Spice Shaker (or from the addons store at bugs.userspice.com). It lets you add, reorder, validate, and require additional fields on the registration form, then surfaces them on the user profile and admin user editor.