Hello,
Currently, there is no validation mechanism for user passwords, except
checking that they are at least 6 characters long. This allows very weak
passwords to be used, which is a security issue.
We (inria) would like to add at least some basic password validation.
I've added simple password validation which ensures that passwords
contain at least one lower case letter, one upper case, one digit, and
one non-alphanumeric char. This is checked both when creating an account
or when changing an account's password. Additionally, as this may cause
some problems for particular fusionforge instances, I've added a config
option (check_password_strength boolean) to deactivate this validation.
patch attached.
cheers !
--
Matthieu Imbert <matthieu.imb...@inria.fr>
http://graal.ens-lyon.fr/~mimbert/
INRIA / LIP ENS-Lyon / INSA CITI research engineer
http://www.inria.fr http://www.ens-lyon.fr/LIP http://www.citi-lab.fr
+33(0)472728149 / +33(0)472437307
Monod campus, room GN1 Nord 3.52
LIP ENS-Lyon, 46 allée d'Italie
69364 Lyon cedex 07, FRANCE
CITI Lab, INSA Lyon, Domaine Scientifique de la Doua
Batiment Claude Chappe, room TLC 238
6 avenue des Arts, 69621 Villeurbanne, FRANCE
>From 0136e08d486aaedb6159968290873b789a4e1926 Mon Sep 17 00:00:00 2001
From: Matthieu Imbert <matthieu.imb...@inria.fr>
Date: Mon, 8 Aug 2016 17:02:10 +0200
Subject: [PATCH] add simple password validation
---
src/common/include/account.php | 33 +++++++++++++++++++++++++++++++++
src/www/account/change_pw.php | 5 -----
2 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/src/common/include/account.php b/src/common/include/account.php
index bd77498..43e4725 100644
--- a/src/common/include/account.php
+++ b/src/common/include/account.php
@@ -23,6 +23,33 @@
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
+forge_define_config_item('check_password_strength', 'core', 'true');
+forge_set_config_item_bool('check_password_strength', 'core');
+
+/**
+ * pw_weak() - checks if password is weak
+ *
+ * @param string $pw the password
+ * @return false if password ok, string with description of problem if password ko.
+ *
+ */
+function pw_weak($pw) {
+ // password ok if contains at least 1 uppercase letter, 1 lowercase, 1 digit and 1 non-alphanumeric
+ if (!preg_match('/[[:lower:]]/', $pw)) {
+ return _("Must contain at least one lowercase letter.");
+ }
+ if (!preg_match('/[[:upper:]]/', $pw)) {
+ return _("Must contain at least one uppercase letter.");
+ }
+ if (!preg_match('/[[:digit:]]/', $pw)) {
+ return _("Must contain at least one digit.");
+ }
+ if (!preg_match('/[^[:alnum:]]/', $pw)) {
+ return _("Must contain at least one non-alphanumeric character.");
+ }
+ return false;
+}
+
/**
* account_pwvalid() - Validates a password
*
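Review bot: The four patterns in pw_weak() run without the `u` modifier, so the POSIX classes match ASCII bytes only: a password written entirely in a non-Latin script has no ASCII letter and is rejected as weak, while every byte of a multibyte character satisfies `[^[:alnum:]]`, so an accented letter alone counts as the required non-alphanumeric character. If the forge accepts UTF-8 passwords (not visible here), Unicode property classes under `/u` give the intended meaning; note that with `/u` preg_match() returns false on malformed UTF-8, so comparing against `1` rather than negating keeps such input rejected with a correct message. The docblock should also state that this is a composition check only — `Password1!` passes it — and is no substitute for a length floor or a breached-password list, since the function name suggests more than it delivers.
```php
function pw_weak($pw) {
	// Composition check only: one lower, one upper, one digit, one other.
	// Unicode-aware via /u; preg_match() yields false (not 0) on malformed
	// UTF-8, so anything other than an exact match of 1 counts as a failure.
	$rules = array(
		'/\p{Ll}/u'        => _("Must contain at least one lowercase letter."),
		'/\p{Lu}/u'        => _("Must contain at least one uppercase letter."),
		'/\p{Nd}/u'        => _("Must contain at least one digit."),
		'/[^\p{L}\p{N}]/u' => _("Must contain at least one non-alphanumeric character."),
	);
	foreach ($rules as $re => $msg) {
		if (preg_match($re, $pw) !== 1) {
			return $msg;
		}
	}
	return false;
}
```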
@@ -35,6 +62,12 @@ function account_pwvalid($pw) {
$GLOBALS['register_error'] = _('Password must be at least 6 characters.');
return 0;
}
+ if (forge_get_config('check_password_strength')) {
+ if ($msg = pw_weak($pw)) {
+ $GLOBALS['register_error'] = $msg;
+ return 0;
+ }
+ }
return 1;
}
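Review bot: The new branch leaves the 6-character floor on the context line above untouched, so a value such as `Aa1!aa` satisfies every rule while sitting in a search space well under 2^40 candidates; composition rules add far less resistance to guessing than length does, and NIST SP 800-63B recommends at least 8 characters for user-chosen secrets. A small change is to tie the floor to the option, `$min = forge_get_config('check_password_strength') ? 8 : 6;` ahead of the length test (whose `if` begins above the hunk) and use `$min` in both the comparison and the message. Because change_pw.php below drops its own inline length check, account_pwvalid() must be on the password-change path — presumably via the user object's password setter — which this patch does not show, so that is worth confirming before merge. Finally, `if ($msg = pw_weak($pw))` hides an assignment in the condition; `$msg = pw_weak($pw); if ($msg !== false) {` reads more clearly and matches the documented false/string return.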
diff --git a/src/www/account/change_pw.php b/src/www/account/change_pw.php
index 75c7504..14bf507 100644
--- a/src/www/account/change_pw.php
+++ b/src/www/account/change_pw.php
@@ -51,11 +51,6 @@ if (getStringFromRequest('submit')) {
exit_error(_('Old password is incorrect'),'my');
}
- if (strlen($passwd)<6) {
- form_release_key(getStringFromRequest('form_key'));
- exit_error(_('You must supply valid password (at least 6 chars).'),'my');
- }
-
if ($passwd != $passwd2) {
form_release_key(getStringFromRequest('form_key'));
exit_error(_('New passwords do not match.'),'my');
--
2.8.1