| Author | 
                
                  Topic   | 
                
              
              
                | 
                 StephenD 
                Senior Member 
                     
                 
                
                Australia 
                1044 Posts  | 
                
                  
                    
                      
                       Posted - 12 July 2004 :  19:14:28
                        
                      
  | 
                     
                    
                       Is there a way to force the password characteristics on registration and whenever a member chooses to change their password? Something like NT security. Password length must be minimum of say 8 characters and contain a combination of characters and numerals?
  Has anyone done this before with Snitz? | 
                     
                   
                 | 
              
              
                | 
                 StephenD 
                Senior Member 
                     
                 
                
                Australia 
                1044 Posts  | 
                
                  
                    
                      
                       Posted - 22 July 2004 :  03:27:26
                        
                      
  | 
                     
                    
                       Just moving up to top...
  Would be something like : if len(password)<8 then redirect back to register.asp? | 
                     
                    
                        | 
                     
                   
                 | 
              
              
                | 
                 Shaggy 
                Support Moderator 
                      
                 
                
                Ireland 
                6780 Posts  | 
                
                  
                    
                      
                       Posted - 22 July 2004 :  07:25:40
                        
                      
  | 
                     
                    
                       For the length issue, all you'd need to do is add a check to one of the existing if statements in register.asp that checks password validity. Don't have exact line references but somewhere in or around line 256 look for the following code block and add the lines in green.
'## NT authentication no additional password needed
if strAuthType = "db" then
	if not IsValidString(trim(Request.Form("Password"))) then
		Err_Msg = Err_Msg & "<li>You may not use any of these chars in your password  !#$%^&*()=+{}[]|\;:/?>,<' </li>"
	end if
	if trim(Request.Form("Password")) = "" then
		Err_Msg = Err_Msg &  "<li>You must choose a Password</li>"
	end if
	if Len(Request.Form("Password")) < 8 or Len(Request.Form("Password")) > 25 then
		Err_Msg = Err_Msg & "<li>Your Password can not be less than 8 or greater than 25 characters</li>"
	end if
	if Request.Form("Password") <> Request.Form("Password2") then
		Err_Msg = Err_Msg & "<li>Your Passwords didn't match.</li>"
	end if
end if
  <edit>Actually, you'd need to do the same in pop_profile.asp; there are a couple of occurrences of code similar to the above that should be easy enough to track down with a search.</edit>
 
  | 
                     
                    
                         Search is your friend “I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.” | 
                     
                    
                       Edited by - Shaggy on 22 July 2004  07:27:18 | 
                     
                    
                        | 
                     
                   
                 | 
              
              
                | 
                 StephenD 
                Senior Member 
                     
                 
                
                Australia 
                1044 Posts  | 
                
                  
                    
                      
                       Posted - 22 July 2004 :  18:36:19
                        
                      
  | 
                     
                    
                      |  Excellent, thank you. | 
                     
                    
                        | 
                     
                   
                 | 
              
              
                | 
                 Shaggy 
                Support Moderator 
                      
                 
                
                Ireland 
                6780 Posts  | 
                
                  
                    
                      
                       Posted - 23 July 2004 :  06:23:24
                        
                      
  | 
                     
                    
                       You're welcome, Stephen.   Another check you might want to add in there for additional security is if the password is the same as the username. Still trying to think of a viable way to check if the password contains a mix of alpha and numeric characters.
 
  | 
                     
                    
                     
                    
                        | 
                     
                   
                 | 
              
              
                | 
                 pknaz 
                Junior Member 
                   
                 
                
                USA 
                117 Posts  | 
                
                  
                    
                      
                       Posted - 04 August 2004 :  19:08:37
                        
                        
                      
  | 
                     
                    
                       You could use something like this to check for numeric characters, but I haven't done anything for alpha characters:
 
'## VBScript variables are untyped, so Dim takes no "as" clause
Dim frmPassword, frmPassword2
frmPassword = Request.Form("Password")
frmPassword2 = Request.Form("Password2")
If Len(frmPassword) > 0 then
  '## count how many of the digits 0 to 9 occur in the password
  Dim InstrTemp
  InstrTemp = 0
  for i = 0 to 9
    If InStr(frmPassword, CStr(i)) <> 0 then
      InstrTemp = InstrTemp + 1
    end if
  next
  If InstrTemp = 0 then
    Err_Msg = Err_Msg & "<li>Your Password does not contain any numeric characters.</li>"
  end if
end if
 | 
                     
                    
                       Edited by - pknaz on 04 August 2004  19:10:09 | 
                     
                    
                        | 
                     
                   
                 | 
              
              
                | 
                 StephenD 
                Senior Member 
                     
                 
                
                Australia 
                1044 Posts  | 
                
                  
                    
                      
                       Posted - 05 August 2004 :  01:08:09
                        
                      
  | 
                     
                    
                      |  Thanks pknaz, will it allow alpha characters too? I won't be able to test it till I get home tonight. | 
                     
                    
                        | 
                     
                   
                 | 
              
              
                | 
                 OneWayMule 
                Dev. Team Member & Support Moderator 
                      
                 
                
                Austria 
                4969 Posts  | 
                
                  
                 | 
              
              
                | 
                 Shaggy 
                Support Moderator 
                      
                 
                
                Ireland 
                6780 Posts  | 
                
                  
                    
                      
                       Posted - 05 August 2004 :  07:41:39
                        
                      
  | 
                     
                    
                       I've modified what Pknaz posted above to add a similar for/next loop to check for the presence of letters and clean up a few things. The code below can be added to the code I posted above; I'd suggest before the comparison between Password and Password2.
boolPwnumeric=0
boolPwalpha=0
for i=0 to 9
	if instr(trim(Request.Form("Password")),i)<>0 then
		boolPwNumeric=1
		exit for
	end if
next
for i=97 to 122
	if instr(trim(Request.Form("Password")),chr(i))<>0 or instr(trim(Request.Form("Password")),ucase(chr(i)))<>0 then
		boolPwalpha=1
		exit for
	end if
next
if boolPwnumeric=0 or boolPwalpha=0 then Err_Msg=Err_Msg&"<li>Your password must contain a combination of alphanumeric characters.</li>"
  Admittedly, it's not exactly the "prettiest" way of doing this, but it serves its purpose.
 
  | 
                     
                    
                     
                    
                        | 
                     
                   
                 | 
              
              
                | 
                 Nertz 
                Junior Member 
                   
                 
                
                Canada 
                341 Posts  | 
                
                  
                    
                      
                       Posted - 05 August 2004 :  10:20:22
                        
                      
  | 
                     
                    
                       Shaggy, please excuse my ignorance as I'm new to ASP but always willing to learn.  Hope this is not trivial and I didn't miss something somewhere.
  In your check for illegal characters in the post above, the password is passed through the trim function which removes all leading and trailing spaces, defeating the check for invalid leading or trailing spaces in the IsValidString function.  And even if passed the raw password, IsValidString function appears to check occurrence of leading, trailing and double spaces only.  Any space anywhere in the password should be illegal.
if instr(Request.Form("Password")," ")<> 0 then
	Err_Msg = Err_Msg & "<li>Your Password cannot contain spaces.</li>"
end if
  cheers, Nat
  | 
                     
                    
                        Sadly, most Family Court Judges wrongfully reward opportunistic gold diggers that use our children unjustly as "instruments" of power.
  www.fathers-4-justice-canada.ca | 
                     
                    
                        | 
                     
                   
                 | 
              
              
                | 
                 Shaggy 
                Support Moderator 
                      
                 
                
                Ireland 
                6780 Posts  | 
                
                  
                    
                      
                       Posted - 05 August 2004 :  12:33:54
                        
                      
  | 
                     
                    
                       IsValidString() checks for the presence of any special characters in the password field without removing any leading or trailing white space. For each subsequent check of the password field the value as originally entered by the user is retrieved.
  And that's not a bad idea, checking for spaces within the password itself. Gimme a minute and I'll put all the code in this topic together in one easy to copy block.
 
  | 
                     
                    
                     
                    
                        | 
                     
                   
                 | 
              
              
                | 
                 Nertz 
                Junior Member 
                   
                 
                
                Canada 
                341 Posts  | 
                
                  
                    
                      
                       Posted - 05 August 2004 :  14:09:47
                        
                      
  | 
                     
                    
                       One final thought Shaggy.  I think the first character in the password should be restricted to alpha only.  
 
 
if instr("ABCDEFGHIJKLMNOPQRSTUVWXYZ", UCase(left(Request.Form("Password"),1))) = 0 then
	Err_Msg = Err_Msg & "<li>The Password's first character must be an alpha character.</li>"
end if
  cheers, Nat | 
                     
                    
                     
                    
                       Edited by - Nertz on 05 August 2004  14:13:02 | 
                     
                    
                        | 
                     
                   
                 | 
              
              
                | 
                 daniel123 
                Starting Member 
                 
                 
                
                21 Posts  | 
                
                  
                    
                      
                       Posted - 06 August 2004 :  04:01:34
                        
                      
  | 
                     
                    
                      |  is it possible for admin to view passwords of members? | 
                     
                    
                        | 
                     
                   
                 | 
              
              
                | 
                 davemaxwell 
                Access 2000 Support Moderator 
                      
                 
                
                USA 
                3020 Posts  | 
                
                  
                    
                      
                       Posted - 06 August 2004 :  05:44:58
                        
                        
                      
  | 
                     
                    
                       quote: Originally posted by daniel123
  is it possible for admin to view passwords of members?
 
  
  NO.  They are encrypted for just that reason.  The user can use the "forgot password" link or the admin can change the password to something else, but there is no good reason for an admin to be able to see passwords. | 
                     
                    
                        Dave Maxwell Barbershop Harmony Freak | 
                     
                    
                        | 
                     
                   
                 | 
              
              
                | 
                 Shaggy 
                Support Moderator 
                      
                 
                
                Ireland 
                6780 Posts  | 
                
                  
                    
                      
                       Posted - 06 August 2004 :  06:59:07
                        
                      
  | 
                     
                    
                       Sorry, didn't realise how late it was when I posted yesterday; had to run. Here's all the code and checks that have been mentioned so far in this topic, including checks for:
  - Spaces
  - "Special" characters
  - Password length
  - A mix of alphanumeric characters
  - Passwords that don't start with a letter
  - Passwords that are the same as the username
  - Password fields that don't match each other.
  You'll also need to do something similar in pop_profile.asp; if anyone needs the exact code changes, post back and I'll lash 'em together. Also, please bear in mind that I haven't fully tested this code yet.
  The following replaces the entire if statement beginning on line 256 of register.asp.
'## NT authentication no additional password needed
'## Modified by Shaggy with assistance from pknaz and Nertz
if strAuthType = "db" then
	'## create variable to hold password
	dim boolPwalpha,boolPwletter,boolPwnumeric,strTempPass
	strTempPass=trim(request.form("password"))
	'## check for presence of "special" characters or spaces
	if not IsValidString(strTempPass) or instr(strTempPass," ")<>0 then Err_Msg=Err_Msg&"<li>You may not use spaces nor any of these characters in your password !#$%^&*()=+{}[]|\;:/?>,<'""</li>"
	'## redundant due to the check below
'	if strTempPass="" then Err_Msg=Err_Msg&"<li>You must choose a Password</li>"
	'## check password length. change eight for minimum allowed characters and 25 for maximum allowed
	if len(strTempPass)<8 or len(strTempPass)>25 then Err_Msg=Err_Msg&"<li>Your Password can not be less than 8 nor greater than 25 characters.</li>"
	'## check password contains both alpha and numeric characters
	boolPwnumeric=0
	'## comment/delete 1 line below to remove check for first character being alpha
	boolPwletter=0
	boolPwalpha=0
	for i=0 to 9
		if instr(strTempPass,i)<>0 then
			boolPwNumeric=1
			exit for
		end if
	next
	'## the letter loop runs even when no digit was found, so the first-character message below only appears when it applies
	for i=97 to 122
		'## comment/delete 5 lines below to remove check for first character being alpha
		if lcase(left(strTempPass,1))=chr(i) then
			boolPwletter=1
			boolPwalpha=1
			exit for
		end if
		'## no exit for here: the loop has to keep going until the first-character check has been tried against every letter
		if instr(lcase(strTempPass),chr(i))<>0 then
			boolPwalpha=1
		end if
	next
	'## comment/delete 1 line below to remove check for first character being alpha
	if boolPwletter=0 then Err_Msg=Err_Msg&"<li>The first character of your password must be a letter.</li>"
	if boolPwnumeric=0 or boolPwalpha=0 then Err_Msg=Err_Msg&"<li>Your password must contain combination of alphanumeric characters and begin with a letter.</li>"
	'##
	'## check password is not the same as username
	if strTempPass=trim(Request.Form("Name")) then Err_Msg=Err_Msg&"<li>Your password cannot be the same as your username.</li>"
	'## chcek both password fields match
	if strTempPass<>trim(Request.Form("Password2")) then Err_Msg=Err_Msg&"<li>Your Passwords didn't match.</li>"
end if
'## end Shaggy's modifications<edits> 10-08-04: created a variable to hold password 11-08-04: moved the check for the first character being a letter 11-08-04: declared additional variables 11-08-04: trimmed the passowrd when requesting it 11-08-04: added trim to password 2 24-08-04: updated to include changes detailed here. </edits>
 
  | 
                     
                    
                         Search is your friend “I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.” | 
                     
                    
                       Edited by - Shaggy on 24 August 2004  06:50:50 | 
                     
                    
                        | 
                     
                   
                 | 
              
              
                | 
                 daniel123 
                Starting Member 
                 
                 
                
                21 Posts  | 
                
                  
                    
                      
                       Posted - 06 August 2004 :  17:04:54
                        
                      
  | 
                     
                    
                       quote: Originally posted by davemaxwell
 
 quote: Originally posted by daniel123
  is it possible for admin to view passwords of members?
 
  
  NO.  They are encrypted for just that reason.  The use can use the "forgot password" link or the admin can change the password to something else, but there is no good reason for an admin to be able to see passwords.
 
  
 
  there is such mod available at shnforum.com | 
                     
                    
                        | 
                     
                   
                 | 
              
              
                
                
                  Topic   | 
                  |