Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Snitz Forums 2000 MOD-Group
 MOD Add-On Forum (W/O Code)
 Member Password Security
 New Topic  Topic Locked
 Printer Friendly
Next Page
Author Previous Topic Topic Next Topic
Page: of 2

StephenD
Senior Member

Australia
1044 Posts

Posted - 12 July 2004 :  19:14:28  Show Profile  Send StephenD a Yahoo! Message
Is there a way to force the password characteristics on registration and whenever a member chooses to change their password? Something like NT security. Password length must be minimum of say 8 characters and contain a combination of characters and numerals?

Has anyone done this before with Snitz?

StephenD
Senior Member

Australia
1044 Posts

Posted - 22 July 2004 :  03:27:26  Show Profile  Send StephenD a Yahoo! Message
Just moving up to top...

Would be something like :
if len(password)<8 then redirect back to register.asp?
Go to Top of Page

Shaggy
Support Moderator

Ireland
6780 Posts

Posted - 22 July 2004 :  07:25:40  Show Profile
For the length issue, all you'd need to do is add a check to one of the existing if statements in register.asp that checks password validity. Don't have exact line references but somewhere in or around line 256 look for the following code block and add the lines in green.
'## NT authentication no additional password needed
if strAuthType = "db" then
	if not IsValidString(trim(Request.Form("Password"))) then
		Err_Msg = Err_Msg & "<li>You may not use any of these chars in your password  !#$%^&*()=+{}[]|\;:/?>,<' </li>"
	end if

	if trim(Request.Form("Password")) = "" then
		Err_Msg = Err_Msg &  "<li>You must choose a Password</li>"
	end if

	if Len(Request.Form("Password")) < 8 or Len(Request.Form("Password")) > 25 then
		Err_Msg = Err_Msg & "<li>Your Password can not be less than 8 or greater than 25 characters</li>"
	end if

	if Request.Form("Password") <> Request.Form("Password2") then
		Err_Msg = Err_Msg & "<li>Your Passwords didn't match.</li>"
	end if
end if


<edit>Actually, you'd need to do the same in pop_profile.asp; there are a couple of occurrences of code similar to the above that should be easy enough to track down with a search.</edit>


Search is your friend
“I was having a mildly paranoid day, mostly due to the
fact that the mad priest lady from over the river had
taken to nailing weasels to my front door again.”

Edited by - Shaggy on 22 July 2004 07:27:18
Go to Top of Page

StephenD
Senior Member

Australia
1044 Posts

Posted - 22 July 2004 :  18:36:19  Show Profile  Send StephenD a Yahoo! Message
Excellent, thankyou.
Go to Top of Page

Shaggy
Support Moderator

Ireland
6780 Posts

Posted - 23 July 2004 :  06:23:24  Show Profile
You're welcome, Stephen. Another check you might want to add in there for additional security is if the password is the same as the username. Still trying to think of a viable way to check if the password contains a mix of alpha and numeric characters.


Search is your friend
“I was having a mildly paranoid day, mostly due to the
fact that the mad priest lady from over the river had
taken to nailing weasels to my front door again.”
Go to Top of Page

pknaz
Junior Member

USA
117 Posts

Posted - 04 August 2004 :  19:08:37  Show Profile  Visit pknaz's Homepage  Send pknaz an AOL message  Send pknaz an ICQ Message  Send pknaz a Yahoo! Message
You could use something like this to check for numeric characters, but I haven't done anything for alpha characters:

Dim frmPassword as string, frmPassword2 as string
frmPassword = Request.Form("Password")
frmPassword2 = Request.Form("Password2")
If Len(frmPassword) > 0 then
  Dim InstrTemp as int
  InstrTemp = 0
  for i = 0 to 9
    If InStr(frmPassword, CStr(i)) <> 0 then
      InstrTemp = InstrTemp + 1
    end if
  next
  If InstrTemp = 0 then
    Err_Msg = Err_Msg & "<li>Your Password does not contain any numeric characters.</li>"
  end if
end if

Edited by - pknaz on 04 August 2004 19:10:09
Go to Top of Page

StephenD
Senior Member

Australia
1044 Posts

Posted - 05 August 2004 :  01:08:09  Show Profile  Send StephenD a Yahoo! Message
Thanks pknaz, will it allow alpha characters too? I won't be able to test it till I get home tonight.
Go to Top of Page

OneWayMule
Dev. Team Member & Support Moderator

Austria
4969 Posts

Posted - 05 August 2004 :  03:19:07  Show Profile  Visit OneWayMule's Homepage  Send OneWayMule an ICQ Message
Yes, pknaz's script only checks if there is at least one numerical character contained in the password. If no, the error message is displayed.
The code doesn't disallow any characters.

My MODs:
Birthdays - Custom Policy - F.A.Q. Administration - Forum Rules - Guestbook
Links Manager - MyOwnGoogle - Profile Views - Search Log - WebSearch

Useful stuff:
Forum and MOD Installation - MOD Installation Guide - Snitz v3.4.05 Readme - Free ASP Hosts - Support Snitz
Go to Top of Page

Shaggy
Support Moderator

Ireland
6780 Posts

Posted - 05 August 2004 :  07:41:39  Show Profile
I've modified what Pknaz posted above to add a similar for/next loop to check for the presence of letters and clean up a few things. The code below can be added to the code I posted above; I'd suggest before the comaprisn between PAssword and Password2.
boolPwnumeric=0
boolPwalpha=0
for i=0 to 9
	if instr(trim(Request.Form("Password")),i)<>0 then
		boolPwNumeric=1
		exit for
	end if
next
for i=97 to 122
	if instr(trim(Request.Form("Password")),chr(i))<>0 or instr(trim(Request.Form("Password")),ucase(chr(i)))<>0 then
		boolPwalpha=1
		exit for
	end if
next
if boolPwnumeric=0 or boolPwalpha=0 then Err_Msg=Err_Msg&"<li>Your password must combination of alphanumeric characters.</li>"
Admittedly, it's not exactly the "prettiest" way of doing this, but it serves it's purpose.


Search is your friend
“I was having a mildly paranoid day, mostly due to the
fact that the mad priest lady from over the river had
taken to nailing weasels to my front door again.”
Go to Top of Page

Nertz
Junior Member

Canada
341 Posts

Posted - 05 August 2004 :  10:20:22  Show Profile
Shaggy, please excuse my ignorance as I'm new to ASP but always willing to learn. Hope this is not trivial and I didn't miss something somewhere.

In your check for illegal characters in the post above, the password is passed through the trim function which removes all leading and trailing spaces, defeating the check for invalid leading or trailing spaces in the IsValidString function. And even if passed the raw password, IsValidString function appears to check occurence of leading, trailing and double spaces only. Any space anywhere in the password should be illegal.

if instr(Request.Form("Password")," ")<> 0 then
Err_Msg = Err_Msg & "<li>Your Password cannot contain spaces.</li>"
end if

cheers,
Nat

Sadly, most Family Court Judges wrongfully reward opportunistic gold diggers
that use our children unjustly as "instruments" of power.


www.fathers-4-justice-canada.ca
Go to Top of Page

Shaggy
Support Moderator

Ireland
6780 Posts

Posted - 05 August 2004 :  12:33:54  Show Profile
IsValidString() checks for the presence of any special characters in the password field without removing any leading or trailing white space. For each subsequent check of the password field the value as originally entered by the user is retrieved.

And that's not a bad idea, checking for apaces within the password itself. Gimme a minute and I'll put all the code in this topic together in one easy to copy block.


Search is your friend
“I was having a mildly paranoid day, mostly due to the
fact that the mad priest lady from over the river had
taken to nailing weasels to my front door again.”
Go to Top of Page

Nertz
Junior Member

Canada
341 Posts

Posted - 05 August 2004 :  14:09:47  Show Profile
One final thought Shaggy. I think the first character in the password should be restricted to alpha only.


if instr("ABCDEFGHIJKLMNOPQRSTUVWXYZ", UCase(left(Request.Form("Password"),1))) = 0 then
	Err_Msg = Err_Msg & "<li>The Password's first character must be an alpha character.</li>"
end if


cheers,
Nat

Sadly, most Family Court Judges wrongfully reward opportunistic gold diggers
that use our children unjustly as "instruments" of power.


www.fathers-4-justice-canada.ca

Edited by - Nertz on 05 August 2004 14:13:02
Go to Top of Page

daniel123
Starting Member

21 Posts

Posted - 06 August 2004 :  04:01:34  Show Profile
is it possible for admin to view passwords of members?
Go to Top of Page

davemaxwell
Access 2000 Support Moderator

USA
3020 Posts

Posted - 06 August 2004 :  05:44:58  Show Profile  Visit davemaxwell's Homepage  Send davemaxwell an AOL message  Send davemaxwell an ICQ Message  Send davemaxwell a Yahoo! Message
quote:
Originally posted by daniel123

is it possible for admin to view passwords of members?



NO. They are encrypted for just that reason. The use can use the "forgot password" link or the admin can change the password to something else, but there is no good reason for an admin to be able to see passwords.

Dave Maxwell
Barbershop Harmony Freak
Go to Top of Page

Shaggy
Support Moderator

Ireland
6780 Posts

Posted - 06 August 2004 :  06:59:07  Show Profile
Sorry, didn't realise how late it was when i posted yesterday; had to run. Here's all the code and checks that have been mentioned so far in this topic including a checks for:
- Spaces
- "Special" characters
- Password length
- A mix of alphanumeric characters
- Passwords that don't start with a letter
- Passwords that are the same as the username
- Password fields that don't match each other.

You'll also need to do something similar in pop_profile.asp; if anyone needs the axact code changes, post back and I'll lash 'em together.
Also, please bear in mind that I haven't fully tested this code yet.

The following replaces the entire if statement beginning on line 256 of register.asp.
'## NT authentication no additional password needed
'## Modified by Shaggy with assistance from pknaz and Nertz
if strAuthType = "db" then
	'## create variable to hold password
	dim boolPwalpha,boolPwletter,boolPwnumeric,strTempPass
	strTempPass=trim(request.form("password"))
	'## check for presence of "special" characters or spaces
	if not IsValidString(strTempPass) or instr(strTempPass," ")<>0 then Err_Msg=Err_Msg&"<li>You may not use spaces nor any of these characters in your password !#$%^&*()=+{}[]|\;:/?>,<'""</li>"
	'## redundant due to the check below
'	if strTempPass="" then Err_Msg=Err_Msg&"<li>You must choose a Password</li>"
	'## check password length. change eight for minimum allowed chracters and 25 for maximum allowed
	if len(strTempPass)<8 or len(strTempPass)>25 then Err_Msg=Err_Msg&"<li>Your Password can not be less than 8 nor greater than 25 characters.</li>"
	'## check password contains both alpha and numeric chracters
	boolPwnumeric=0
	'## comment/delete 1 line below to remove check for first chracter being alpha
	boolPwletter=0
	boolPwalpha=0
	for i=0 to 9
		if instr(strTempPass,i)<>0 then
			boolPwNumeric=1
			exit for
		end if
	next
	if boolPwNumeric=1 then
		for i=97 to 122
			'## comment/delete 5 lines below to remove check for first chracter being alpha
			if lcase(left(strTempPass,1))=chr(i) then
				boolPwletter=1
				boolPwalpha=1
				exit for
			end if
			'##
			if instr(lcase(strTempPass),chr(i))<>0 then
				boolPwalpha=1
				exit for
			end if
		next
	end if
	'## comment/delete 1 line below to remove check for first chracter being alpha
	if boolPwletter=0 then Err_Msg=Err_Msg&"<li>The first chracter of your password must be a letter.</li>"
	if boolPwnumeric=0 or boolPwalpha=0 then Err_Msg=Err_Msg&"<li>Your password must contain combination of alphanumeric characters and begin with a letter.</li>"
	'##
	'## check password is not the same as username
	if strTempPass=trim(Request.Form("Name")) then Err_Msg=Err_Msg&"<li>Your password cannot be the same as your username.</li>"
	'## chcek both password fields match
	if strTempPass<>trim(Request.Form("Password2")) then Err_Msg=Err_Msg&"<li>Your Passwords didn't match.</li>"
end if
'## end Shaggy's modifications
<edits>
10-08-04: created a variable to hold password
11-08-04: moved the check for the first character being a letter
11-08-04: declared additional variables
11-08-04: trimmed the passowrd when requesting it
11-08-04: added trim to password 2
24-08-04: updated to include changes detailed here.
</edits>


Search is your friend
“I was having a mildly paranoid day, mostly due to the
fact that the mad priest lady from over the river had
taken to nailing weasels to my front door again.”

Edited by - Shaggy on 24 August 2004 06:50:50
Go to Top of Page

daniel123
Starting Member

21 Posts

Posted - 06 August 2004 :  17:04:54  Show Profile
quote:
Originally posted by davemaxwell

quote:
Originally posted by daniel123

is it possible for admin to view passwords of members?



NO. They are encrypted for just that reason. The use can use the "forgot password" link or the admin can change the password to something else, but there is no good reason for an admin to be able to see passwords.




there is such mod available at shnforum.com
Go to Top of Page
Page: of 2 Previous Topic Topic Next Topic  
Next Page
 New Topic  Topic Locked
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.37 seconds. Powered By: Snitz Forums 2000 Version 3.4.07