Author |
Topic |
StephenD
Senior Member
Australia
1044 Posts |
Posted - 06 August 2004 : 22:46:39
|
Thanks Shaggy, pknaz, Nertz. Great work
I'm testing at the moment in pop_profile.asp. I get the following error when trying to test any password against any of the conditions:
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'IsValidString'
/pop_profile.asp, line 1211
if strAuthType = "db" then
	'## check for presence of "special" characters or spaces
	if not IsValidString(trim(Request.Form("Password"))) or instr(trim(Request.Form("Password")), " ") <> 0 then
		Err_Msg = Err_Msg & "<li>You may not use spaces nor any of these characters in your password !#$%^&*()=+{}[]|\;:/?>,<' </li>" |
|
|
StephenD
Senior Member
Australia
1044 Posts |
Posted - 06 August 2004 : 23:21:13
|
Testing on register.asp
Check for password same as username works
Check for password less than 8 characters works
Check for numerals within password does not work - passes registration ok
Check for numeral as 1st character does not work - passes registration ok
Ignore my error for pop_profile.asp, I simply pasted the block of code above over the 2 occurrences of the password checks I found on the page which was probably incorrect.
|
Edited by - StephenD on 06 August 2004 23:22:33 |
|
|
StephenD
Senior Member
Australia
1044 Posts |
Posted - 07 August 2004 : 23:42:26
|
I was just thinking of a way of implementing this on a live forum and came up with the following idea:
1. Get the encrypted key of a password known to you (your own) out of the DB or your own cookie.
2. Send an email out to all members or post a news topic advising of a change of password security policy with a date/time for when it goes into effect.
3. Close the forum down and backup the DB.
4. Use osql or admin_mod_dbsetup to update the members table and set all members' passwords to this key.
5. Assuming we had applied this mod to password.asp too (guys) put a temporary message above the 'forgot your password' link in logon.asp and inc_header.asp stating the new security policy is now in effect.
6. Reopen Forum.
Anyone see any problems with this? |
|
|
Davio
Development Team Member
Jamaica
12217 Posts |
Posted - 08 August 2004 : 01:16:39
|
quote: Originally posted by daniel123:
there is such mod available at shnforum.com
That mod stores the user's password at registration time and when editing their profile, before their password is encrypted. If I found out the administrator of a forum I participate in, did that, I would leave immediately. I wouldn't sign up at any forum that practiced keeping my password in clear text in the database just so the admin can see my password when he feels like it. |
Support Snitz Forums
|
|
|
pknaz
Junior Member
USA
117 Posts |
Posted - 09 August 2004 : 12:36:34
|
Hi Shaggy,
One suggestion I have is to store [Request.Form("Password")] as a variable, and call that variable throughout your script. This improves the performance and scalability of your scripting.
Otherwise, great work |
Edited by - pknaz on 09 August 2004 12:37:04 |
|
|
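The checks StephenD tests on register.asp, combined with pknaz's suggestion to read the form field once, as an added example that is not the mod's code from this thread. CheckPassword, its parameter names and the message wording are assumptions; the disallowed-character list is the one quoted in the pop_profile.asp error message above.

```vbscript
Option Explicit

' Hypothetical helper: returns "" when the password passes every check,
' otherwise one <li> item per failed check (the Err_Msg style used above).
Function CheckPassword(strUser, strPass)
	Const BAD_CHARS = "!#$%^&*()=+{}[]|\;:/?>,<'"
	Const DIGITS = "0123456789"
	Const ALPHA = "abcdefghijklmnopqrstuvwxyz"
	Dim strErr, i, ch, blnDigit, blnBadChar
	strErr = "" : blnDigit = False : blnBadChar = False

	If LCase(strPass) = LCase(strUser) Then
		strErr = strErr & "<li>Your password may not be the same as your username</li>"
	End If
	If Len(strPass) < 8 Then
		strErr = strErr & "<li>Your password must be at least 8 characters long</li>"
	End If

	' One pass over the password: look for a numeral and for disallowed characters.
	For i = 1 To Len(strPass)
		ch = Mid(strPass, i, 1)
		If InStr(DIGITS, ch) > 0 Then blnDigit = True
		If ch = " " Or InStr(BAD_CHARS, ch) > 0 Then blnBadChar = True
	Next
	If Not blnDigit Then
		strErr = strErr & "<li>Your password must contain at least one numeral</li>"
	End If
	If blnBadChar Then
		strErr = strErr & "<li>You may not use spaces or special characters in your password</li>"
	End If

	' InStr returns 1 for an empty search string, so test the length explicitly.
	If Len(strPass) = 0 Or InStr(ALPHA, LCase(Left(strPass, 1))) = 0 Then
		strErr = strErr & "<li>Your password must start with a letter</li>"
	End If
	CheckPassword = strErr
End Function

' In an ASP page, read the field once and reuse the variable:
'   strTempPass = Trim(Request.Form("Password"))
'   Err_Msg = Err_Msg & CheckPassword(strTempName, strTempPass)

' Constructed sample input; run with: cscript //nologo checkpass.vbs
Dim arrTest, strTest
arrTest = Array("stephend", "abc12", "abcdefgh", "1abcdefg", "pass word1", "forum2004x")
For Each strTest In arrTest
	WScript.Echo strTest & " -> " & CheckPassword("StephenD", strTest)
Next
```

Each check appends its own message instead of returning at the first failure, so a rejected password reports every rule it breaks in one round trip.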
Shaggy
Support Moderator
Ireland
6780 Posts |
Posted - 10 August 2004 : 05:03:05
|
Good idea, Pknaz. There's some things you don't think of after you've been working with Snitz for a while!
Edited my post above with the necessary changes.
|
Search is your friend “I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.” |
|
|
StephenD
Senior Member
Australia
1044 Posts |
Posted - 10 August 2004 : 16:50:49
|
Thanks Shaggy,
Actually, the check for a combination of alpha-numeric password or alpha as first character works when you remove this part of the code
'## remove " or lcase(left(trim(strTempPass),1)) <> i" below if first character does not need to be alpha
Fantastic, going to play with password.asp now.
|
|
|
Shaggy
Support Moderator
Ireland
6780 Posts |
Posted - 11 August 2004 : 04:45:43
|
Was that comment causing problems?
|
|
|
StephenD
Senior Member
Australia
1044 Posts |
Posted - 11 August 2004 : 19:44:04
|
It was just this bit: or lcase(left(trim(strTempPass),1)) <> i which needed to be removed from the line below the commented line for the numeral checks to work? |
|
|
Shaggy
Support Moderator
Ireland
6780 Posts |
Posted - 12 August 2004 : 06:23:11
|
The numerical check didn't work with that included in the if statement? That's odd. Anyway, I've edited the code above to make it easier to remove the check for the first character being alpha which should resolve any problems there.
|
|
|
Shaggy
Support Moderator
Ireland
6780 Posts |
Posted - 24 August 2004 : 06:52:09
|
Updated the code above to include the changes Richard detailed here. You'll still need to make the change to line 235 yourself.
|
|
|