Password Security Tweaks

Snitz™ Forums 2000
https://forum.snitz.com/forumTopic/Posts/66350?pagenum=1
04 November 2025, 21:41

Topic


muzishun
Password Security Tweaks
22 January 2008, 16:27


I've packaged up a couple of the security tweaks Shaggy and I discussed in the Password Salting thread, and I've added a bit of flair to them. The admin can now configure the minimum/maximum length of the passwords from the Main Forum Configuration. They can also toggle alphanumeric passwords on and off from there as well.
From the readme:
This miniMOD adds a few security enhancements to users' passwords. It gives the forum owner the ability to specify minimum and maximum password lengths, as well as other features.
Download from SnitzBitz.

 

Replies ...


MarcelG
22 January 2008, 16:34


Nice one!
muzishun
22 January 2008, 17:27


Thanks much. I'm really loving the amount of time that I can spend working on "side code" like Snitz while I'm at work. There is a lot of self-management, and as long as I'm getting all of my work done, I have a fair amount of leeway. It has definitely helped me start to catch up on "The List". wink
MarcelG
23 January 2008, 01:18


I was in that position too for a while; loved every day of it! bigsmile (20+ hours of Snitz in work time a week, since the department I worked at had a Snitz-based CMS system plus a Snitz forum (which was, btw, caused by me too, as I installed it between Xmas and New Year bigsmile))
Shaggy
23 January 2008, 04:37


Nicely done, Muz' smile Definitely one I'd recommend for inclusion in the base code once it's had a few test drives.
muzishun
23 January 2008, 08:26


Thanks much, Shaggy. As I said, I've had a lot more time to work on stuff lately, so I have been keeping track of the different threads where people talk about things that don't/should have MODs and using those as fuel for my coding energy.
PPSSWeb
23 January 2008, 10:27


Great Idea! I can't wait until I have time to test it out. Thanks!
muzishun
23 January 2008, 10:51


You're welcome.
thelodger
23 January 2008, 14:29


Can I add this retrospectively? I don’t want to add this excellent mod if it will affect the current members.
muzishun
23 January 2008, 16:34


It will only affect current members if they change their password. It checks to see if they are changing their password in pop_profile.asp, and if they are, the new security measures are enforced. If not, their old password remains.
thelodger
23 January 2008, 16:49


Great, cheers, I will add it asap.
modifichicci
23 February 2008, 17:23


I have tested it now. It works quite well, but there are some redundant error messages if a password is too short or if there is a number at the beginning, so I have changed the routine checking the password in register and pop_profile to avoid redundant error messages.

I have changed
Code:
    If strPassNum = 1 Then
        boolPwnumeric = 0
        For i = 0 To 9
            If InStr(strTempPass,i) <> 0 Then
                boolPwNumeric = 1
                Exit For
            End If
        Next
    End If
    If boolPwNumeric = 1 or strPassNum = 0 Then
        For i = 97 To 122
            If LCase(Left(strTempPass,1)) = Chr(i) Then
                boolPwletter = 1
                boolPwalpha = 1
                Exit For
            End If
        Next
    End If

to:

Code:
    If strPassNum = 1 Then
        boolPwnumeric = 0
        ' Digit check: does the password contain 0-9?
        For i = 0 To 9
            ' Note: Chr(0)..Chr(9) are control characters, not the digits "0".."9",
            ' so this first branch does not match a leading digit as written.
            If LCase(Left(strTempPass,1)) = Chr(i) Then
                boolPwnumeric = 0
                Exit For
            ElseIf InStr(strTempPass,i) <> 0 Then
                boolPwNumeric = 1
                Exit For
            End If
        Next
        ' Letter check: a-z as first character, or anywhere in the password
        For i = 97 To 122
            If LCase(Left(strTempPass,1)) = Chr(i) Then
                boolPwletter = 1
                boolPwalpha = 1
                ' Exit For
            ElseIf InStr(strTempPass,Chr(i)) <> 0 Then
                boolPwalpha = 1
            End If
        Next
    Else
        If boolPwNumeric = 1 or strPassNum = 0 Then
            For i = 97 To 122
                If LCase(Left(strTempPass,1)) = Chr(i) Then
                    boolPwletter = 1
                    boolPwalpha = 1
                    Exit For
                ElseIf InStr(strTempPass,Chr(i)) <> 0 Then
                    boolPwalpha = 1
                End If
            Next
        End If
    End If

It seems to be working, but if someone has some better ideas he is welcome...
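
Added example, not part of the post above or of the MOD's own code: one way to avoid the redundant messages is to classify the characters in a single pass and report only the first rule that fails. The rule set (length limits, a leading letter, a digit when strPassNum = 1) is read from the flags in the post; PasswordError, intMinLen, intMaxLen and the message texts are hypothetical, and the sample passwords are constructed.

```vbscript
Option Explicit

' Added example (not the MOD's code). PasswordError, intMinLen and
' intMaxLen are hypothetical names; strPassNum = 1 mirrors the
' thread's "require a number" switch.
Function PasswordError(strTempPass, intMinLen, intMaxLen, strPassNum)
    Dim i, c, hasDigit, hasLetter, firstIsLetter
    hasDigit = False : hasLetter = False : firstIsLetter = False

    ' One pass classifies every character, so the rule checks below
    ' work from facts instead of from each other's flags.
    For i = 1 To Len(strTempPass)
        c = AscW(LCase(Mid(strTempPass, i, 1)))
        If c >= 48 And c <= 57 Then hasDigit = True      ' "0".."9"
        If c >= 97 And c <= 122 Then                      ' "a".."z"
            hasLetter = True
            If i = 1 Then firstIsLetter = True
        End If
    Next

    ' Report only the first rule that fails: one problem, one message.
    If Len(strTempPass) < intMinLen Then
        PasswordError = "Password must be at least " & intMinLen & " characters"
    ElseIf Len(strTempPass) > intMaxLen Then
        PasswordError = "Password can not be greater than " & intMaxLen & " characters"
    ElseIf Not hasLetter Then
        PasswordError = "Password must contain a letter"
    ElseIf Not firstIsLetter Then
        PasswordError = "Password must begin with a letter"
    ElseIf strPassNum = 1 And Not hasDigit Then
        PasswordError = "Password must contain a number"
    Else
        PasswordError = ""
    End If
End Function

' Constructed sample passwords; run with: cscript //nologo example.vbs
Dim p
For Each p In Array("ab1", "1abcdefg", "abcdefgh", "12345678", "abcdefg1")
    WScript.Echo p & " -> [" & PasswordError(p, 6, 25, 1) & "]"
Next
```

In an ASP page a non-empty result would be wrapped in <li>...</li> and appended to Err_Msg rather than echoed.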
modifichicci
24 February 2008, 01:24


In pop_profile we have to change lines 1365 - 1371 (around..) also, for admin password modification
Code:
    if strAuthType = "db" then
        if trim(Request.Form("Password")) <> "" then
            if Len(Request.Form("Password")) > 25 then
                Err_Msg = Err_Msg & "<li>The Password can not be greater than 25 characters</li>"
            end if
        end if
    end if
philsbbs
24 February 2008, 05:33


Installed and tested and works a treat.
Keep up the great work.
muzishun
24 February 2008, 19:07


Thanks modifichicci and phil. Hopefully I will have time this week to make some updates to this and re-release it. Till then, I will assume the changes you have above are kosher and work well. smile
Astralis
04 March 2008, 15:32


Muzishun,

Am I correct that this will only make new accounts have stronger passwords? While that's important, my real problem is the old accounts with weak passwords.
AnonJr
04 March 2008, 15:57


Someone else has been working towards the same end. He'd added an extra field to the members table to record who's updated and who hasn't. In inc_header.asp he checked to see if they'd updated, and if they hadn't, they were re-directed to the profile page to update their profile.
You might want to look into something similar....
modifichicci
04 March 2008, 16:09


Or you can install password reset and change the passwords of users.
An email will be sent with the new password, and the user can change it if he wants; the new one will be according to the new settings.

http://www.snitzbitz.com/mods/details.asp?Version=All&mid=105
AnonJr
04 March 2008, 16:13


I'm not sure I'd want to go that route... someone may take advantage of it if you reset everyone's password to the same thing. And I'm not sure I'd want to reset that many unique passwords. tongue
modifichicci
04 March 2008, 16:31


You reset each password, not all the same, one by one. You can invent as many passwords as you need.
StephenD
04 March 2008, 17:02


I suppose you could also rehash the existing password one time only with a code change.
AnonJr
04 March 2008, 17:31


Originally posted by modifichicci
You reset each password, not all the same, one by one. You can invent as many passwords as you need.
That's what I thought you meant. Gets kinda cumbersome after member 25.... wink tongue
natty
26 April 2008, 13:12


cool mod, but I'm getting the following error:

Microsoft VBScript compilation error '800a03ea'

Syntax error

/forums/admin_config_system.asp, line 245

'### start PWORD MOD###
^
natty
26 April 2008, 13:22


Okay, I fixed this by removing the &_ from the line above and adding Response.Write to the line below '### start PWORD MOD###

" <a href=""#top"">" & getCurrentIcon(strIconGoUp,"Go To Top Of Page","align=""right""") & "</a></font></td>" & vbNewLine '& _
'### start PWORD MOD### (commented out &_ above per this mod)
Response.Write " </tr>" & vbNewLine & _


I did the same at the end of the MOD. This solved the problem. However, I only did this because someone suggested I do this same thing when I was having a similar problem with another piece of code. I don't know ASP or VB and have no idea what this means or what I did. I'm glad it worked, but could someone please write on whether this is a viable solution? It fixed the problem, but I just want to make sure this was the correct thing to do in this case.
AnonJr
28 April 2008, 09:30


Run through some of the tutorials here: http://www.w3schools.com/asp/

The "&" is used to concatenate two strings together. The "_" is used to indicate that the current line of instruction continues on the next line. So "& _" tells the interpreter that you want it to treat the next line like it's part of this line.