By Alexandre Cayer on Sunday, 19 October 2014
Posted in General Issues
Hi Mark, Jason,

I was working on setting up a profile on the new version and, while on the joomla_password custom field, I saw that we could display the password strength but not enforce it. I would have clients enforce at least a STRONG PASSWORD on their password creation... considering the iCloud password failure and the sensitivity of the information my clients could post, the first step would at least be to control how bad a password they can set.

Could we set a client-side verification that binds the .password_strength_* to a certain int (1,5?) so that, if it is not met, the form switches to invalid?

On the server side, I suppose we could add a simple check to private function validatePassword($input, $reconfirm) if this is active, and test whether it returns a value greater than or equal to the parameter set.

a) However, for the client side, your form validation seems to be a mix of validateJS and Parsley, and I'm not quite sure how to set it up properly.

b) I guess that the password_strength is currently only set up in JS and not in PHP (I didn't find the JS script - it wasn't at media/com_easysocial/apps/fields/user/joomla_password/). Therefore, I'm not quite sure how to do this without the script.

Could you help with tweaking this feature? It could be a great addition to the next 1.3.* version.

Thanks

EDIT:
I have gone about 2 hours without success; however,
I have found the Foundry passwordstrength.js file and /public_html/media/com_easysocial/scripts/apps/fields/user/joomla_password/(content.js)

I have tried to modify the content.js to include a new rule, but even if I clear it, try on a new device or anything else, it is not working. I have even tried to delete all files in the folder and the verification was still working!?!?! I'm a little bit lost, since enabling such a function shouldn't be complicated, but the whole system is making me pull my hair out :/
Just tested this and it's fine. Please see my screenshot here, http://screen.stackideas.com/2014-10-22_2328.png . I have left the code in the joomla_password.php file.
Wednesday, 22 October 2014 23:28
Hello Alexandre,

I am really sorry, but unfortunately at this point in time it is not possible to enforce this. If you want to check the password strength within PHP, you need to edit the file /media/com_easysocial/apps/fields/user/joomla_password/joomla_password.php
Sunday, 19 October 2014 22:24
Mark,

How come it still registers when everything returns false... so complicated for such a simple thing...
I would have had a $password_strength_min in the conf file, get the value and return false if $password_strength_min is smaller than $val.
Whatever... if you could get something working before ES 1.4 lollll


private function validatePassword($input, $reconfirm)
{
    $len      = strlen($input);
    // Count characters per class (the original regexes were missing the closing "/" delimiters)
    $nums     = preg_match_all("/\d/", $input);
    $lowers   = preg_match_all("/[a-z]/", $input);
    $uppers   = preg_match_all("/[A-Z]/", $input);
    $specials = $len - $nums - $lowers - $uppers;
    $val      = 0;

    // Verify that the passwords are valid and not empty
    if (empty($input) || empty($reconfirm)) {
        $this->setError(JText::_('PLG_FIELDS_JOOMLA_PASSWORD_EMPTY_PASSWORD'));

        return false;
    }

    if ($this->params->get('min') > 0 && strlen($input) < $this->params->get('min')) {
        $this->setError(JText::sprintf('PLG_FIELDS_JOOMLA_PASSWORD_MINIMUM_CHAR', $this->params->get('min')));

        return false;
    }

    if ($this->params->get('max') > 0 && strlen($input) > $this->params->get('max')) {
        $this->setError(JText::sprintf('PLG_FIELDS_JOOMLA_PASSWORD_MAXIMUM_CHAR', $this->params->get('max')));

        return false;
    }

    if ($input !== $reconfirm) {
        $this->setError(JText::_('PLG_FIELDS_JOOMLA_PASSWORD_NOT_MATCHING'));

        return false;
    }

    // Reject a password drawn from a single character class
    if ($nums == $len || $lowers == $len || $uppers == $len || $specials == $len) {
        return false;
    }

    // Score the mix of character classes, following the passwordstrength.js scale
    $strength = 0;
    if ($nums)     { $strength += 2; }
    if ($lowers)   { $strength += $uppers ? 4 : 3; }
    if ($uppers)   { $strength += $lowers ? 4 : 3; }
    if ($specials) { $strength += 5; }
    if ($len > 10) { $strength += 1; }

    // Map the raw score onto the 1-5 strength levels shown by the field
    if ($strength <= 0) {
        $val = 1;
    } else if ($strength > 0 && $strength <= 4) {
        $val = 2;
    } else if ($strength > 4 && $strength <= 8) {
        $val = 3;
    } else if ($strength > 8 && $strength <= 12) {
        $val = 4;
    } else if ($strength > 12) {
        $val = 5;
    }

    // Deliberately returns false instead of true, as a test that the result is enforced;
    // $val is computed but not yet compared against a configured minimum
    return false;
}
Monday, 20 October 2014 03:10
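The enforcement step the thread is asking for, as an added example that is not EasySocial's code: the scoring from the post above as a standalone function, plus a comparison of the resulting level against a configured minimum. The config name $strengthMin, the sample passwords and the decision to map single-class passwords to level 1 (the post rejects them outright) are assumptions of this example.

```php
<?php
// Added example, not EasySocial's code. Scores a password on the 1-5 scale used
// in the thread and enforces an assumed minimum-strength setting ($strengthMin).

function passwordStrengthLevel(string $input): int
{
    $len      = strlen($input);
    $nums     = preg_match_all('/\d/', $input);
    $lowers   = preg_match_all('/[a-z]/', $input);
    $uppers   = preg_match_all('/[A-Z]/', $input);
    $specials = $len - $nums - $lowers - $uppers;

    // Empty or single-character-class passwords get the lowest level (assumption:
    // the thread's version simply rejects these).
    if ($len === 0 || $nums === $len || $lowers === $len || $uppers === $len || $specials === $len) {
        return 1;
    }

    // Same weighting as the thread's validatePassword hack.
    $strength = 0;
    if ($nums)     { $strength += 2; }
    if ($lowers)   { $strength += $uppers ? 4 : 3; }
    if ($uppers)   { $strength += $lowers ? 4 : 3; }
    if ($specials) { $strength += 5; }
    if ($len > 10) { $strength += 1; }

    if ($strength <= 4)  { return 2; }
    if ($strength <= 8)  { return 3; }
    if ($strength <= 12) { return 4; }
    return 5;
}

// Server-side enforcement: the computed level must not be below the minimum.
// Note the direction: it is the level, not the minimum, that may not be smaller.
function meetsMinimumStrength(string $input, int $strengthMin): bool
{
    return passwordStrengthLevel($input) >= $strengthMin;
}

// Constructed sample passwords; $strengthMin is the assumed new config value.
$strengthMin = 4;
foreach (['password', 'Passw0rd', 'Passw0rd!', 'Correct-Horse-Battery-9'] as $candidate) {
    printf("%-25s level %d -> %s\n", $candidate, passwordStrengthLevel($candidate),
        meetsMinimumStrength($candidate, $strengthMin) ? 'accepted' : 'rejected');
}
```

In the field plugin, the `meetsMinimumStrength()` result would replace the unconditional `return false` at the bottom of validatePassword(), with setError() called on rejection so the registration form shows the reason.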
Hello Alexandre,

If you have returned false in the validatePassword method, it should generate an error. It's most likely that the hacks you applied in validatePassword are not working correctly.
Monday, 20 October 2014 10:03
I only made tests on the PHP file for the server side and on the script for the client-side version. I will put back the 2 originals tomorrow and test again. This is a brand new install with no other hack than this. All my last apps were on my previous install; I wanted to start from scratch. 2nd issue with the 2-factor... that's weird.

Can you transfer this to a feature request or whatever? I wish to see some security to avoid the iCloud meltdown from last month with the picture leak. Do you think it's doable by 1.4?
Tuesday, 21 October 2014 12:26
Hey Mark, I reinstalled the two folders I had modified from the install version. I have modified only private function validatePassword($input, $reconfirm) to return false at the bottom instead of true. The registration proceeded again without error. Could it be related to the fact that the 2-factor isn't working/showing properly, since it really seems it skips something... super weird. I have reposted the site info and made the test in the front-end with the first user profile.
Tuesday, 21 October 2014 12:55
Hello Alexandre,

Is it possible for you to provide us with the FTP access to the site?
Tuesday, 21 October 2014 16:09
Hi Mark,

Here it is. Maybe a reinstall would be better but, besides Arlex's fix for language and what I tried for password strength, I haven't hacked anything this time.

I have spent way too much time, both on a client-side JavaScript and a server-side PHP approach, considering the algorithm of the password strength's JS file for an implementation with an extra conf value. It was easier to build my previous field from scratch (hehehe), but this is mainly due to your complex Foundry system, which is very sophisticated (and super well done, shows above-average skills)!!!

Thanks Mark, I'm sure the result, once the tech problem is cleared, could be useful for the whole community!

Alex
Wednesday, 22 October 2014 14:12
Hello,

The FTP access provided is not working, unfortunately.
Wednesday, 22 October 2014 14:32
I'll copy-paste it; it should be a typo, I just tried it and it worked.
Wednesday, 22 October 2014 14:41
Finally, it took 5x less time to make it work than to debug the whole thing.

Thanks Mark
Thursday, 23 October 2014 05:03
Hello Alexandre Cayer,

You're welcome, glad to hear your issues are resolved.
Thursday, 23 October 2014 13:16