Extension talk:EnforceStrongPassword

From mediawiki.org

Extension to the Extension 2009-05-16

I noticed that the extension (version 0.2) did not check if the password matched the username, and did not allow special (punctuation) characters. Here is a slightly modified version:

<?php

function isStrongPassword( $password, &$return, $user ) {

  // Remember to set this variable in LocalSettings.php
  global $wgMinimalPasswordLength, $wgContLang;
  if (
    strlen( $password ) >= $wgMinimalPasswordLength // at least xx chars
    && strlen( $password ) < 17 // at most 16 chars
    && preg_match( '`[A-Z]`', $password ) // at least one upper case
    && preg_match( '`[a-z]`', $password ) // at least one lower case
    && preg_match( '`[0-9]`', $password ) // at least one digit
    && preg_match( '`[[:punct:]]`', $password ) // at least one special char (preg_match() replaces ereg(), which is removed in PHP 7)
    && ( $wgContLang->lc( $password ) !== $wgContLang->lc( $user->getName() ) ) // not the user name, compared case-insensitively
  ) {
    // valid
    $return = true;
  } else {
    // not valid
    $return = false;
  }

  // This hook REPLACES the original code.
  return false;
}

Extension to the Extension

The following will no longer work, and is not recommended anyway, since isValidPassword is now hookable. Use the newer version above. It is just here for historical purposes.

Where I work a strong password requires at least eight characters, a capital letter, a number, and a punctuation mark. So I modified this extension to include a check for punctuation, and I added relevant error messages. This is kind of a kludge because I am not a sophisticated PHP programmer.

Here is my version of StrongPassword.php:

<?php

function isStrongPassword( $password, &$return ) {

    // Remember to set this variable in LocalSettings.php
    global $wgMinimalPasswordLength;
    global $wgMessageCache; // legacy message API; see the note above
    static $first_time = true;
    $answer = true;
    if ( $first_time ) {
        $wgMessageCache->addMessages( array(
            'nodigit' => 'Password needs at least one digit.',
            'nocap'   => 'Password needs at least one capital.',
            'nolow'   => 'Password needs at least one lower case letter.',
            'nospec'  => 'Password needs a special character.' ) );
        $first_time = false;
    }
    // Never write the candidate password itself to the debug log.
    wfDebug( "Checking password strength.\n" );
    // preg_match() replaces ereg(), which is deprecated since PHP 5.3 and removed in 7.0
    if ( strlen( $password ) < $wgMinimalPasswordLength ) {
        wfDebug( "Password not long enough.\n" );
        $answer = false;
    } elseif ( !preg_match( '/[0-9]/', $password ) ) {
        wfDebug( "Password does not contain digit.\n" );
        $answer = false;
    } elseif ( !preg_match( '/[A-Z]/', $password ) ) {
        wfDebug( "Password does not contain a capital letter.\n" );
        $answer = false;
    } elseif ( !preg_match( '/[a-z]/', $password ) ) {
        wfDebug( "Password does not contain a lowercase letter.\n" );
        $answer = false;
    } elseif ( !preg_match( '/[[:punct:]]/', $password ) ) {
        wfDebug( "Password does not contain a special char.\n" );
        $answer = false;
    }
    $return = $answer;
    return $answer;
}

?>


I also modified the files User.php and SpecialUserlogin.php so that they provided the right user feedback if someone attempts to set a non-Strong password. Here are the diffs:


$ rcsdiff User.php
===================================================================
RCS file: RCS/User.php,v
retrieving revision 1.1
diff -r1.1 User.php
1391c1391,1392
<                               global $wgMinimalPasswordLength;
---
>                           global $wgMinimalPasswordLength;
>                           if (strlen( $str ) < $wgMinimalPasswordLength) {
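Review bot: the `if (strlen( $str ) < $wgMinimalPasswordLength) {` opened on the last line of this hunk is only closed by the `}` in the next hunk (1393c1394,1407), so the two hunks are one change and must be applied together; the existing throw whose tail (`$wgMinimalPasswordLength ) );`) shows up there is being wrapped across a hunk boundary. Posting the whole modified block as one excerpt would make the resulting control flow reviewable.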
1393c1394,1407
<                                       $wgMinimalPasswordLength ) );
---
>                                   $wgMinimalPasswordLength ) );
>                               }
>                           elseif (! ereg('[0-9]',$str)) {
>                               throw new PasswordError( wfMsg( 'nodigit'));
>                               }
>                           elseif (! ereg('[A-Z]',$str)) {
>                               throw new PasswordError( wfMsg( 'nocap'));
>                               }
>                           elseif (! ereg('[a-z]',$str)) {
>                               throw new PasswordError( wfMsg( 'nolow'));
>                               }
>                           else {
>                               throw new PasswordError( wfMsg( 'nospec' ));
>                               }
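Review bot: the closing `else { throw new PasswordError( wfMsg( 'nospec' )); }` reports a missing special character without testing for one. It is right only by elimination: the surrounding text says this runs once the password has already been rejected, and the four preceding branches (length, digit, capital, lower case) are exactly the other rules in the posted StrongPassword.php, in the same order. As soon as the hook gains another rule (the username check in the newer version above, for instance) a password failing only that rule will be told it needs a special character. Test the rule explicitly, `elseif (! ereg('[[:punct:]]',$str)) { throw new PasswordError( wfMsg( 'nospec' )); }`, and keep a generic fallback message in the final else. Separately, ereg() is deprecated since PHP 5.3 and removed in 7.0; `preg_match('/[0-9]/', $str)` and friends are the replacements.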


$ rcsdiff SpecialUserlogin.php
===================================================================
RCS file: RCS/SpecialUserlogin.php,v
retrieving revision 1.1
diff -r1.1 SpecialUserlogin.php
262a263,264
>                   $str = $this->mPassword;
>                   if (strlen( $str ) < $wgMinimalPasswordLength) {
264,265c266,280
<                       return false;
<               }
---
>                       }
>                   elseif (! ereg('[0-9]',$str)) {
>                       $this->mainLoginForm( wfMsg( 'nodigit') );
>                       }
>                   elseif (! ereg('[A-Z]',$str)) {
>                       $this->mainLoginForm( wfMsg( 'nocap') );
>                       }
>                   elseif (! ereg('[a-z]',$str)) {
>                       $this->mainLoginForm( wfMsg( 'nolow') );
>                       }
>                   else {
>                       $this->mainLoginForm( wfMsg( 'nospec') );
>                       }
>                   return false;
>                  }
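Review bot: same elimination problem as in User.php: the final `else { $this->mainLoginForm( wfMsg( 'nospec') ); }` is reached for any rejection the earlier branches did not match, so a password refused by the hook for a reason other than the four tested here gets a misleading "special character" message; test the punctuation rule explicitly and fall back to a generic message. The `if` opened in hunk 262a263,264 is closed only by the `}` after the moved `return false;` here, so the two hunks must be applied together, and the single `return false;` at the end is what keeps every branch from proceeding after mainLoginForm() is shown.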

Any questions or comments? I can be reached at evansjr@computer.org.
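An added example, not code from the extension or from either posting above, that combines the two approaches in the replies on this page: one PHP function returns the list of rules a password fails, so a caller can show the specific message without patching core, and a thin hook body in the shape of the isValidPassword hook discussed above wraps it. The function names, rule names and sample inputs are all constructed for this example; the username test is generalised from the equality test above to reject any password that contains the account name, no upper length bound is imposed, and the registration line in the comment is the standard $wgHooks form, assumed here rather than taken from the extension.

```php
<?php
// Added example, not the extension's own code. Hypothetical names:
// checkPasswordStrength(), strongPasswordHook().

/**
 * Return the names of every rule the password fails; an empty array means it passes.
 *
 * @param string $password  candidate password
 * @param string $userName  account name, compared case-insensitively
 * @param int    $minLength minimum length ($wgMinimalPasswordLength in MediaWiki)
 * @return string[]
 */
function checkPasswordStrength( string $password, string $userName, int $minLength = 8 ): array {
    $failed = [];
    if ( mb_strlen( $password ) < $minLength ) {
        $failed[] = 'tooshort';
    }
    if ( !preg_match( '/[A-Z]/', $password ) ) {
        $failed[] = 'nocap';
    }
    if ( !preg_match( '/[a-z]/', $password ) ) {
        $failed[] = 'nolow';
    }
    if ( !preg_match( '/[0-9]/', $password ) ) {
        $failed[] = 'nodigit';
    }
    // [[:punct:]] inside a bracket expression is the PCRE form of the class
    // the posted versions used with ereg().
    if ( !preg_match( '/[[:punct:]]/', $password ) ) {
        $failed[] = 'nospec';
    }
    // Stricter than the posted equality test: any password containing the
    // account name (case-insensitively) is rejected.
    if ( $userName !== '' && mb_stripos( $password, $userName ) !== false ) {
        $failed[] = 'containsusername';
    }
    return $failed;
}

/**
 * Hook body in the shape of the isValidPassword hook: sets $result and returns
 * false so MediaWiki skips its own length-only check.
 * Assumed registration in LocalSettings.php:
 *   $wgHooks['isValidPassword'][] = 'strongPasswordHook';
 */
function strongPasswordHook( $password, &$result, $user ) {
    global $wgMinimalPasswordLength;
    $failed = checkPasswordStrength( $password, $user->getName(), $wgMinimalPasswordLength ?? 8 );
    $result = ( $failed === [] );
    // Log which rules failed, never the password itself.
    if ( !$result && function_exists( 'wfDebug' ) ) {
        wfDebug( 'Password rejected: ' . implode( ', ', $failed ) . "\n" );
    }
    return false;
}

// Constructed sample inputs (not from the page); run with `php` on the command line.
if ( PHP_SAPI === 'cli' ) {
    foreach ( [ 'Correct-Horse9', 'alice', 'Alice2024!', 'short1!' ] as $candidate ) {
        $failed = checkPasswordStrength( $candidate, 'alice', 8 );
        echo str_pad( $candidate, 16 ), $failed ? implode( ', ', $failed ) : 'ok', "\n";
    }
}
```

Returning the full list of failed rules, rather than stopping at the first, lets the caller show the user everything to fix in one round trip and avoids the elimination-order coupling that the core patches above depend on: adding a rule here cannot cause a wrong message elsewhere.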

Apply only to sysops

It would be good to have a configuration setting causing the strong password requirement to only apply to sysops. They should be unable to exercise sysop powers while their password is weak. Tisane 17:01, 24 March 2010 (UTC)