Extension talk:EnforceStrongPassword

Extension to the Extension 2009-05-16
I noticed that the extension (version. 0.2) did not check if the password matched the username, and did not allow special (punctuation) characters. Here is a slightly modified version:

function isStrongPassword($password, &$return,$user) { //Remember to set this variable in LocalSettings.php global $wgMinimalPasswordLength, $wgContLang; if(   strlen($password)>=$wgMinimalPasswordLength // at least xx chars    && strlen($password)<17 // at most 16 chars    && preg_match('`[A-Z]`',$password) // at least one upper case    && preg_match('`[a-z]`',$password) // at least one lower case    && preg_match('`[0-9]`',$password) // at least one digit    && ( ereg('punct:',$password)) // at least one special char    && ($wgContLang->lc( $password ) !== $wgContLang->lc( $user->mName ))    ){ // valid $return = true; } else { // not valid $return = false; }  // This hook REPLACES the original code. return false; }

Extension to the Extension
The following will no longer work, and is not recommended anyway, since isValidPassword" now is hookable''. Use the newer version above.  It is just here for historical purposes.

Where I work a strong password requires at least eight characters, a capital letter, a number, and a punctuation mark. So I modified this extension to include a check for punctuation, and I added relevant error messages. This is kind of a kludge because I am not a sophisticated PHP programmer.

Here is my version of StrongPassword.php:

addMessages(array( 'nodigit' => 'Password needs at least one digit.', 'nocap' => 'Password needs at least one capital.', 'nolow' => 'Password needs at least one lower case letter.', 'nospec' => 'Password needs a special character.')); $first_time = false; }   wfDebug("Your password is $password.\n"); if (strlen( $password ) < $wgMinimalPasswordLength) { wfDebug("Password not long enough.\n"); $answer = false; }   elseif (! ereg('[0-9]',$password)) { wfDebug("Password does not contain digit.\n"); $answer = false; }   elseif (! ereg('[A-Z]',$password)) { wfDebug("Password does not contain a capital letter.\n"); $answer = false; }   elseif (! ereg('[a-z]',$password)) { wfDebug("Password does not contain a lowercase letter.\n"); $answer = false; }   elseif (! ereg('punct:',$password)) { wfDebug("Password does not contain a special char.\n"); $answer = false; }   $return = $answer; return $answer; } ?>

I also modified the files User.php and SpecialUserlogin.php so that they provided the right user feedback if someone attempts to set a non-Strong password. Here are the diffs:

$ rcsdiff User.php

=
====================================================== RCS file: RCS/User.php,v retrieving revision 1.1 diff -r1.1 User.php 1391c1391,1392 <                              global $wgMinimalPasswordLength; --- >                          global $wgMinimalPasswordLength; >                          if (strlen( $str ) < $wgMinimalPasswordLength) { 1393c1394,1407 <                                      $wgMinimalPasswordLength ) ); --- >                                  $wgMinimalPasswordLength ) ); >                              } >                           elseif (! ereg('[0-9]',$str)) { >                              throw new PasswordError( wfMsg( 'nodigit')); >                              } >                           elseif (! ereg('[A-Z]',$str)) { >                              throw new PasswordError( wfMsg( 'nocap')); >                              } >                           elseif (! ereg('[a-z]',$str)) { >                              throw new PasswordError( wfMsg( 'nolow')); >                              } >                           else { >                              throw new PasswordError( wfMsg( 'nospec' )); >                              }

$ rcsdiff SpecialUserlogin.php

=
====================================================== RCS file: RCS/SpecialUserlogin.php,v retrieving revision 1.1 diff -r1.1 SpecialUserlogin.php 262a263,264 >                  $str = $this->mPassword; >                  if (strlen( $str ) < $wgMinimalPasswordLength) { 264,265c266,280 <                      return false; <              } --- >                       } >                   elseif (! ereg('[0-9]',$str)) { >                      $this->mainLoginForm( wfMsg( 'nodigit') ); >                      } >                   elseif (! ereg('[A-Z]',$str)) { >                      $this->mainLoginForm( wfMsg( 'nocap') ); >                      } >                   elseif (! ereg('[a-z]',$str)) { >                      $this->mainLoginForm( wfMsg( 'nolow') ); >                      } >                   else { >                      $this->mainLoginForm( wfMsg( 'nospec') ); >                      } >                   return false; >                 }

Any questions or comments? I can be reached at evansjr@computer.org.

Apply only to sysops
It would be good to have a configuration setting causing the strong password requirement to only apply to sysops. They should be unable to exercise sysop powers while their password is weak. Tisane 17:01, 24 March 2010 (UTC)