phpBB2Refugees.com Logo
Not affiliated with or endorsed by the phpBB Group


Password strength

Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 544
Location: North West UK


Posted: Sun Mar 01, 2009 7:57 pm
Post subject: Password strength

Does anyone know of a Password strength mod that will show new users the strength of their password as they type it in?
A lot of sites have this sort of thing now and it would be a very good add on.
I am prompted to post this having read Dave's comments here. http://www.phpbbdoctor.com/blog/2009/02/13/lets-talk-about-md5/

Jim
Ram
Board Member



Joined: 23 Dec 2008

Posts: 100
Location: Somewhere over the rainbow


Posted: Tue Mar 03, 2009 7:31 am
Post subject: Re: Password strength

Salt Passwords 2.0.2 maybe
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 544
Location: North West UK


Posted: Tue Mar 03, 2009 10:16 am
Post subject: Re: Password strength

I am looking for some sort of meter that can be added to the registration page that will tell new users how strong their password is.

Jim
espicom
Board Member



Joined: 24 Nov 2008

Posts: 55
Location: Woodstock, IL


Posted: Wed Mar 04, 2009 4:53 am
Post subject: Re: Password strength

Check out the PHP functions that use 'crack': http://us2.php.net/manual/en/book.crack.php

Of course, there is no guarantee your server supports them...
drathbun
Board Member



Joined: 24 Jul 2008

Posts: 653
Location: Texas


Posted: Wed Mar 04, 2009 7:03 am
Post subject: Re: Password strength

I always suspected that sort of stuff used javascript, since it happens as you type...
_________________
phpBBDoctor Blog
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 544
Location: North West UK


Posted: Wed Mar 04, 2009 10:04 am
Post subject: Re: Password strength

Thanks guys - something to go on when I have a bit of time.
I would not be at all surprised if some of my members used the word "password" or "12345"

Jim
roadhog
Board Member



Joined: 19 Nov 2008

Posts: 95
Location: Central Texas


Posted: Wed Mar 04, 2009 5:24 pm
Post subject: Re: Password strength

To be honest, I'd be very surprised if none of my members used the passwords you mentioned, Jim. I'm hoping that some kind soul will come up with a "salting" mod, or some sort of mod that we can add to our boards, to totally "idiotproof" the password selection risks, introduced by those who are "password challenged".

In the meantime, if/when you get a chance to try a method of "coaching" registrants/members to make better password choices, I would definitely appreciate reading any of your thoughts on how well it seems to work, and how to best apply any of this. I plan to play with this a bit, too, to see if I can find any ways to improve the situation, and I'll certainly post about anything that might look promising.
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 544
Location: North West UK


Posted: Wed Mar 04, 2009 5:58 pm
Post subject: Re: Password strength

I have just done a dump of all the hashes on my site.

I then used the hashing facility in Starfoxtj toolkit to hash "123456", "password" and "qwerty" and Notepad++ to do a count of each.
4 individuals have used "password"
4 individuals have used "123456"
2 individuals have used "qwerty"

Even though my site is a modelling related site we have in several topics discussed security and the need to use strong passwords.
I think it is time I spoke to them again!
I wonder how many folks are so lax as to use those passwords for such as bank accounts, eBay, PayPal etc.?

Jim
Ptirhiik
Board Member



Joined: 19 Nov 2008

Posts: 114


Posted: Wed Mar 04, 2009 7:54 pm
Post subject: Re: Password strength

Much more than you can guess actually. I had to do such an expertise last year for a firm regarding their web environment security. Funny times I might add, and it was an easy job to do.
drathbun
Board Member



Joined: 24 Jul 2008

Posts: 653
Location: Texas


Posted: Thu Mar 05, 2009 1:45 pm
Post subject: Re: Password strength

I had a look at my control panel software which includes a "password strength" indicator that is live. Meaning as you type your password the indicator bar goes from red to yellow to green as you add more complexity. It seems to use a javascript library from Yahoo.

Wordpress also has something similar, and WP is open source, so anything from there should be adaptable to phpBB as well, with proper credit.

_________________
phpBBDoctor Blog
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 544
Location: North West UK


Posted: Thu Mar 05, 2009 6:22 pm
Post subject: Re: Password strength

Thanks for all the info. I have found a javascript one that looks reasonable but I will check out the Yahoo one as well.
My problem now is time as I seem to have so little of it. Just when I thought I had finally retired I am being asked to do more tuition.

Ah well it pays the bills I suppose.

Jim
dogs and things
Board Member



Joined: 18 Nov 2008

Posts: 621
Location: Spain


Posted: Sun Mar 08, 2009 1:58 pm
Post subject: Re: Password strength

Hi Jim,

I don't know if you already found Password Security. I bumped into it by accident and was reminded of this topic.

Greetings.

_________________
phpBB2 will never die, I hope!
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 544
Location: North West UK


Posted: Sun Mar 08, 2009 2:22 pm
Post subject: Re: Password strength

Now from the description that looks promising.
I will download and test it now.

Many thanks

Jim

Edit
I have tested it on localhost with a test board. It installs with Easymod and it is just what I needed.
I owe you one.

Edit to the edit
I have had time to do some testing and rules need tightening up on it.
I tried entering a password and only got as far as "So" when it moved from unsafe to not recommended.
I think it should require at least 6 characters before it moves from the "Unsafe" level.
Likewise a letter followed by a number is all that is needed to move it from unsafe.
Even "passw0rd" comes up as safe!!!
I do not do any coding at all but am going to take a look at the section that goes into profile_add_body.tpl to see if I can work out how to set the minimum of 6 characters.
If anyone else is more proficient than I (just about everyone) could take a look I shall be very grateful.

Jim
dogs and things
Board Member



Joined: 18 Nov 2008

Posts: 621
Location: Spain


Posted: Sun Mar 08, 2009 4:00 pm
Post subject: Re: Password strength

I agree,

It should be improved/tightened up a bit.

The code looks very easy, but I'm afraid I'm at the same level where you are, as a coder.

Code:
      <script language="JavaScript" type="text/javascript">
      <!--
      // Password security
      function check_pw(pw_to_check)
      {
         var counter_to_check = 0;
         var minlength_to_check = 6;
      
         if (pw_to_check.length >= minlength_to_check)
         {
            counter_to_check = counter_to_check + 1;
         }
         // upper-case letter (or a backslash); the escape is balanced so the class closes
         if (pw_to_check.match(/[A-Z\\]/))
         {
            counter_to_check = counter_to_check + 2;
         }
         if (pw_to_check.match(/[a-z\\\\]/))
         {
            counter_to_check = counter_to_check + 1;
         }
         if (pw_to_check.match(/[0-9]/))
         {
            counter_to_check = counter_to_check + 2;
         }
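         // punctuation / special characters
         if (pw_to_check.match(/[\.\,\?\!\%\*\_\#\:\;\~\\&\$\\\@\/\=\+\-\(\)\[\]\|\<\>]/))
         {
            counter_to_check = counter_to_check + 2;
         }
         // getElementsByName() returns a list, so read the first match (if the field exists)
         var username_field = document.getElementsByName('username')[0];
         if (username_field && pw_to_check == username_field.value)
         {
            counter_to_check = 0;
         }
         var email_field = document.getElementsByName('email')[0];
         if (email_field && pw_to_check == email_field.value)
         {
            counter_to_check = 0;
         }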

         if (counter_to_check <= 2)
         {
            document.getElementsByName('holder_pw')[0].style.backgroundColor = 'red';
            document.getElementsByName('holder_pw')[0].style.color = 'black';
            document.getElementsByName('holder_pw')[0].style.border = '1px solid black';
            document.getElementsByName('holder_pw')[0].value = '{L_PASSWORD_SECURITY_LEVEL1}';
         }
         else if (counter_to_check <= 4)
         {
            document.getElementsByName('holder_pw')[0].style.backgroundColor = 'yellow';
            document.getElementsByName('holder_pw')[0].style.color = 'black';
            document.getElementsByName('holder_pw')[0].style.border = '1px solid black';
            document.getElementsByName('holder_pw')[0].value = '{L_PASSWORD_SECURITY_LEVEL2}';
         }
         else if (counter_to_check <= 5)
         {
            document.getElementsByName('holder_pw')[0].style.backgroundColor = 'green';
            document.getElementsByName('holder_pw')[0].style.color = 'white';
            document.getElementsByName('holder_pw')[0].style.border = '1px solid black';
            document.getElementsByName('holder_pw')[0].value = '{L_PASSWORD_SECURITY_LEVEL3}';
         }
         else if (counter_to_check <= 7)
         {
            document.getElementsByName('holder_pw')[0].style.backgroundColor = 'green';
            document.getElementsByName('holder_pw')[0].style.color = 'white';
            document.getElementsByName('holder_pw')[0].style.border = '1px solid black';
            document.getElementsByName('holder_pw')[0].value = '{L_PASSWORD_SECURITY_LEVEL4}';
         }
         else if (counter_to_check == 8)
         {
            document.getElementsByName('holder_pw')[0].style.backgroundColor = 'green';
            document.getElementsByName('holder_pw')[0].style.color = 'white';
            document.getElementsByName('holder_pw')[0].style.border = '1px solid black';
            document.getElementsByName('holder_pw')[0].value = '{L_PASSWORD_SECURITY_LEVEL5}';
         }
      }
      //-->
      </script>
      <input onkeyup="check_pw(this.value);" onfocus="check_pw(this.value);" type="password" class="post" style="width: 200px" name="new_password" size="25" maxlength="32" value="{NEW_PASSWORD}" />&nbsp;


I'd say that things like
Code:
counter_to_check + 2
can be changed a bit, instead of +2 make it +1. The number stands for the amount of points added to the counter_to_check.

And those thingies
Code:
else if (counter_to_check <= 5)
can be altered by making <5 for instance <6 or <7
<5 means smaller than 5 so if the points added are lower the degree of safety should climb slower. If at the same time <5 is changed to a higher number level increase should be slower.

Get what I mean?

I figure this will already mean an improvement although I'm sure further improvement can be made by someone that knows what he's doing:
Code:
      <script language="JavaScript" type="text/javascript">
      <!--
      // Password security
      function check_pw(pw_to_check)
      {
         var counter_to_check = 0;
         var minlength_to_check = 6;
      
         if (pw_to_check.length >= minlength_to_check)
         {
            counter_to_check = counter_to_check + 1;
         }
         if (pw_to_check.match(/[A-Z]/))
         {
            counter_to_check = counter_to_check + 1;
         }
         if (pw_to_check.match(/[\\]/))
         {
            counter_to_check = counter_to_check + 1;
         }
         if (pw_to_check.match(/[a-z\\\\]/))
         {
            counter_to_check = counter_to_check + 1;
         }
         if (pw_to_check.match(/[0-9]/))
         {
            counter_to_check = counter_to_check + 1;
         }
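         // punctuation / special characters
         if (pw_to_check.match(/[\.\,\?\!\%\*\_\#\:\;\~\\&\$\\\@\/\=\+\-\(\)\[\]\|\<\>]/))
         {
            counter_to_check = counter_to_check + 2;
         }
         // getElementsByName() returns a list, so read the first match (if the field exists)
         var username_field = document.getElementsByName('username')[0];
         if (username_field && pw_to_check == username_field.value)
         {
            counter_to_check = 0;
         }
         var email_field = document.getElementsByName('email')[0];
         if (email_field && pw_to_check == email_field.value)
         {
            counter_to_check = 0;
         }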

         if (counter_to_check <= 2)
         {
            document.getElementsByName('holder_pw')[0].style.backgroundColor = 'red';
            document.getElementsByName('holder_pw')[0].style.color = 'black';
            document.getElementsByName('holder_pw')[0].style.border = '1px solid black';
            document.getElementsByName('holder_pw')[0].value = '{L_PASSWORD_SECURITY_LEVEL1}';
         }
         else if (counter_to_check <= 4)
         {
            document.getElementsByName('holder_pw')[0].style.backgroundColor = 'red';
            document.getElementsByName('holder_pw')[0].style.color = 'black';
            document.getElementsByName('holder_pw')[0].style.border = '1px solid black';
            document.getElementsByName('holder_pw')[0].value = '{L_PASSWORD_SECURITY_LEVEL1}';
         }
         else if (counter_to_check <= 5)
         {
            document.getElementsByName('holder_pw')[0].style.backgroundColor = 'yellow';
            document.getElementsByName('holder_pw')[0].style.color = 'white';
            document.getElementsByName('holder_pw')[0].style.border = '1px solid black';
            document.getElementsByName('holder_pw')[0].value = '{L_PASSWORD_SECURITY_LEVEL2}';
         }
         else if (counter_to_check <= 7)
         {
            document.getElementsByName('holder_pw')[0].style.backgroundColor = 'green';
            document.getElementsByName('holder_pw')[0].style.color = 'white';
            document.getElementsByName('holder_pw')[0].style.border = '1px solid black';
            document.getElementsByName('holder_pw')[0].value = '{L_PASSWORD_SECURITY_LEVEL4}';
         }
         else if (counter_to_check == 8)
         {
            document.getElementsByName('holder_pw')[0].style.backgroundColor = 'green';
            document.getElementsByName('holder_pw')[0].style.color = 'white';
            document.getElementsByName('holder_pw')[0].style.border = '1px solid black';
            document.getElementsByName('holder_pw')[0].value = '{L_PASSWORD_SECURITY_LEVEL5}';
         }
      }
      //-->
      </script>
      <input onkeyup="check_pw(this.value);" onfocus="check_pw(this.value);" type="password" class="post" style="width: 200px" name="new_password" size="25" maxlength="32" value="{NEW_PASSWORD}" />&nbsp;

Although I haven't tested this code so as they say: "Don't use in a live environment and backup your files before testing it!"

_________________
phpBB2 will never die, I hope!
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 544
Location: North West UK


Posted: Sun Mar 08, 2009 4:17 pm
Post subject: Re: Password strength

I will check it out later and report back.
The important thing I think though is that it should stay at "Unsafe" no matter what until there are at least 6 characters although I guess that T5)s is safer than just a combination of 6+ upper and lower case letters.

Jim
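
An added example (not code from the Password Security MOD or from any poster in this thread) of a scoring function for the rules asked for above: the level stays at the lowest setting below 6 characters, and choices such as "passw0rd" are caught by a denylist check after undoing common character substitutions. The function names, the sample denylist and the point values are assumptions made for illustration.

```javascript
// Added example: pure scoring function (no DOM access) so it can be tested.
// COMMON_PASSWORDS is a small constructed sample, not a complete denylist.
const COMMON_PASSWORDS = new Set(['password', '123456', 'qwerty', 'letmein', 'welcome']);
const MIN_LENGTH = 6; // below this the level never leaves 1 ("Unsafe")
const LEET = { '0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's' };

// Undo common character substitutions so "passw0rd" is compared as "password".
function normalize(pw) {
  return pw.toLowerCase().replace(/[013457@$]/g, (c) => LEET[c]);
}

// True when the password contains the user's own name or address (3+ chars).
function containsIdentity(pw, value) {
  const v = (value || '').toLowerCase();
  return v.length >= 3 && pw.toLowerCase().includes(v);
}

// Returns 1 (unsafe) to 5, matching the MOD's five L_PASSWORD_SECURITY_LEVEL labels.
function passwordLevel(pw, username, email) {
  // Hard floors: any of these pins the result at level 1, whatever the character mix.
  if (pw.length < MIN_LENGTH) return 1;
  if (COMMON_PASSWORDS.has(pw.toLowerCase()) || COMMON_PASSWORDS.has(normalize(pw))) return 1;
  if (containsIdentity(pw, username) || containsIdentity(pw, email)) return 1;
  if (containsIdentity(pw, (email || '').split('@')[0])) return 1;

  // One point per character class present, plus two length bonuses (max 6).
  let points = 0;
  if (/[a-z]/.test(pw)) points += 1;
  if (/[A-Z]/.test(pw)) points += 1;
  if (/[0-9]/.test(pw)) points += 1;
  if (/[^A-Za-z0-9]/.test(pw)) points += 1;
  if (pw.length >= 10) points += 1;
  if (pw.length >= 14) points += 1;

  // Levels 2..5 are only reachable once every floor above has been passed.
  if (points <= 2) return 2;
  if (points === 3) return 3;
  if (points === 4) return 4;
  return 5;
}
```

Call `passwordLevel(this.value, usernameValue, emailValue)` from the `onkeyup` handler and map the result to the template's level labels. A client-side meter only advises the user, so the same floor has to be enforced in the server-side registration code as well.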
Page 1 of 2 All times are GMT