I could use some advice on what is a *reasonable* approach to checking Password Strength when users register or reset their password on my website.
Security is extremely important to me, but there are some constraints as well, including:
1.) I don't want to make my website so difficult to use that it chases away the average (and even power) users
2.) I don't have months and years to read up on "Log-In Theory" and come up with some master scheme
My goal for this thread is to start off with a reasonable approach to checking Password Strength, and then over the next few months come up with a more robust approach, which will likely use "Pass Phrases" among other things.
(Please no "flame wars" on this topic.)
Below is a snippet of code that checks for Password Strength in my "change-password.php" script:
PHP Code:
    // ****************************
    // Check Password Strength.   *
    // ****************************

    // Check Password Length.
    // Note: strlen() counts bytes, not characters.
    if (strlen($newPass1) < 8) {
        $errors['newPass'] = 'Password must be at least 8 Characters.';
    }

    // Check for Uppercase Letter.
    // If lowercasing the password leaves it unchanged, it had no uppercase letters.
    if (empty($errors)) {
        if (strtolower($newPass1) == $newPass1) {
            $errors['newPass'] = 'Password must have at least 1 Uppercase Letter.';
        }
    }

    // Check for Lowercase Letter.
    // If uppercasing the password leaves it unchanged, it had no lowercase letters.
    if (empty($errors)) {
        if (strtoupper($newPass1) == $newPass1) {
            $errors['newPass'] = 'Password must have at least 1 Lowercase Letter.';
        }
    }

    // Check for Number.
    if (empty($errors)) {
        if (!preg_match("#[0-9]+#", $newPass1)) {
            $errors['newPass'] = 'Password must have at least 1 Number.';
        }
    }

    // Fou-Lu makes it sound like I don't need this section.
    // Check for Illegal-Characters.
    if (empty($errors)) {
        if (preg_match("#[\,\"\']+#", $newPass1)) {
            $errors['newPass'] = 'Password may not use Comma, Single or Double Quotes.';
        }
    }

    // Not so sure about this one...
    // Check for Special-Character.
    if (empty($errors)) {
        if (!preg_match("#[\~\`\!\@\#\$\%\^\&\*\(\)\_\-\+\=\{\}\[\]\|\:\;\<\>\.\?\/\\\\]+#", $newPass1)) {
        // Alternative: any non-word character or underscore.
        // if (!preg_match("#[\W_]+#", $newPass1)) {
            $errors['newPass'] = 'Password must have at least 1 Special Character.';
        }
    }

    if (empty($errors)) {
        // Strong Password.
        $newPass = $newPass1;
    } else {
        // Weak Password.
        // Drop through to display Errors.
    }
    // End of CHECK PASSWORD STRENGTH
BTW, I don't know OOP yet, and I'd prefer to learn how to make a procedural home-grown Password-Strength-Checker for now.
Sincerely,
Debbie
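The following is an added example, not Debbie's posted code, showing one way to write the same kind of procedural checker as a single function that reports every failed rule at once instead of stopping at the first one, counts characters rather than bytes, and drops the comma/quote restriction (quotes in a password are harmless once it is hashed with password_hash() rather than placed in a query). The function name check_password_strength(), the 8-character minimum, the COMMON_PASSWORDS list and the sample inputs are all assumptions chosen for illustration.

```php
<?php
// Added example (not the original poster's code): a procedural
// password-strength checker that returns every failed rule.

declare(strict_types=1);

// Minimum length in characters (assumed threshold, matching the post).
const MIN_PASSWORD_LENGTH = 8;

// Constructed sample denylist; a real deployment would load a list of
// commonly breached passwords from a file instead of hard-coding five.
const COMMON_PASSWORDS = ['password', 'password1', 'qwerty123', 'letmein', 'welcome1'];

/**
 * Return an array of human-readable problems with $password.
 * An empty array means the password passed every rule.
 */
function check_password_strength(string $password): array
{
    $errors = [];

    // mb_strlen() counts characters, so "é" counts as one; strlen() would
    // count its two UTF-8 bytes and silently let a 7-character password through.
    if (mb_strlen($password, 'UTF-8') < MIN_PASSWORD_LENGTH) {
        $errors[] = sprintf('Password must be at least %d characters.', MIN_PASSWORD_LENGTH);
    }

    // Character-class rules, each written as an explicit regex so that a
    // password with no letters at all fails the letter rules (the
    // strtolower()/strtoupper() comparison trick also does, but less obviously).
    if (!preg_match('/[A-Z]/', $password)) {
        $errors[] = 'Password must have at least 1 uppercase letter.';
    }
    if (!preg_match('/[a-z]/', $password)) {
        $errors[] = 'Password must have at least 1 lowercase letter.';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $errors[] = 'Password must have at least 1 number.';
    }

    // "Special character" = anything that is not a letter, digit or whitespace.
    // This needs no hand-maintained list of punctuation and no escaping, and
    // the /u modifier makes it UTF-8 aware.
    if (!preg_match('/[^\p{L}\p{N}\s]/u', $password)) {
        $errors[] = 'Password must have at least 1 special character.';
    }

    // Reject well-known passwords regardless of how many classes they satisfy.
    if (in_array(strtolower($password), COMMON_PASSWORDS, true)) {
        $errors[] = 'Password is too common.';
    }

    return $errors;
}

/**
 * What change-password.php would do once the password is accepted: store a
 * salted hash, never the password itself. Because only the hash reaches the
 * database, commas and quotes in the password need no special handling.
 */
function store_accepted_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample inputs to exercise each rule.
foreach (['short', 'alllowercase1!', 'Password1', 'Correct-Horse-7'] as $candidate) {
    $problems = check_password_strength($candidate);
    if ($problems === []) {
        $hash = store_accepted_password($candidate);
        echo $candidate, ': OK, stored as ', $hash, PHP_EOL;
    } else {
        echo $candidate, ': ', implode(' ', $problems), PHP_EOL;
    }
}
```

In this run 'short' fails four rules, 'alllowercase1!' fails only the uppercase rule, 'Password1' fails the special-character rule and is also rejected as a common password, and 'Correct-Horse-7' is accepted and hashed. Reporting all failures at once saves the user a round trip per rule, which addresses the usability constraint in the post without weakening any check.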