[nycphp-talk] password strength enforcement
David Mintz
dmintz at davidmintz.org
Fri Apr 9 16:12:47 EDT 2004
On Fri, 9 Apr 2004, Mitch Pirtle wrote:
> David Mintz wrote:
> > <snip />
> >Anybody have any good snippets or tips?
> >
> Yeah - use PEAR::HTML_QuickForm for the password management screens, and
> use the provided rules to ensure alphanumeric-ness and so on. Makes it
> easy.
>
Nice thread here, as usual. I was thinking about HTML_QuickForm and I'm
not sure how the built-in 'alphanumeric' would ensure that they ~did~ use
both letters and numbers; it only returns true if they didn't put anything
that ~wasn't~. Or have I been hitting the old crack pipe again?
I'm considering something like
function isStrongPassword($pwd) {
    // at least two digits (preg_match_all returns the number of matches),
    // at least 8 characters, and an upper- and a lower-case letter
    // (the alternation covers either order of the two cases)
    return 2 <= preg_match_all('/\d/', $pwd, $matches)
        && strlen($pwd) >= 8
        && preg_match('/[a-z].*[A-Z]|[A-Z].*[a-z]/', $pwd);
}
which you could readily plug in as an HTML_QuickForm validation rule.
This, obviously, makes them use both upper and lower case letters, two
numbers, and no fewer than 8 characters, but it doesn't care about the
"cannot begin or end with a number" which Allen Shaw proposed. Which by
the way sounds like a good way to discourage passwords like Debbie16,
which this function would permit. Hmmm...
I imagine one of you d00ds will want to improve my regex. I want to say
"it should have an upper case letter and a lower case letter and it
doesn't matter which comes first."
Thank you C Snyder for the URL. That looks like a site where I could
happily kill a couple hours.
Thanks Jon B for the tip about crack (the other kind). Looks like my ISP's
PHP is compiled without it.... guess I'd have to compile my own PHP
and run it a la CGI if it's worth the effort.
---
David Mintz
http://davidmintz.org/
"Anybody else got a problem with Webistics?" -- Sopranos 24:17
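The improved check the post asks for, as an added example that is not part of the original message or of HTML_QuickForm itself: upper and lower case may appear in either order, and the "cannot begin or end with a digit" rule from the thread is added, which is what turns away Debbie16. It assumes PHP with PCRE, and the addRule() line at the end assumes a $form object already set up as an HTML_QuickForm.

```php
<?php
// Added example (not from the original post): isStrongPassword() rebuilt
// around lookaheads, so each requirement is checked anywhere in the string
// and the order of upper- and lower-case letters no longer matters.
function isStrongPassword($pwd)
{
    $pattern = '/^'
        . '(?=.*[a-z])'        // at least one lower-case letter, anywhere
        . '(?=.*[A-Z])'        // at least one upper-case letter, anywhere
        . '(?=(?:.*\d){2})'    // at least two digits, anywhere
        . '\D'                 // first character is not a digit
        . '.{6,}'              // six or more in the middle (8+ total)
        . '\D'                 // last character is not a digit
        . '\z/s';              // \z: true end of string; s: "." spans newlines
    return preg_match($pattern, $pwd) === 1;
}

// Constructed sample inputs, each annotated with the rule that decides it.
$samples = array(
    'Debbie16'   => false, // passes the original check, but ends with a digit
    'Deb16bie'   => true,  // same characters, digits moved inside
    '16Debbie'   => false, // begins with a digit
    'debbie16x'  => false, // no upper-case letter
    'DEBBIE16X'  => false, // no lower-case letter
    'Debbie1x'   => false, // only one digit
    'De1B2ie'    => false, // every rule met except the 8-character minimum
    "Pa55\nwrdQ" => true,  // "s" modifier: a newline in the middle still matches
);
foreach ($samples as $pwd => $expected) {
    $got = isStrongPassword($pwd);
    printf("%-14s %s %s\n", json_encode($pwd), $got ? 'strong' : 'weak  ',
        $got === $expected ? '' : '<-- unexpected');
}

// Registering it as an HTML_QuickForm callback rule ($form assumed to exist):
// $form->addRule('password', 'Password is too weak', 'callback', 'isStrongPassword');
```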