
How can I force users to have strong passwords?


Hilary Boyce

Tuesday 13 November 2007 8:15:39 am

I cannot find anything on ez.no about how to ensure users select reasonably secure passwords, e.g. length, type of characters used. It seems to be possible to set the length if the GeneratePasswordIfEmpty setting in site.ini is set to true, but even this does not mean users cannot select their own password.

We have a site with a members area that we want to ensure is as secure as possible and we can see our members being very sloppy about passwords.

Am I missing something?

Has anyone else done something to solve this problem?

Heath

Tuesday 13 November 2007 8:25:15 am

Hello Hilary,

This is a wise feature request. I would urge you to file it on http://issues.ez.no

Alternatively, you may wish to modify a copy of the user module within a custom module extension to offer the customized user/register.php to users (with your additional PHP code to provide for extended password validation and increased user password security).

Cheers,
Heath

Brookins Consulting | http://brookinsconsulting.com/
Certified | http://auth.ez.no/certification/verify/380350
Solutions | http://projects.ez.no/users/community/brookins_consulting
eZpedia community documentation project | http://ezpedia.org

Andre Bottin

Wednesday 29 June 2011 7:28:26 am

That request is already 4 years old! I've just done another unsuccessful search on this site for such a feature / extension, does this mean there's not one? 

EAB - Integrated Internet Success
Offices in England, France & China.
http://www.eab.co.uk http://www.eab-china.com http://www.eab-france.com

Steven E. Bailey

Wednesday 29 June 2011 9:41:55 am

I vaguely remember an extension did this... but I don't remember what it was and it could even be that it was for 3.10 or something, that memory is pretty old.

It wouldn't be that hard to do as an extension.

Certified eZPublish developer
http://ez.no/certification/verify/396111

Available for ezpublish troubleshooting, hosting and custom extension development: http://www.leidentech.com

Gabriel Finkelstein

Sunday 03 July 2011 10:55:20 am

I think you mean this one:

http://projects.ez.no/mbpaex

Steven E. Bailey

Monday 04 July 2011 7:20:18 am

@Gabriel - I think you're right.

Well, then, mbpaex doesn't do anything to ensure the password is not too easy... it just expires the passwords at a given interval.

I still don't think this would be that hard to implement. Basically check to see that the password is not the same as the login, or a variation of the login - i.e. login12 or nigol, then maybe check the hash against a rainbow table of dictionary words (and that should be generated with multiple interchangeable dictionaries for different languages - I would start with a dictionary of the 500 most common passwords). Then maybe also check with a regular expression whether there is at least one of each: punctuation character, number, letter of each case. There is already a length check built-in.

Actually, if anyone wants to pay me to write this, message me.

 

Certified eZPublish developer
http://ez.no/certification/verify/396111

Available for ezpublish troubleshooting, hosting and custom extension development: http://www.leidentech.com
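
The checks outlined in the last post (login variations, a common-password list, one character of each class, minimum length), as an added example that is not code from the thread, from eZ Publish, or from mbpaex. `passwordProblems()` and the five-entry word list are hypothetical; the sketch compares the plaintext candidate against the list at registration time instead of looking up its hash in a rainbow table, and assumes ASCII logins and PHP 7.1 or later.

```php
<?php
// Added example: hypothetical helper, not part of eZ Publish or any extension.

// Constructed sample list; a real deployment would load one wordlist file per language.
const COMMON_PASSWORDS = ['password', '123456', 'qwerty', 'letmein', 'welcome'];

/** Returns the reasons a password is rejected; an empty array means accepted. */
function passwordProblems(string $login, string $password, int $minLength = 10): array
{
    $problems = [];
    $pw = strtolower($password);
    $lg = strtolower($login);

    if (strlen($password) < $minLength) {
        $problems[] = "shorter than $minLength characters";
    }

    // Catches the login itself, "login12"-style padding and the reversed login ("nigol").
    if ($lg !== '' && (strpos($pw, $lg) !== false || strpos($pw, strrev($lg)) !== false)) {
        $problems[] = 'based on the login name';
    }

    // Compare both the raw value and the value with trailing digits and
    // punctuation stripped, so "Password1!" still matches "password".
    $core = preg_replace('/[^a-z]+$/', '', $pw);
    if (in_array($pw, COMMON_PASSWORDS, true) || in_array($core, COMMON_PASSWORDS, true)) {
        $problems[] = 'found in the common-password list';
    }

    $classes = [
        'lowercase letter'      => '/[a-z]/',
        'uppercase letter'      => '/[A-Z]/',
        'digit'                 => '/[0-9]/',
        'punctuation character' => '/[^a-zA-Z0-9\s]/',
    ];
    foreach ($classes as $name => $regex) {
        if (!preg_match($regex, $password)) {
            $problems[] = "missing a $name";
        }
    }
    return $problems;
}

// Constructed sample inputs: [login, candidate password].
$samples = [['jsmith', 'jsmith12'], ['jsmith', 'htimsj!A1xx'], ['jsmith', 'Password1!'], ['jsmith', 'T4ble-lamp-Orbit']];
foreach ($samples as [$login, $candidate]) {
    $found = passwordProblems($login, $candidate);
    echo $candidate, ': ', $found ? implode('; ', $found) : 'accepted', PHP_EOL;
}
```

Returning every failed rule rather than the first lets a registration form tell the user everything that needs fixing in one pass.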