Advanced password complexity check

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Advanced password complexity check

Post by igorw »

This post inspired me to create this topic. It's just an idea I had.

phpBB 3.0 has the following options for password complexity:
  • No requirements
  • Must be mixed case
  • Must contain letters and numbers
  • Must contain symbols
Everybody knows the weakest link is often the user, so making him choose a secure password is a must. The provided options are not bad, but they can be improved. Here are some things I would like to see.

Blacklisting

I'm sorry, but the following passwords shouldn't be allowed: 'password', '123456' (and variations of it). In fact, any of these. These passwords should be banned.

Password complexity plugins

It would be nice to have a pluggable password complexity architecture. This allows easy addition of new options, also through MODs.

Side note: Of course these plugins must not use any web services to validate the passwords ( :mrgreen: ), perhaps a form of signing could be employed that warns the admin if he tries to use a non-validated plugin.

Composability

Building on the plugin idea, it should be possible to combine the plugins. An "AND" check on all of the currently active ones should be good enough.

Additional options
  • Mustn't be the username
  • Mustn't be (dictionary word)(number)
  • You name it!
Generate password

It would be nice to be able to generate a random password using javascript. Not sure if this is feasible in terms of entropy and RNG implementation, though.
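A composable policy of the kind described above, written as an added example for this thread (not phpBB code and not igorw's design); it assumes PHP 8 and uses constructed sample values for the blacklist and the username. The "(dictionary word)(number)" option would be one more class implementing the same interface.

```php
<?php
declare(strict_types=1);
// Added example, not phpBB code: a composable "AND" password policy in the spirit of the
// plugin idea above. A check returns null when satisfied, otherwise a reason for rejection.
interface PasswordCheck {
    public function check(string $password, string $username): ?string;
}
// Blacklist that also catches simple variations: case and punctuation are folded away and up
// to two extra trailing characters are tolerated ('Password!', 'password1', '12345678').
final class BlacklistCheck implements PasswordCheck {
    /** @param string[] $blacklist lower-case alphanumeric entries (constructed sample list) */
    public function __construct(private array $blacklist) {}
    public function check(string $password, string $username): ?string {
        $core = strtolower(preg_replace('/[^a-z0-9]/i', '', $password));
        foreach ($this->blacklist as $entry) {
            if (str_starts_with($core, $entry) && strlen($core) <= strlen($entry) + 2) {
                return "is a variation of the banned password '$entry'";
            }
        }
        return null;
    }
}
// "Mustn't be username": rejects the username itself or any password built around it.
final class NotUsernameCheck implements PasswordCheck {
    public function check(string $password, string $username): ?string {
        return $username !== '' && stripos($password, $username) !== false ? 'contains the username' : null;
    }
}
// The "AND" combinator: every active check must pass, and all failures are reported together
// so the user sees everything that needs fixing in one go.
final class PasswordPolicy {
    private array $checks;
    public function __construct(PasswordCheck ...$checks) { $this->checks = $checks; }
    /** @return string[] reasons for rejection; an empty array means the password is accepted */
    public function violations(string $password, string $username): array {
        $reasons = [];
        foreach ($this->checks as $check) {
            if (($reason = $check->check($password, $username)) !== null) { $reasons[] = $reason; }
        }
        return $reasons;
    }
}
// Constructed sample run: the username and candidate passwords are made up for this example.
$policy = new PasswordPolicy(
    new BlacklistCheck(['password', '123456', 'qwerty', 'letmein']),
    new NotUsernameCheck(),
);
foreach (['Password1!', 'igorw2007', '12345678', 'correct horse battery'] as $candidate) {
    $v = $policy->violations($candidate, 'igorw');
    echo str_pad($candidate, 22), $v ? 'rejected: ' . implode('; ', $v) : 'accepted', "\n";
}
```

The first three candidates are rejected (blacklist variation, username, blacklist variation) and only the last passphrase is accepted; adding a new rule means adding one class and one constructor argument.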

Nelsaidi
Registered User
Posts: 122
Joined: Tue Nov 11, 2008 5:44 pm

Re: Advanced password complexity check

Post by Nelsaidi »

How about a "Password Score" - Give the password a score from 1 - 100 or whatever using an algorithm, and let the admin set a minimum, this would take into consideration all the above - and even then they can be forced. Can probably have a JS to calculate client side to show the user too. Just an idea though.

The plugin system itself sounds like a good idea, and the above idea can be implemented using this idea :P In all seriousness it does open a wide range of password validation options. Although most would be regex or dictionary provided, the plugins would allow for additional processing - maybe breaking up the password to give intelligence - But it would be dodgy. Having mods deal with plain text passwords is something which could be a security risk, I don't know much about signatures but couldn't they be forged in the PHP world? Provided plugins go on phpbb.com then they should be safe, it's just the easiness of plugins in terms of upload and enable in ACP means the user may not be aware of what they are installing, and provides an extremely easy method to steal passwords - this risk would come from mods not on phpbb.com though.

The benefit for this is great, and plugins expand the password checks from a mere db or regex search, and I'm sure most admins, as I would, would appreciate it.
