views: 27 | answers: 2
I would like to enforce a password policy in Zotonic. My first impression would be to do this as a validator on the new_password field in the Identity editor.

Here is an example policy:

  • Be at least 8 characters in length
  • Have at least one upper case letter
  • Have at least one lower case letter
  • Have at least one number
  • Have at least one non-alphanumeric character
  • Not be based on account name

Here is a possible implementation (not tested):

    %% Returns true when Password satisfies the policy above.
    %% AccountName is compared as a literal, case-insensitive substring
    %% rather than being passed to re:run/2 as a pattern, so characters
    %% such as "." or "+" in the account name cannot change the check.
    password_ok(Password, AccountName) ->
        string:length(Password) >= 8 andalso
        re:run(Password, "[A-Z]") =/= nomatch andalso
        re:run(Password, "[a-z]") =/= nomatch andalso
        re:run(Password, "[0-9]") =/= nomatch andalso
        re:run(Password, "[^A-Za-z0-9]") =/= nomatch andalso
        string:find(string:lowercase(Password),
                    string:lowercase(AccountName)) =:= nomatch.

How do you enforce password complexity rules in Zotonic?

+1  A: 

What you can do is implement it as a form validation. Along the lines of the other validations.

I was wondering if there is a JavaScript available that shows the password strength. (Like a traffic light, green ok, red really not ok.)

The validation can be attached using the {% validate %} scomp.

A simple password check could be done by making a single regular expression and attaching it to the password field using the format validator http://zotonic.com/documentation/634/format

For your proposed function, or a "traffic light" functionality, it might be better to make a custom validator. Or that we add support for the Custom validator of LiveValidation, to which you then pass a JavaScript function for the check.

Marc W
There are a few JavaScript password checkers I have found without a graphical output. http://www.geekwisdom.com/dyn/passwdmeter is the best of those. Using its output to drive a graphical quality meter should be straightforward. I will take a crack at it now.
Alain O'Dea
http://phiras.wordpress.com/2009/07/29/password-strength-meter-v-2/ is much better and jQuery based as well.
Alain O'Dea
A: 

My colleague pointed me to:

^.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$

A full explanation is available from the original author at http://davidhayden.com/blog/dave/archive/2004/09/25/501.aspx.

It has a slight bug when used in Zotonic (probably due to weirdness in the re module) so I changed the \d to [0-9] and reduced the required length to 8:

^.*(?=.{8,})(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$

It can be applied in _action_dialog_set_username_password.tpl by replacing the presence validator:

{% validate id="new_password" type={presence} %}

with a format validator as Marc W describes in http://stackoverflow.com/questions/3864903/how-do-you-enforce-password-complexity-rules-in-zotonic/3866181#3866181:

{% validate id="new_password" type={format pattern="^.*(?=.{8,})(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$"} %}
Alain O'Dea
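Added example, not code from the question, the answers or Zotonic itself: the question's six-rule checklist and the second answer's lookahead pattern implemented side by side in the kind of client-side JavaScript a LiveValidation custom validator (mentioned in the first answer) would run, plus the traffic-light summary the first answer asks about. The names `POLICY_PATTERN`, `policyFailures`, `passesPolicy`, `strengthLight` and `compare` are assumptions. It also shows where the two checks disagree: the pattern only counts `@#$%^&+=` as symbols, while the checklist accepts any non-alphanumeric character.

```javascript
// Added example; not from the original page. Names are assumptions.

// Pattern from the second answer, as passed to {% validate type={format ...} %}.
const POLICY_PATTERN = /^.*(?=.{8,})(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#$%^&+=]).*$/;

// The question's checklist as individual rules, so a meter can report
// which ones fail instead of a bare true/false.
function policyFailures(password, accountName) {
  const failures = [];
  if (password.length < 8) failures.push('length');
  if (!/[A-Z]/.test(password)) failures.push('upper');
  if (!/[a-z]/.test(password)) failures.push('lower');
  if (!/[0-9]/.test(password)) failures.push('digit');
  if (!/[^A-Za-z0-9]/.test(password)) failures.push('symbol');
  // "Not based on account name": literal, case-insensitive substring test.
  // includes() is used instead of a regex so an account name containing
  // metacharacters (e.g. "j.doe") is not interpreted as a pattern.
  if (accountName && password.toLowerCase().includes(accountName.toLowerCase())) {
    failures.push('account');
  }
  return failures;
}

// Boolean form, equivalent to the Erlang predicate in the question.
function passesPolicy(password, accountName) {
  return policyFailures(password, accountName).length === 0;
}

// Traffic light driven by the number of unmet rules.
function strengthLight(password, accountName) {
  const unmet = policyFailures(password, accountName).length;
  if (unmet === 0) return 'green';
  if (unmet <= 2) return 'amber';
  return 'red';
}

// Run both checks on one candidate so the divergence is visible.
function compare(password, accountName) {
  return {
    checklist: passesPolicy(password, accountName),
    pattern: POLICY_PATTERN.test(password),
  };
}

// Constructed sample candidates (not real credentials).
console.log(compare('Correct!Horse1', 'alice')); // checklist true, pattern false ("!" not in @#$%^&+=)
console.log(compare('Tr0ub4dor&3', 'bob'));      // both true
console.log(strengthLight('Alice2024!', 'alice')); // amber: only the account-name rule fails
console.log(strengthLight('password', 'carol'));   // red: upper, digit and symbol all missing
```

If the server-side format validator keeps the answer's pattern, a client-side meter built on the checklist will show green for passwords the server then rejects; either widen the symbol class in the pattern to `[^A-Za-z0-9]` or narrow the checklist so both sides enforce the same rule.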