Hi there, I was wondering if I could implement a password strength check upon new user signup. Many of my users have set easy-to-guess passwords and I want to prevent them from setting passwords such as 111 or aaa. I looked on the net in order to find some cute scripts, but there weren't any for Nuke, so I considered asking here. The script I found is listed below:
Code:
<script language="JavaScript1.1">
<!-- Begin
/* ************************************************************
Created: 20060120
Author: Steve Moitozo <god at zilla dot us>
Description: This is a quick and dirty password quality meter
written in JavaScript so that the password does
not pass over the network
Revision Author: Dick Ervasti (dick dot ervasti at quty dot com)
Revision Description: Exchanged text based prompts for a graphic thermometer
Password Strength Factors and Weightings
password length:
level 0 (3 point): less than 4 characters
level 1 (6 points): between 5 and 7 characters
level 2 (12 points): between 8 and 15 characters
level 3 (18 points): 16 or more characters
letters:
level 0 (0 points): no letters
level 1 (5 points): all letters are lower case
level 2 (7 points): letters are mixed case
numbers:
level 0 (0 points): no numbers exist
level 1 (5 points): one number exists
level 1 (7 points): 3 or more numbers exists
special characters:
level 0 (0 points): no special characters
level 1 (5 points): one special character exists
level 2 (10 points): more than one special character exists
combinatons:
level 0 (1 points): letters and numbers exist
level 1 (1 points): mixed case letters
level 1 (2 points): letters, numbers and special characters
exist
level 1 (2 points): mixed case letters, numbers and special
characters exist
NOTE: Because I suck at regex the code below is incomplete and
does not accurately assess the strength of passwords
according to the above factors and weightings
NOTE: Instead of putting out all the logging information,
the score, and the verdict it would be nicer to stretch
a graphic as a method of presenting a visual strength
guage.
// PASSWORD LENGTH
if (passwd.length==0 || !passwd.length) // length 0
{
intScore = -1
}
else if (passwd.length>0 && passwd.length<5) // length between 1 and 4
{
intScore = (intScore+3)
}
else if (passwd.length>4 && passwd.length<8) // length between 5 and 7
{
intScore = (intScore+6)
}
else if (passwd.length>7 && passwd.length<12)// length between 8 and 15
{
intScore = (intScore+12)
}
else if (passwd.length>11) // length 16 or more
{
intScore = (intScore+18)
}
// LETTERS (Not exactly implemented as dictacted above because of my limited understanding of Regex)
if (passwd.match(/[a-z]/)) // [verified] at least one lower case letter
{
intScore = (intScore+1)
}
if (passwd.match(/[A-Z]/)) // [verified] at least one upper case letter
{
intScore = (intScore+5)
}
// NUMBERS
if (passwd.match(/\d+/)) // [verified] at least one number
{
intScore = (intScore+5)
}
if (passwd.match(/(.*[0-9].*[0-9].*[0-9])/)) // [verified] at least three numbers
{
intScore = (intScore+5)
}
// SPECIAL CHAR
if (passwd.match(/.[!,@,#,$,%,^,&,*,?,_,~]/)) // [verified] at least one special character
{
intScore = (intScore+5)
}
// [verified] at least two special characters
if (passwd.match(/(.*[!,@,#,$,%,^,&,*,?,_,~].*[!,@,#,$,%,^,&,*,?,_,~])/))
{
intScore = (intScore+5)
}
// COMBOS
if (passwd.match(/([a-z].*[A-Z])|([A-Z].*[a-z])/)) // [verified] both upper and lower case
{
intScore = (intScore+2)
}
if (passwd.match(/(\d.*\D)|(\D.*\d)/)) // [FAILED] both letters and numbers, almost works because an additional character is required
{
intScore = (intScore+2)
}
// [verified] letters, numbers, and special characters
if (passwd.match(/([a-zA-Z0-9].*[!,@,#,$,%,^,&,*,?,_,~])|([!,@,#,$,%,^,&,*,?,_,~].*[a-zA-Z0-9])/))
{
intScore = (intScore+2)
}
I tried to post the javascript for a password checker but it wouldnt let me post it so I have made it available for download at
Password Strength Indicator Javascript
Open includes/javascript.php and paste the javascript underneath the closing ?> tag right at the bottom after everything else.
Next in modules/Your_Account/index.php find in the new_user function:
Thats it. Displays a meter underneath the password which shows the strength of the password and which changes as the user types it in. It wont prevent them from setting a weak password but will help them to choose a stronger one.
This is awesome. It works absolutely great in IE. One problem though: it seems not to work under Mozilla Firefox. It surely is the JavaScript's "fault". I know most of this forum's members are PHP guys and not JavaScript developers, so I won't insist on this topic. Still, if anybody can help, I'd appreciate it.
P.S. Sorry for my English. I'm not a native speaker
arnoldkrg Major
Joined: Aug 03, 2003
Posts: 937
Location: United Kingdom
Posted:
Fri May 05, 2006 4:46 am
For Firefox compatibility, in modules/Your_Account/index.php in the new_user function find:
Exquisite! Well, it now works under Mozilla FF, too! Good job. Keep it up!
sphynx Nuke Soldier
Joined: Mar 18, 2005
Posts: 10
Posted:
Fri May 05, 2006 12:38 pm
Well, although you provided me a good example of how to fulfill the task, I kept on searching on the net (no offense, I'm lind of curious) and I stumbled upon Microsoft's Password Strength Tester located here. I read the source, as I was more and more curious and found this script (cannot post as text, but the link is
here).
Can this be ported into the CNB Your Account module?
arnoldkrg Major
Joined: Aug 03, 2003
Posts: 937
Location: United Kingdom
Posted:
Sat May 06, 2006 4:46 am
Well the Microsoft Password Strength checker is far more complicated than the last one I reported. However, I have managed to port it for PHP-Nuke Your_Account. It needs an additional stylesheet which Microsoft kindly allowed me to download (not like them ). It is installed on the registration page at http://www.ulsoft.scarbridge.co.uk if anyone cares to check it out. The strength checking algorithms seem much more robust for this version than for the previous example.
The checker should be able to be ported for CNBYA quite simply.
_________________
sphynx Nuke Soldier
Joined: Mar 18, 2005
Posts: 10
Posted:
Sat May 06, 2006 4:59 am
I care . Could you share the code? Please?
arnoldkrg Major
Joined: Aug 03, 2003
Posts: 937
Location: United Kingdom
Posted:
Sat May 06, 2006 9:08 am
Download passwdcheck.js. Copy and paste the javascript to includes/javascript.php right underneath the closing ?> tag. That is underneath any existing code. Download passwdcheck.css and upload the complete file to themes/yourtheme/style and do this for each theme you have on your site.
Next in includes/custom_files/custom_head.php add the following above the final ?> tag:
The last two code changes will be made in modules/Your_Account/public/new_user1.php, new_user2.php and new_user3.php for CNBYA
_________________
sphynx Nuke Soldier
Joined: Mar 18, 2005
Posts: 10
Posted:
Sun May 07, 2006 12:12 am
Well, it works. I am curious if site admins would include the script from now on. It seems a good tool to me, and most important, would make users aware of the weakness/strength of their passwords. This is a concept people should get used to.
Well, this might be the last post in the topic. I want you to know that I appreciate your help and promptitude im solving this issue.
All the best,
Sphynx.
Dauthus Sergeant
Joined: Feb 12, 2003
Posts: 82
Location: USA
Posted:
Tue May 16, 2006 8:00 pm
Works perfectly, but for some reason it is almost hidden in my forums. Guess I will try and tweak the css and see what I come up with.
_________________ Vivere disce, cogita mori
TAC_Double Nuke Soldier
Joined: Nov 08, 2003
Posts: 11
Posted:
Tue Jan 23, 2007 11:29 am
Is there a wat to add this into 7.9? I do not have a file called custom_head.php or my_header.php. Would love to add this to my site
arnoldkrg Major
Joined: Aug 03, 2003
Posts: 937
Location: United Kingdom
Posted:
Sat Jan 27, 2007 2:57 am
Here is a blank custom_head.php. Make your mods in this file and upload to the includes/custom_files directory of your site.
Code:
<?php
/************************************************************************/
/* PHP-NUKE: Web Portal System */
/* =========================== */
/* */
/* Copyright (c) 2004 by Francisco Burzi */
/* http://phpnuke.org */
/* */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 2 of the License. */
/************************************************************************/
if (stristr(htmlentities($_SERVER['PHP_SELF']), "custom_head.php")) {
Header("Location: ../index.php");
die();
}
/*
This file is to customize whatever stuff you need to include in your site
when the header loads. This can be used for third party banners, custom
javascript, popup windows, etc. With this file you don't need to edit
system code each time you upgrade to a new version. Just remember, in case
you add code here to not overwrite this file when updating!
Whatever you put here will be between <head> and </head> tags.
*/
?>
A word of WARNING. The copy/paste process seems to add invisible blank characters to the ends of codelines. These MUST be removed using a decent text editor before uploading modified files to your site. I use Crimson Editor
_________________
TAC_Double Nuke Soldier
Joined: Nov 08, 2003
Posts: 11
Posted:
Sat Jan 27, 2007 6:06 am
Thanks for the code.... I will check it out tonight.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
). It is installed on the registration page at 
