Hi there,
I have this code which checks if a password is strong, i.e. at least 8
characters long, consisting of one upper case letter, one lower case letter and one
number, and if not alerts the user about it. I am using a regular expression
to do this as you can see from the code below. The problem is that once the
This is off topic - but I thought I would throw it in for free:
Forcing an extended character set (upper case, numbers, special characters)
on the user frequently does not lead to good security.
First, from the mathematical side, the length of the password has much more
bearing on how
Ajas,
IIRC cfinput will always use a hidden form field on the client to
force server side validation. If that's still the case (again, I
believe it is) this can be easily bypassed. (No, that doesn't solve
your issue, but it moves the problem elsewhere.)
-dhs
Dean H. Saxe, CISSP, CEH
I'm not sure I totally agree with you.
Yes, the math is not good when you force character sets like this, but
the reality is that users choose bad passwords. http://www.schneier.com/essay-144.html
The enforcement of complex passwords improves overall complexity
for most users.
From the
I agree that users do choose poor passwords. But even using an extended
character set you see them choose passwords like T!mmy. From a cracker's
point of view there is little difference between Timmy and T!mmy.
I definitely agree that long pass phrases are best all around - even using
words. Set
On Mon, Mar 9, 2009 at 12:08 PM, Shane studio...@gmail.com wrote:
I just brought up the point because I have seen more than one website,
including my bank, that forces an extended char set but limits the password
length to a MAX of 8 characters. Yeesh.
Yes, during my last password change
But when you say cracking, you'd have to have the password hashes to
crack. And if they are salted hashes then you are FUBAR, there are no
rainbow tables for that.
Now, if you're talking brute force attacks, it's a different story.
And that's why a lockout policy is important.
Finally,
It was an intranet. Going with 20 I knew I didn't have to worry about the
password layer and the users didn't mind (after the first shock). The
company only had 140 employees. I agree for many companies / scenarios it
wouldn't work.
-Original Message-
From: ad...@acfug.org
I kept bugging my credit union about it. They ignored me until I finally
received an email from the webmaster telling me not to worry - he was a
professional and knew what was best
-Original Message-
From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Cameron
Childress
Sent:
Thanks guys, but again, does anyone know why CF Validation doesn't see that the
user has altered the text in the password box and it needs to run validation again
for the new input?
Ajas Mohammed /
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way.
Sorry Ajas!
I'll try to look at your code this afternoon.
Shane
From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Ajas Mohammed
Sent: Monday, March 09, 2009 11:56 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Password CFinput regular expression - throws
On Mon, Mar 9, 2009 at 12:55 PM, Ajas Mohammed ajash...@gmail.com wrote:
Thanks guys, but again, does anyone know why CF Validation doesn't see that the
user has altered the text in the password box and it needs to run validation again
for the new input?
We hijacked your thread Ajas! :)
For my part, I'm not
Ajas,
Allow me to caveat here and say that I am all for ColdFusion solutioning
whenever I can solve a problem, but in some cases you need to just roll
your own validation.
If you really have a good amount business rules that may surround a given
form field, I would say that I would recommend
Many thanks Charlie. I just got in the office and read this. Honestly I have
been out of the ACFUG loop for a bit and completely forgot about these
resources. So I will give this some loving :-) ...
My other thought would be ask if you think it would be ok to just use the
files themselves as the
Thanks guys for the input and for others who *hijacked* my thread. :-)
I wrote my own JS if anyone needs it.
<!--- Mar 9, 2009. Ajas. CF validation didn't work, so I had to write my own
javascript validation --->
<script language="javascript">
function validatePwd(newPwd) {
var
: My other thought would be to ask if you think it would be ok to just use
: the files themselves as the database rather than import and use MS SQL.
: This way the files could just be uploaded to the server and overwritten
: when they need to be updated. There are basically 5 files with some
My happiness was for a very short time. For some reason, IE 7 returns false
even though the pwd is strong for this condition (regPattern.test(newPwd)). It
works fine in Firefox, i.e. the condition returns true for a strong pwd and so on.
I used Leave1234 as an example pwd.
Any idea why this is happening?
: IIRC cfinput will always use a hidden form field on the client to
: force server side validation.
Dean is right:
<cfif isDefined("form")>
<cfdump var="#form#" show="MyNumber">
</cfif>
<cfform name="cfformtest">
<cfinput type="Text" validate="integer" validateat="OnServer" name="MyNumber">
<cfinput type="Submit">
Ajas,
You might want to try doing a web search:
http://blog.stevenlevithan.com/archives/regex-lookahead-bug
I found this within two searches that may give you some insight that IE and
the RegEx engine have some issues and the example above addresses a password
RegEx specifically.
Teddy
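The password policy from the thread (8+ characters, one upper case, one lower case, one digit) written two ways, as an added example that is not Ajas's script: the single lookahead pattern of the kind the lookahead-bug article discusses, and an equivalent check that tests each character class with its own plain regex, which never relied on lookahead support in old JScript engines and can also report which rule failed. The rule names, function names and the policy regex are assumptions; the browser hook at the end re-validates on every change, which is the behaviour the CF validation was not providing.

```javascript
// Assumed policy from the thread: >= 8 chars, one upper, one lower, one digit.
// Each rule is a plain regex with no lookahead, so it behaves the same on
// old JScript engines (the IE 7 problem in the thread) and modern ones.
const PWD_RULES = [
  { name: 'length', test: (p) => p.length >= 8 },
  { name: 'upper',  test: (p) => /[A-Z]/.test(p) },
  { name: 'lower',  test: (p) => /[a-z]/.test(p) },
  { name: 'digit',  test: (p) => /[0-9]/.test(p) },
];

// Returns { strong, failed } so the caller can tell the user which rule was
// missed instead of raising one generic alert.
function checkPwdStrength(pwd) {
  const failed = PWD_RULES.filter((r) => !r.test(pwd)).map((r) => r.name);
  return { strong: failed.length === 0, failed };
}

// The same policy as a single lookahead regex (the style that triggered the
// IE regex issue). On a correct engine both functions agree on every input.
const LOOKAHEAD_RE = /^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).{8,}$/;
function checkPwdLookahead(pwd) {
  return LOOKAHEAD_RE.test(pwd);
}

// Browser-only helper (assumed names): re-run the check on every change so a
// corrected value is validated again. The server must still re-check the
// submitted value, since anything done in the browser can be skipped.
function attachPwdValidator(input, statusEl) {
  const update = () => {
    const r = checkPwdStrength(input.value);
    statusEl.textContent = r.strong ? 'ok' : 'missing: ' + r.failed.join(', ');
  };
  input.addEventListener('input', update);
  update();
}
```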
Thanks again. I tried the approach below which was recommended on cf411.com.
It works as long as the file extension is .txt. When using the .csv
extension, it throws an error "Variable onerow does not exist".
I am fine with just using the .txt extension but if anyone has any clue why
or how I could
Thanks Teddy,
Appreciate it.
Sorry, but I was under so much pressure that I didn't think of
searching even once.
Thanks again.
Ajas Mohammed /
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because that's what winners
Not a problem, Ajas. It happens and it will probably happen again to any
one of us.
Happy Coding,
T
Tangent off the RegEx dialog. Ryan Swanson (ATL local) wrote a Flex Reg Ex
explorer. I know it's not specifically for CF, but it's a nice way to
experiment.
http://ryanswanson.com/regexp/
On Mon, Mar 9, 2009 at 3:02 PM, Ajas Mohammed ajash...@gmail.com wrote:
My happiness was for a very
By email if you mean that you're looking to host the domain's email at the
same place, I'd suggest instead that you use Google Apps for the email. Free
for under 25 accounts per domain, easy, and if your webhost happens to go
down for technical reasons, you still have your email.
How much traffic will you be having on this site? My servers serve as a
host to a variety of sites, most of them being job boards and some
non-profit sites. We also handle email and we don't charge additional costs
for emails; just a lump sum hosting fee. Contact me at 770-205-1881 if you
want
Ajas, I tried your code and things worked as expected on both FF and Chrome
on CF 7 and 8, but on IE (7), the regex would not work even if a correct
value was entered the first time, so this is not about that once the alert
is displayed, even if the user corrects the error and enters a strong
Oh sure, Dusty. The first part of my note wasn't written to you, but to
others on the list who were kindly chiming in with other solutions. I'm not
knocking those attempts at all. I'm just saying that the 700+ tools and
resources on the list are there for this very reason, to help people find
Dusty, I wonder if your problem isn't a CF one, but a web server one. I'd
bet when you try to retrieve the file as a CSV, the web server steps in and
changes the mime type to something other than plain text, and therefore CF
(and the CFHTTP) gets something other than what they expected.
(BTW,
Peyton, I have a generic answer and a specific recommendation.
First, I’ll point out that you can find dozens of alternative CF hosts listed
at:
ColdFusion Hosting Alternatives
http://www.cf411.com/#cfhost
This is one of a hundred-plus categories of resources and tools of interest
Thanks Charlie,
As always, your advice is very useful and much appreciated. :-)
Thanks Mate ;-)
Ajas Mohammed /
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because that's what winners do.
You can't improve what you don't
I will second EdgeWeb. They're a client of ours as well, and aside
from having an amazing datacenter, they're just good people.
ap
On Mar 9, 2009, at 7:01 PM, Charlie Arehart wrote:
Peyton, I have a generic answer and a specific recommendation.
First, I’ll point out that you can find
We recommend Edgeweb to all of our customers and host all of Figleaf's
sites and google GSA cluster there as well.
Vlad Friedman is great to work with.
Sent from my iPhone
On Mar 9, 2009, at 7:12 PM, Andrew Powell phi1...@gmail.com wrote:
I will second EdgeWeb. They're a client of ours as
Hi Charlie,
Sorry for my ignorance, but what's the difference between shared and dedicated
hosting?
Peyton
- Original Message -
From: Charlie Arehart char...@carehart.org
To: discussion@acfug.org
Sent: Monday, March 9, 2009 7:01:37 PM GMT -05:00 US/Canada Eastern
Subject: RE: