Thanks guys for the input and for others who *hijacked* my thread. :-)
I wrote my own JS if anyone needs it.
<!--- Mar 9, 2009. Ajas. CF validation didnt work, so i had to write my own
javascript validation --->
<script language="javascript">
function validatePwd(newPwd) {
var regPattern = /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$/;
if (regPattern.test(newPwd)) {
//alert("Sucess.");
}
else {
alert("Failure. Your password is not strong. Your password
should be atleast 8 characters long, consisting of one Upper case and one
Lower case and one Number.");
return false;
}
}
</script>
This is called from <input type="submit" value="Submit" onclick="return
validatePwd(this.form.new_password.value);">
HTH.Maybe some day when I have time, I will fight with CF to see why it
could not detect user corrected entry and it needs to check against the new
input value.
<Ajas Mohammed />
http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because thats what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high intention,
sincere effort, intelligent direction and skillful execution; it represents
the wise choice of many alternatives.
On Mon, Mar 9, 2009 at 1:14 PM, Teddy R. Payne <[email protected]>wrote:
> Ajas,
> Allow me to caveat here and say that I am all for ColdFusion solutioning
> whenever I can solve a problem, but in some cases you need need to just roll
> your own validation.
>
> If you really have a good amount business rules that may surround a given
> form field, I would say that I would recommend implementing something that
> you "roll" yourn own JS validator or seek a JS library that may solve this
> for you already.
>
> Also, as in other discussion threads, this validator is really a service to
> your user to help them choose a "stronger" password. Error messages and
> custom graphics to say "Weak", "Medium" or "Strong" are common on sites like
> Yahoo or Google. This is just your first level of consideration.
>
> When validating a custom password, you may have client side, server side,
> password encryption, the security of the transport of this password and
> programmatically not passing passwords whenever you can help it. These are
> just a few of the ideas that you can touch on that surround passwords.
>
> Now CF supports most of these ideas, but you may have to also leverage
> supporting technologies, but CF allows you to collaborate with them.
>
>
> Teddy R. Payne, ACCFD
> Google Talk - [email protected]
>
>
>
> On Mon, Mar 9, 2009 at 12:58 PM, Shane <[email protected]> wrote:
>
>> Sorry Ajas!
>>
>> I'll try to look at your code this afternoon.
>>
>> Shane
>>
>> ------------------------------
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Ajas
>> Mohammed
>> *Sent:* Monday, March 09, 2009 11:56 AM
>>
>> *To:* [email protected]
>> *Subject:* Re: [ACFUG Discuss] Password CFinput regular expression -
>> throws alert/error after correction also
>>
>> Thanks guys, but again, does anyone know why CF Validation doesnt see
>> that user has altered text in password box and it needs to run validation
>> again for new input?
>>
>> <Ajas Mohammed />
>> http://ajashadi.blogspot.com
>> We cannot become what we need to be, remaining what we are.
>> No matter what, find a way. Because thats what winners do.
>> You can't improve what you don't measure.
>> Quality is never an accident; it is always the result of high intention,
>> sincere effort, intelligent direction and skillful execution; it represents
>> the wise choice of many alternatives.
>>
>>
>> On Mon, Mar 9, 2009 at 12:39 PM, Shane <[email protected]> wrote:
>>
>>> It was an intranet. Going with 20 I knew I didn't have to worry about
>>> the
>>> password layer and the users didn't mind (after the first shock). The
>>> company only had 140 employees. I agree for many companies / scenarios
>>> it
>>> wouldn't work.
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Dean H. Saxe
>>> Sent: Monday, March 09, 2009 11:35 AM
>>> To: [email protected]
>>> Subject: Re: [ACFUG Discuss] Password CFinput regular expression - throws
>>> alert/error after correction also
>>>
>>> That policy wouldn't fly in the real world for most apps. And if you go
>>> that far... I'd just find other avenues of attack.
>>>
>>> If you think you need such strong passwords, you're better off going to
>>> an
>>> RSA token or one time pad type of authentication system.
>>>
>>> -dhs
>>>
>>>
>>> Dean H. Saxe, CISSP, CEH
>>> [email protected]
>>> "[T]he people can always be brought to the bidding of the leaders.
>>> This is easy. All you have to do is to tell them they are being attacked,
>>> and denounce the pacifists for lack of patriotism and exposing the
>>> country
>>> to danger. It works the same in every country."
>>> --Hermann Goering, Hitler's Reich-Marshall at the Nuremberg Trials
>>>
>>>
>>>
>>> On Mar 9, 2009, at 12:30 PM, Shane wrote:
>>>
>>> > Brute force.
>>> >
>>> > Mathematically - 20 chars is overkill. But using 20 chars pretty much
>>> > ensures the user cannot pick a weak phrase. I agree 15 should be more
>>> > than adequate. But I have enforced 20 chars at one location - and
>>> > after the initial grumbling the users told me they didn't mind much
>>> > since they could use an easily remembered phrase. I also let them go
>>> > 6 months between password changes. Again it's all a balancing act but
>>> > I would rather them have it six months in their head verses 1 month on
>>> > their monitor.
>>> >
>>> > I know there are other considerations when it comes to password
>>> > expiration but.......
>>> >
>>> >
>>> >
>>> > -----Original Message-----
>>> > From: [email protected] [mailto:[email protected]] On Behalf Of Dean H.
>>> > Saxe
>>> > Sent: Monday, March 09, 2009 11:22 AM
>>> > To: [email protected]
>>> > Subject: Re: [ACFUG Discuss] Password CFinput regular expression -
>>> > throws alert/error after correction also
>>> >
>>> > But when you say cracking, you'd have to have the password hashes to
>>> > crack.
>>> > And if they are salted hashes then you are FUBAR, there are no rainbow
>>> > tables for that.
>>> >
>>> > Now, if you're talking brute force attacks, its a different story.
>>> > And that's why a lockout policy is important.
>>> >
>>> > Finally, a 20 character minimum for a passphrase is ridiculous. If
>>> > you just consider 52 chars (upper/lower, no spaces or punctuation) a
>>> > 15 character passphrase has 5.5 X 10^25 values. Your aforementioned
>>> > password poliicy (8 chars, at least 1 numeric) has a minimum
>>> > complexity of 52^7*10 or 1.0 X 10^13, significantly lower than the 15
>>> > character passphrase. So... what kind of complexity are you really
>>> > looking to enforce?
>>> >
>>> > -dhs
>>> >
>>> >
>>> > Dean H. Saxe, CISSP, CEH
>>> > [email protected]
>>> > "I have always strenuously supported the right of every man to his own
>>> > opinion, however different that opinion might be to mine. He who
>>> > denies another this right makes a slave of himself to his present
>>> > opinion, because he precludes himself the right of changing it."
>>> > -- Thomas Paine, 1783
>>> >
>>> >
>>> > On Mar 9, 2009, at 12:08 PM, Shane wrote:
>>> >
>>> >> I agree that users do choose poor passwords. But even using an
>>> >> extended character set you see them choose passwords like "T!mmy".
>>> >> From a cracker's point of view there is little difference between
>>> >> Timmy and T!mmy.
>>> >>
>>> >> I definitely agree that long pass phrases are best all around - even
>>> >> using words. Set the min length at 20 and let the user choose
>>> >> whatever they want.
>>> >>
>>> >> I just brought up the point because I have seen more than one
>>> >> website, including my bank, that forces an extended char set but
>>> >> limits the password length to a MAX of 8 characters. Yeesh.
>>> >>
>>> >> Security in layers - everything is a compromise.
>>> >>
>>> >> Shane Heasley
>>> >> www.CTek-Media.com <http://www.ctek-media.com/>
>>> >>
>>> >> -----Original Message-----
>>> >> From: [email protected] [mailto:[email protected]] On Behalf Of Dean H.
>>> >> Saxe
>>> >> Sent: Monday, March 09, 2009 10:54 AM
>>> >> To: [email protected]
>>> >> Subject: Re: [ACFUG Discuss] Password CFinput regular expression -
>>> >> throws alert/error after correction also
>>> >>
>>> >> I'm not sure I totally agree with you.
>>> >>
>>> >> Yes, the math is not good when you force character sets like this,
>>> >> but the reality is that users choose bad passwords.
>>> >> http://www.schneier.com/essay-144.html
>>> >> The enforcement of complex passwords improves overall complexity for
>>> >> most users.
>>> >>
>>> >> From the social engineering side, you are right, users may write down
>>> >> their passwords. But you'd have to find the password to break in, as
>>> >> opposed to guessing the password from a large, complex pool. So its
>>> >> a balancing act.
>>> >>
>>> >> My suggestion is the use of passphrases such as "yellow polkadot
>>> >> pancakes".
>>> >> You trade length for complexity but increase the ability of
>>> >> memorization.
>>> >> If you then add in some kind of special characters or "leet speak"
>>> >> the
>>> >> passwords are extremely difficult to guess or break.
>>> >>
>>> >> Finally, all of this is useless if you allow the passwords to be
>>> >> recovered or you don't enforce server-side lockouts to slow/stop
>>> >> brute force attacks against passwords. There's a lot more to do than
>>> >> just enforce good passwords if you want to have a secure
>>> >> authentication system.
>>> >>
>>> >> -dhs
>>> >>
>>> >>
>>> >> Dean H. Saxe, CISSP, CEH
>>> >> [email protected]
>>> >> "What is objectionable, what is dangerous about extremists is not
>>> >> that they are extreme, but that they are intolerant."
>>> >> -- Robert F. Kennedy, 1964
>>> >>
>>> >>
>>> >> On Mar 9, 2009, at 11:46 AM, Shane wrote:
>>> >>
>>> >>> This is off topic - but I thought I would throw it in for free:
>>> >>>
>>> >>> Forcing an extended character set (upper case, numbers, special
>>> >>> characters) on the user frequently does not lead to good security.
>>> >>>
>>> >>> First, from the mathematical side, the length of the password has
>>> >>> much more bearing on how difficult it is to crack than the added
>>> >>> complexity gained from using an extended character set. So
>>> >>> sliggyfiverbotgar is much harder to crack than ^%tgYh. As a
>>> >>> practical matter, passwords longer than 10 characters are not
>>> >>> generally breakable - even when composed of mostly English words.
>>> >>> Each extra character adds so many permutations that you need to be
>>> >>> the NSA to brute force longer passwords.
>>> >>>
>>> >>> On the social engineering side. If you force average users to use
>>> >>> an extended character set they have a hard time remembering them.
>>> >>> If they can't easily remember them they write them down and all too
>>> >>> frequently post them next to their monitor. It's all a balancing
>>> >>> act
>>> >>> - and it varies by situation. I usually go for what you have -
>>> >>> minimum of 8 characters, with at least one number. Sometimes I
>>> >>> require mixed case also. I don't force special characters as that
>>> >>> tends to make too many users write down their passwords.
>>> >>> From: [email protected] [mailto:[email protected]] On Behalf Of Ajas
>>> >>> Mohammed
>>> >>> Sent: Monday, March 09, 2009 10:28 AM
>>> >>> To: [email protected]
>>> >>> Subject: [ACFUG Discuss] Password CFinput regular expression -
>>> >>> throws alert/error after correction also
>>> >>>
>>> >>> Hi there,
>>> >>>
>>> >>> I have this code which checks if password is strong i.e. atleast 8
>>> >>> characters long, consiting of one Upper case and one Lower case and
>>> >>> one Number.and if not alerts the user about it. I am using a regular
>>> >>> expression to do this as u can see from code below. The problem is
>>> >>> that once the alert is displayed, even if the user corrects the
>>> >>> error and enters a strong password, the error alert does not go
>>> >>> away. For example, if i entered password for the first time, then
>>> >>> obviously I will get alert saying password is not strong. Then,
>>> >>> afterwards if i correct password to be lets say Leave1234 which is 9
>>> >>> chars, has one uppper case, one lower case and has a number also, I
>>> >>> still end up getting password not strong message. I tried removing
>>> >>> onBlur,OnSubmit one at a time but doesnt work.
>>> >>>
>>> >>> Any ideas????
>>> >>>
>>> >>> Here is the code
>>> >>>
>>> >>> New Password:
>>> >>> <!--- some possible regular expressions i used new_password --->
>>> >>> <!--- ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$ or --->
>>> >>> <cfinput type="password" name="new_password"
>>> >>> validate="regular_expression" pattern="^(?=.*\d)(?=.*[a-z])(?=.*[A-
>>> >>> Z]).{8,}$" validateat="onBlur,onSubmit,onServer" message="Your
>>> >>> password is not strong. Your password should be atleast 8 characters
>>> >>> long, consiting of one Upper case and one Lower case and one
>>> >>> Number."
>>> >>>>
>>> >>>
>>> >>> <Ajas Mohammed />
>>> >>> http://ajashadi.blogspot.com
>>> >>> We cannot become what we need to be, remaining what we are.
>>> >>> No matter what, find a way. Because thats what winners do.
>>> >>> You can't improve what you don't measure.
>>> >>> Quality is never an accident; it is always the result of high
>>> >>> intention, sincere effort, intelligent direction and skillful
>>> >>> execution; it represents the wise choice of many alternatives.
>>> >>> No virus found in this incoming message.
>>> >>> Checked by AVG - www.avg.com
>>> >>> Version: 8.0.237 / Virus Database: 270.11.9/1990 - Release Date:
>>> >>> 03/08/09 17:17:00
>>> >>>
>>> >>>
>>> >>> -------------------------------------------------------------
>>> >>> To unsubscribe from this list, manage your profile @
>>> >>> http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform>
>>> >>>
>>> >>> For more info, see http://www.acfug.org/mailinglists Archive @
>>> >>> http://www.mail-archive.com/discussion%40acfug.org/
>>> >>> List hosted by FusionLink
>>> >>> -------------------------------------------------------------
>>> >>
>>> >>
>>> >>
>>> >> -------------------------------------------------------------
>>> >> To unsubscribe from this list, manage your profile @
>>> >> http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform>
>>> >>
>>> >> For more info, see http://www.acfug.org/mailinglists Archive @
>>> >> http://www.mail-archive.com/discussion%40acfug.org/
>>> >> List hosted by http://www.fusionlink.com
>>> >> -------------------------------------------------------------
>>> >>
>>> >>
>>> >>
>>> >> No virus found in this incoming message.
>>> >> Checked by AVG - www.avg.com
>>> >> Version: 8.0.237 / Virus Database: 270.11.9/1990 - Release Date:
>>> >> 03/08/09
>>> >> 17:17:00
>>> >>
>>> >>
>>> >>
>>> >> -------------------------------------------------------------
>>> >> To unsubscribe from this list, manage your profile @
>>> >> http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform>
>>> >>
>>> >> For more info, see http://www.acfug.org/mailinglists Archive @
>>> >> http://www.mail-archive.com/discussion%40acfug.org/
>>> >> List hosted by http://www.fusionlink.com
>>> >> -------------------------------------------------------------
>>> >>
>>> >>
>>> >>
>>> >
>>> >
>>> >
>>> > -------------------------------------------------------------
>>> > To unsubscribe from this list, manage your profile @
>>> > http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform>
>>> >
>>> > For more info, see http://www.acfug.org/mailinglists Archive @
>>> > http://www.mail-archive.com/discussion%40acfug.org/
>>> > List hosted by http://www.fusionlink.com
>>> > -------------------------------------------------------------
>>> >
>>> >
>>> >
>>> > No virus found in this incoming message.
>>> > Checked by AVG - www.avg.com
>>> > Version: 8.0.237 / Virus Database: 270.11.9/1990 - Release Date:
>>> > 03/08/09
>>> > 17:17:00
>>> >
>>> >
>>> >
>>> > -------------------------------------------------------------
>>> > To unsubscribe from this list, manage your profile @
>>> > http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform>
>>> >
>>> > For more info, see http://www.acfug.org/mailinglists Archive @
>>> > http://www.mail-archive.com/discussion%40acfug.org/
>>> > List hosted by http://www.fusionlink.com
>>> > -------------------------------------------------------------
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>> -------------------------------------------------------------
>>> To unsubscribe from this list, manage your profile @
>>> http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform>
>>>
>>> For more info, see http://www.acfug.org/mailinglists Archive @
>>> http://www.mail-archive.com/discussion%40acfug.org/
>>> List hosted by http://www.fusionlink.com
>>> -------------------------------------------------------------
>>>
>>>
>>>
>>> No virus found in this incoming message.
>>> Checked by AVG - www.avg.com
>>> Version: 8.0.237 / Virus Database: 270.11.9/1990 - Release Date: 03/08/09
>>> 17:17:00
>>>
>>>
>>>
>>> -------------------------------------------------------------
>>> To unsubscribe from this list, manage your profile @
>>> http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform>
>>>
>>> For more info, see http://www.acfug.org/mailinglists
>>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>>> List hosted by http://www.fusionlink.com
>>> -------------------------------------------------------------
>>>
>>>
>>>
>>>
>> No virus found in this incoming message.
>> Checked by AVG - www.avg.com
>> Version: 8.0.237 / Virus Database: 270.11.9/1990 - Release Date: 03/08/09
>> 17:17:00
>>
>> -------------------------------------------------------------
>> To unsubscribe from this list, manage your profile @
>> http://www.acfug.org?fa=login.edituserform<http://www.acfug.org/?fa=login.edituserform>
>>
>> For more info, see http://www.acfug.org/mailinglists
>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>> List hosted by FusionLink <http://www.fusionlink.com/>
>> -------------------------------------------------------------
>>
>
>
