Issue #777 has been updated by Clément OUDOT.

Category set to Self Service Password
Status changed from Assigned to Feedback
Target version changed from self-service-password-0.9 to self-service-password-?

Bill, I do not agree with you. If you specify some requirements, they must be 
checked, even if the complexity matches.

It's up to you to be coherent between the requirements and the number of 
classes you need. If you require at least 1 lower, 1 upper and 1 digit, the 
complexity is automatically 3 classes of characters.

What do you think?
----------------------------------------
Bug #777: Self-Service-Password: Not honoring settings for password complexity.
http://tools.lsc-project.org/issues/777

Author: Bill Graboyes
Status: Feedback
Priority: Normal
Assigned to: Clément OUDOT
Category: Self Service Password
Target version: self-service-password-?


Hi Folks,

Love the product, I did however notice a bug.

If the number of password requirements is greater than the number of character 
classes, the requirements win. This is not the behavior that was expected.

Looking through the code it looks as if the problem stems from the following 
lines of code in ./lib/functions.inc.php:

<pre>
function check_password_strength( $password, $oldpassword, $pwd_policy_config ) 
{
    extract( $pwd_policy_config );

--snip--
    # Complexity: checks for lower, upper, special, digits
    if ( $pwd_complexity ) {
        $complex = 0;
        if ( $special > 0 ) { $complex++; }
        if ( $digit > 0 ) { $complex++; }
        if ( $lower > 0 ) { $complex++; }
        if ( $upper > 0 ) { $complex++; }
        if ( $complex < $pwd_complexity ) { $result="notcomplex"; }
    }

    # Minimal length
    if ( $pwd_min_length and $length < $pwd_min_length ) { $result="tooshort"; }

    # Maximal length
    if ( $pwd_max_length and $length > $pwd_max_length ) { $result="toobig"; }

    # Minimal lower chars
    if ( $pwd_min_lower and $lower < $pwd_min_lower ) { $result="minlower"; }

    # Minimal upper chars
    if ( $pwd_min_upper and $upper < $pwd_min_upper ) { $result="minupper"; }

    # Minimal digit chars
    if ( $pwd_min_digit and $digit < $pwd_min_digit ) { $result="mindigit"; }

    # Minimal special chars
    if ( $pwd_min_special and $special < $pwd_min_special ) { $result="minspecial"; }

    # Forbidden chars
    if ( $forbidden > 0 ) { $result="forbiddenchars"; }

    # Same as old password?
    if ( $pwd_no_reuse and $password === $oldpassword ) { $result="sameasold"; }

    return $result;
}
</pre>

If I were to recommend a patch, since you are already calculating the 
pwd_complexity, it would probably go something like this:

<pre>
function check_password_strength( $password, $oldpassword, $pwd_policy_config ) 
{
    extract( $pwd_policy_config );

--snip--
    # Complexity: checks for lower, upper, special, digits
    if ( $pwd_complexity ) {
        $complex = 0;
        if ( $special > 0 ) { $complex++; }
        if ( $digit > 0 ) { $complex++; }
        if ( $lower > 0 ) { $complex++; }
        if ( $upper > 0 ) { $complex++; }
        if ( $complex < $pwd_complexity ) { $result="notcomplex"; }
    }
    else {

        # Minimal length
        if ( $pwd_min_length and $length < $pwd_min_length ) { $result="tooshort"; }

        # Maximal length
        if ( $pwd_max_length and $length > $pwd_max_length ) { $result="toobig"; }

        # Minimal lower chars
        if ( $pwd_min_lower and $lower < $pwd_min_lower ) { $result="minlower"; }

        # Minimal upper chars
        if ( $pwd_min_upper and $upper < $pwd_min_upper ) { $result="minupper"; }

        # Minimal digit chars
        if ( $pwd_min_digit and $digit < $pwd_min_digit ) { $result="mindigit"; }

        # Minimal special chars
        if ( $pwd_min_special and $special < $pwd_min_special ) { $result="minspecial"; }
    }

    # Forbidden chars
    if ( $forbidden > 0 ) { $result="forbiddenchars"; }

    # Same as old password?
    if ( $pwd_no_reuse and $password === $oldpassword ) { $result="sameasold"; }

    return $result;
}
</pre>

Thanks,
tc3driver
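To make the disagreement in this thread concrete, here is an added, self-contained PHP example (not code from the Self Service Password project or from either poster). It completes the quoted `check_password_strength()` with the counting logic that the `--snip--` hides (that counting, and the config key `pwd_forbidden_chars`, are my assumptions), keeps the original check order so a later failing check overwrites `$result` as in the quoted code, and adds Clément's coherence rule as a small policy sanity check: every `pwd_min_*` setting that is greater than zero forces one character class to be present, so a `pwd_complexity` lower than that count can never be the binding constraint. The demo runs a three-class password against the mismatched policy from the report (where the per-class minimums decide) and against a coherent policy where complexity and minimums agree.

```php
<?php
// Added example, not code from the Self Service Password project: a complete,
// runnable stand-in for the check_password_strength() quoted in the report.
// The "--snip--" part that derives $length, $lower, $upper, $digit, $special
// and $forbidden is not on the page, so count_classes() is my assumption of
// it; the config key pwd_forbidden_chars is likewise assumed. The checks keep
// the order of the quoted function, so a later failing check overwrites
// $result exactly as in the original.

function count_classes(string $password, string $forbidden_chars): array
{
    $c = ['length' => strlen($password), 'lower' => 0, 'upper' => 0,
          'digit' => 0, 'special' => 0, 'forbidden' => 0];
    for ($i = 0; $i < $c['length']; $i++) {
        $ch = $password[$i];
        if (ctype_lower($ch)) {
            $c['lower']++;
        } elseif (ctype_upper($ch)) {
            $c['upper']++;
        } elseif (ctype_digit($ch)) {
            $c['digit']++;
        } else {
            $c['special']++;   // anything that is not a letter or a digit
        }
        if ($forbidden_chars !== '' && strpos($forbidden_chars, $ch) !== false) {
            $c['forbidden']++;
        }
    }
    return $c;
}

function check_password_strength(string $password, string $oldpassword, array $pwd_policy_config): string
{
    $p = array_merge([
        'pwd_min_length' => 0, 'pwd_max_length' => 0,
        'pwd_min_lower' => 0, 'pwd_min_upper' => 0,
        'pwd_min_digit' => 0, 'pwd_min_special' => 0,
        'pwd_forbidden_chars' => '', 'pwd_complexity' => 0,
        'pwd_no_reuse' => true,
    ], $pwd_policy_config);
    $n = count_classes($password, $p['pwd_forbidden_chars']);
    $result = '';

    // Complexity: how many of the four classes are present at all
    if ($p['pwd_complexity']) {
        $complex = 0;
        foreach (['special', 'digit', 'lower', 'upper'] as $class) {
            if ($n[$class] > 0) { $complex++; }
        }
        if ($complex < $p['pwd_complexity']) { $result = 'notcomplex'; }
    }

    // Length and per-class minimums, checked regardless of the complexity outcome
    if ($p['pwd_min_length'] and $n['length'] < $p['pwd_min_length']) { $result = 'tooshort'; }
    if ($p['pwd_max_length'] and $n['length'] > $p['pwd_max_length']) { $result = 'toobig'; }
    if ($p['pwd_min_lower'] and $n['lower'] < $p['pwd_min_lower']) { $result = 'minlower'; }
    if ($p['pwd_min_upper'] and $n['upper'] < $p['pwd_min_upper']) { $result = 'minupper'; }
    if ($p['pwd_min_digit'] and $n['digit'] < $p['pwd_min_digit']) { $result = 'mindigit'; }
    if ($p['pwd_min_special'] and $n['special'] < $p['pwd_min_special']) { $result = 'minspecial'; }
    if ($n['forbidden'] > 0) { $result = 'forbiddenchars'; }
    if ($p['pwd_no_reuse'] and $password === $oldpassword) { $result = 'sameasold'; }

    return $result;
}

// Clément's coherence rule as an admin-side sanity check: every pwd_min_* > 0
// forces one class to be present, so a pwd_complexity below that count can never
// be the binding constraint; the per-class requirements decide on their own.
function implied_classes(array $policy): int
{
    $implied = 0;
    foreach (['pwd_min_lower', 'pwd_min_upper', 'pwd_min_digit', 'pwd_min_special'] as $k) {
        if (!empty($policy[$k])) { $implied++; }
    }
    return $implied;
}

function complexity_is_redundant(array $policy): bool
{
    $complexity = $policy['pwd_complexity'] ?? 0;
    return $complexity > 0 && $complexity < implied_classes($policy);
}

// Constructed sample policies: the first is the mismatch from the report
// (complexity 2, but four per-class minimums), the second follows the advice
// in the thread (three minimums, so complexity 3).
$mismatched = ['pwd_complexity' => 2, 'pwd_min_lower' => 1, 'pwd_min_upper' => 1,
               'pwd_min_digit' => 1, 'pwd_min_special' => 1];
$coherent   = ['pwd_complexity' => 3, 'pwd_min_lower' => 1, 'pwd_min_upper' => 1,
               'pwd_min_digit' => 1];

foreach ([['Abcdef12', $mismatched], ['Abcdef12', $coherent], ['abcdef12', $coherent]] as [$pw, $policy]) {
    printf("%-10s complexity-redundant=%s result=%s\n", $pw,
           complexity_is_redundant($policy) ? 'yes' : 'no',
           check_password_strength($pw, 'OldPass1!', $policy) ?: 'ok');
}
```

Run it with `php example.php`. Under the mismatched policy, `Abcdef12` has three classes and therefore satisfies `pwd_complexity = 2`, yet it is still rejected by the `pwd_min_special` check, which is exactly the "requirements win" behaviour the report describes; `complexity_is_redundant()` flags that policy, because the four minimums already imply four classes. Under the coherent policy the same password is accepted, while `abcdef12` fails both the complexity and the upper-case minimum, and only the later check's code survives in `$result`, a detail of the quoted function worth knowing when reading its error messages.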


_______________________________________________
ltb-dev mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-dev
