Issue #777 has been updated by Clément OUDOT.
Ronan Lanore wrote:
> I share the idea of Bill Graboyes
> You can set a password with ( for example )
>
> Minimum length ( mandatory )
>
> Min lower
> Min upper
> Min digit
> Min special
>
> Password must require 3 of the previous character classes but not all of them.
>
> The feature to add to SSP is the mandatory / optional to each character class

I don't understand, because if you set 0 for example to min lower, it will then be optional. What is missing here?

----------------------------------------
Bug #777: Self-Service-Password: Not honoring settings for password complexity.
http://tools.lsc-project.org/issues/777

Author: Bill Graboyes
Status: Feedback
Priority: Normal
Assigned to: Clément OUDOT
Category: Self Service Password
Target version: self-service-password-?

Hi Folks,

Love the product, I did however notice a bug. If the number of password requirements > number of character classes the requirements win. This is not the behavior that was expected. Looking through the code it looks as if the problem stems from the following lines of code in ./lib/functions.inc.php:

<pre>
function check_password_strength( $password, $oldpassword, $pwd_policy_config ) {
    extract( $pwd_policy_config );

    --snip--

    # Complexity: checks for lower, upper, special, digits
    if ( $pwd_complexity ) {
        $complex = 0;
        if ( $special > 0 ) { $complex++; }
        if ( $digit > 0 ) { $complex++; }
        if ( $lower > 0 ) { $complex++; }
        if ( $upper > 0 ) { $complex++; }
        if ( $complex < $pwd_complexity ) { $result="notcomplex"; }
    }

    # Minimal length
    if ( $pwd_min_length and $length < $pwd_min_length ) { $result="tooshort"; }

    # Maximal length
    if ( $pwd_max_length and $length > $pwd_max_length ) { $result="toobig"; }

    # Minimal lower chars
    if ( $pwd_min_lower and $lower < $pwd_min_lower ) { $result="minlower"; }

    # Minimal upper chars
    if ( $pwd_min_upper and $upper < $pwd_min_upper ) { $result="minupper"; }

    # Minimal digit chars
    if ( $pwd_min_digit and $digit < $pwd_min_digit ) { $result="mindigit"; }

    # Minimal special chars
    if ( $pwd_min_special and $special < $pwd_min_special ) { $result="minspecial"; }

    # Forbidden chars
    if ( $forbidden > 0 ) { $result="forbiddenchars"; }

    # Same as old password?
    if ( $pwd_no_reuse and $password === $oldpassword ) { $result="sameasold"; }

    return $result;
}
</pre>

If I were to recommend a patch, since you are already calculating the pwd_complexity it would probably go something like this:

<pre>
function check_password_strength( $password, $oldpassword, $pwd_policy_config ) {
    extract( $pwd_policy_config );

    --snip--

    # Complexity: checks for lower, upper, special, digits
    if ( $pwd_complexity ) {
        $complex = 0;
        if ( $special > 0 ) { $complex++; }
        if ( $digit > 0 ) { $complex++; }
        if ( $lower > 0 ) { $complex++; }
        if ( $upper > 0 ) { $complex++; }
        if ( $complex < $pwd_complexity ) { $result="notcomplex"; }
    } else {
        # Minimal length
        if ( $pwd_min_length and $length < $pwd_min_length ) { $result="tooshort"; }

        # Maximal length
        if ( $pwd_max_length and $length > $pwd_max_length ) { $result="toobig"; }

        # Minimal lower chars
        if ( $pwd_min_lower and $lower < $pwd_min_lower ) { $result="minlower"; }

        # Minimal upper chars
        if ( $pwd_min_upper and $upper < $pwd_min_upper ) { $result="minupper"; }

        # Minimal digit chars
        if ( $pwd_min_digit and $digit < $pwd_min_digit ) { $result="mindigit"; }

        # Minimal special chars
        if ( $pwd_min_special and $special < $pwd_min_special ) { $result="minspecial"; }
    }

    # Forbidden chars
    if ( $forbidden > 0 ) { $result="forbiddenchars"; }

    # Same as old password?
    if ( $pwd_no_reuse and $password === $oldpassword ) { $result="sameasold"; }

    return $result;
}
</pre>

Thanks,
tc3driver
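The interaction reported above, as an added PHP example that is not Self Service Password code: it runs the quoted check order and the proposed `else` variant side by side, showing that per-class minimums overwrite the complexity result in the first and that the length checks are also skipped in the second whenever `pwd_complexity` is set. The character counting, the empty-string "accepted" result and the sample policy are assumptions, because that part of the function is snipped in the report; the forbidden-character and reuse checks are left out.

```php
<?php
// Added example, not Self Service Password code. Character counting and the
// empty-string "accepted" result are assumptions (snipped in the report).
function count_classes(string $password): array {
    return [
        'length'  => strlen($password),
        'lower'   => preg_match_all('/[a-z]/', $password),
        'upper'   => preg_match_all('/[A-Z]/', $password),
        'digit'   => preg_match_all('/[0-9]/', $password),
        'special' => preg_match_all('/[^a-zA-Z0-9]/', $password),
    ];
}

// $minimums_in_else = false: check order quoted in the report.
// $minimums_in_else = true: proposed change (minimums only when complexity is unset).
function check(string $password, array $p, bool $minimums_in_else): string {
    $c = count_classes($password);
    $result = '';
    $classes = 0;
    foreach (['lower', 'upper', 'digit', 'special'] as $class) {
        if ($c[$class] > 0) { $classes++; }
    }
    if ($p['pwd_complexity'] and $classes < $p['pwd_complexity']) {
        $result = 'notcomplex';
    }
    // Later checks overwrite $result, exactly as in the quoted function.
    if (!($minimums_in_else and $p['pwd_complexity'])) {
        if ($p['pwd_min_length'] and $c['length'] < $p['pwd_min_length']) { $result = 'tooshort'; }
        if ($p['pwd_max_length'] and $c['length'] > $p['pwd_max_length']) { $result = 'toobig'; }
        foreach (['lower', 'upper', 'digit', 'special'] as $class) {
            if ($p["pwd_min_$class"] and $c[$class] < $p["pwd_min_$class"]) {
                $result = "min$class";
            }
        }
    }
    return $result;
}

// Constructed policy: any 3 of 4 classes, with every per-class minimum set to 1.
$policy = [
    'pwd_complexity' => 3, 'pwd_min_length' => 8, 'pwd_max_length' => 0,
    'pwd_min_lower' => 1, 'pwd_min_upper' => 1, 'pwd_min_digit' => 1, 'pwd_min_special' => 1,
];
// Constructed passwords: three classes, four classes but short, one class.
foreach (['abcdefgH1', 'aB1!', 'abcdefgh'] as $pw) {
    printf("%-10s quoted=%-13s proposed=%s\n", $pw,
        var_export(check($pw, $policy, false), true),
        var_export(check($pw, $policy, true), true));
}
```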
