Validating Passwords 1

jl8789

MIS
May 22, 2003
293
US
Can anyone solve or point me to where I can find help with some password validations such as the following?

- Passwords will contain at least one number or special character in other than the first or last position.
- The same character will not occur in three consecutive positions in the password.
- Passwords will not be a repeat of the USERID.
- Passwords will differ from the USERID by at least three positions.
- The new password will differ from the previous password by at least two positions.
- Passwords will be case sensitive.

*Password will be at least 6 chars, and the USERID is 6 characters

Any Help is Greatly Appreciated!
Thanks!
 
You work for SBC, eh?

-kaht

How much you wanna make a bet I can throw a football over them mountains?
 
I'd suggest searching for a script using Google or Yahoo. Tek-Tips is not designed as a coding shop for your problems.

You already have a well thought-out list of requirements that describe how the script will work. If you find yourself stuck on some part of your code, by all means post a question with the specifics.

Cheers,
Jeff

 
Ok, so I was being lazy. Sorry. I thought someone may have done this already so that I could re-use. No big deal, I am a big boy and can code my own things. Sorry for asking for the easy way out.

P.S. kaht, yes you are correct. How did you know or find out?
 
How did you know or find out?
Cause I wrote the exact same password validation script about 2 years ago for the vacation planner/tracker we provide for SBC and it had to have the same conditions.

-kaht

 
So, do you still have it!? Was it in ColdFusion or JavaScript? Anything you have would REALLY help. You know how everything gets at the end of the year. Tons of things to finish and no time to do it :o( Whatever you can provide, thanks. If not, no problem, I understand you are probably busy too and I can work through it. You still with SBC?
 
Although I agree with Jeff about people doing their own work and only using tek-tips for assistance, it's no skin off my back to copy/paste what I've already written. Keep in mind that this is old code, and not written to be cross-browser compatible (as SBC only uses IE, which I'm sure you already know), so it doesn't use document.getElementById or document.forms["formname"].elements["elementname"] to access the form elements.

suitsid was the userid field
PWD1 was the first password field
PWD2 was the confirmation password field

Oh, and I'm pretty sure we threw that alphanumeric check in ourselves for this application. I'm pretty sure that's not SBC standard.
Code:
function passChangeValidate() {
   frmPassChange.PWD1.value = frmPassChange.PWD1.value.toUpperCase();
   frmPassChange.PWD2.value = frmPassChange.PWD2.value.toUpperCase();
   var pwd1 = frmPassChange.PWD1.value;
   var pwd2 = frmPassChange.PWD2.value;
   var suitsid = frmPassChange.suitsid.value.toUpperCase();
   if (pwd1 != pwd2) { //ensure both passwords match.... once past this check you no longer need to check both password fields, one should be sufficient for subsequent checks
      return clearFields("*** Invalid Password ***\n\nPasswords did not match.\n\nPlease retype both passwords.");
   }
   if (pwd1 == "") {
      return clearFields("*** Invalid Password ***\n\nPasswords cannot be left blank.");
   }
   if (pwd1 == suitsid) {
      return clearFields("*** Invalid Password ***\n\nPasswords cannot be the same as your SuitsID.");
   }
   if (!(/^[A-Z0-9]+$/).test(pwd1)) {
      return clearFields("*** Invalid Password ***\n\nPassword fields can contain only alpha-numeric characters: A-Z and 0-9");
   }
   if (pwd1.length < 6) {
      return clearFields("*** Invalid Password ***\n\nPassword must be at least 6 characters in length.");
   }
   if(pwd1.match(/([A-Z0-9])\1\1/)) {
      return clearFields("*** Invalid Password ***\n\nPassword cannot have the same character in 3 or more consecutive positions.");
   }
   if(!(pwd1.substr(1, pwd1.length-2).match(/\d/))) {
      return clearFields("*** Invalid Password ***\n\nPassword must contain at least one numeric character\nin other than the first or last position.");
   }
   if((pwd1.indexOf(suitsid.substr(0, 4)) != -1) || (pwd1.indexOf(suitsid.substr(1, 4)) != -1) || (pwd1.indexOf(suitsid.substr(2, 4)) != -1)) {
      return clearFields("*** Invalid Password ***\n\nPassword must differ from the SuitsID by at least three positions.");
   }
   frmPassChange.pwd.value = frmPassChange.PWD1.value;
   return true;
}

function clearFields(str) {
   alert(str);
   frmPassChange.PWD1.value = "";
   frmPassChange.PWD2.value = "";
   frmPassChange.PWD1.focus();
   return false;
}

-kaht

 
I work for a company contracted by SBC - Millenium Software. We maintain payroll and vacation for service representatives at SBC, so I'm guessing you probably haven't used our programs unless you're a super-representative [lol] They don't usually do much programming.

-kaht

 
Thanks Kaht. I will play with and see how this works out. I am actually trying to do a million things at once so I'm not sure when I'll get to it. I was just hoping to get some people's response to my question before I got there. Looks like it may have really worked!! Thanks.
 
You're very welcome, hope it helps

-kaht

 
Shoot. I can't do all of this on the client since there is a Forgot Your Password? link. There we are asking to enter last 4 of SSN and the new password and confirmation password. So I'll need to do all this once info gets sent to the server using ColdFusion. I could use this on the change password page, but to be consistent I'll have to just use the server-side validation for both cases. This may help lay out my function though, thanks!
 
I need help having this explained to me.
What exactly are we doing here to see if the new string is different from the user id by 3 positions? I need to do this with ColdFusion. Problem is, I'm not sure what exactly indexOf etc. is doing. It looks like you may be seeing if the first 3 positions are differing from the user id, but what about the tail end?

Any help is appreciated, thanks!

if((pwd1.indexOf(suitsid.substr(0, 4)) != -1) || (pwd1.indexOf(suitsid.substr(1, 4)) != -1) || (pwd1.indexOf(suitsid.substr(2, 4)) != -1)) {
return clearFields("*** Invalid Password ***\n\nPassword must differ from the SuitsID by at least three positions.");
 
Now I see what you are checking. If the user id is xx1234, basically it's looking to see if xx12, x123, or 1234 is in the new password. Still not sure how it's checking it against the new password though.
 
Ok, figured out all that stuff. And here was the solution to making sure old is diff from new by at least 2 positions.

<!--- Passwords will differ from the old password by at least two positions. --->
<cfset end = Len(arguments.password1)>
<cfset count = 0>
<cfloop from="1" to="#end#" index="i">
    <!--- Take the character at position i from each password --->
    <cfset substr = Mid(arguments.oldpassword, i, 1)>
    <cfset substr1 = Mid(arguments.password1, i, 1)>

    <!--- CompareNoCase returns non-zero when the two characters differ, ignoring case --->
    <cfif CompareNoCase(substr, substr1)>
        <cfset count = count + 1>
    </cfif>
</cfloop>

<cfif NOT (count gte 2)>
    <cfreturn "Passwords must differ from the old password by at least two positions.">
</cfif>
 
I coded to ensure that the password differed from the suitsid by at least 2 positions in my script, not the previous password. The previous password bit I think I did server side because I didn't want to pull it into a form element client side (for caching purposes). The script that I wrote for the suitsid check was supposed to make sure that the suitsid didn't exist in the password (it seems like I did 4 positions instead of 3 though.....) We'll take the first part of the if condition:

pwd1.indexOf(suitsid.substr(0, 4)) != -1

This checks the first 4 characters of your suitsid starting at position 1 (and like I said I think that should probably be amended to 3 characters instead of 4, but we'll just go with 4 for now). I'll take a wild stab in the dark and guess your suitsid is JL8789 (that being the case, how much are they paying you up there in Milwaukee? [lol])

The first part of the if conditional above will take the substring from your suitsid JL87 and then checks the password field for the indexOf that substring. (meaning it will return the starting position of your password if it finds a match to the substring, if it doesn't find a match it returns -1) If it doesn't find -1 (meaning you didn't use the first 4 characters of your suitsid) then it moves on to the next substring: L878, and then finally the last substring 8789.

To be completely honest I found these password guidelines off some SBC site and had to try and interpret them myself. I didn't even know what the hell "differs by 3 positions" meant, so that is the way I interpreted it.

-kaht

 
I'll have to say, you are funny!! Pay is just enough to pay the bills :o(

Yah, I see what you did, and I was confused because you did 4 positions so I modified it to do the 3. I am also perplexed as to what "differ from the userid by 3 positions" means. I wasn't sure if they wanted it so the entire password differed from the id by 3, or that you couldn't use 3 in a row of the user id. Well, I know how to do both now, so I'm just waiting for an answer.

Thanks again.
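
The two readings of "differ from the USERID by at least three positions" discussed in this thread (position-by-position difference versus no run of three user-ID characters) reject different passwords. The sketch below is an added example, not code from any poster in the thread: it applies the rules from the first post as pure functions that can run server-side, reporting each reading under its own error code. The function names and error codes are hypothetical, the sample passwords are constructed, and comparing against the user ID case-insensitively is an assumption.

```javascript
// Added example: pure functions with no DOM access, so they can run in Node.

// Count positions where a and b differ; a position past the end of the
// shorter string counts as a difference.
function positionsDiffering(a, b) {
  let count = 0;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] !== b[i]) count++;
  }
  return count;
}

// True if any `len` consecutive characters of userId occur in password.
function containsUserIdRun(password, userId, len) {
  for (let i = 0; i + len <= userId.length; i++) {
    if (password.includes(userId.slice(i, i + len))) return true;
  }
  return false;
}

// Returns a list of hypothetical error codes; an empty list means accepted.
function validatePassword(password, userId, oldPassword) {
  const errors = [];
  // Assumption: user-ID comparisons ignore case; old-password ones do not.
  const pw = password.toLowerCase();
  const id = userId.toLowerCase();
  if (password.length < 6) errors.push("too-short");
  // A digit or special character somewhere other than first or last position.
  if (!/[^A-Za-z]/.test(password.slice(1, -1))) errors.push("interior-nonletter");
  if (/(.)\1\1/.test(password)) errors.push("triple-repeat");
  if (pw === id) errors.push("same-as-userid");
  // Reading 1: compare position by position against the user ID.
  if (positionsDiffering(pw, id) < 3) errors.push("userid-positions");
  // Reading 2: no three consecutive user-ID characters anywhere in the password.
  if (containsUserIdRun(pw, id, 3)) errors.push("userid-run");
  if (positionsDiffering(password, oldPassword) < 2) errors.push("old-positions");
  return errors;
}

// Constructed inputs; JL8789 is the sample user ID used in the thread.
console.log(validatePassword("9JL8xq", "JL8789", "Pa5sword"));    // reading 2 only
console.log(validatePassword("AB8789", "JL8789", "Pa5sword"));    // both readings
console.log(validatePassword("Tr4il#mix", "JL8789", "Pa5sword")); // accepted
```

A password such as 9JL8xq differs from the user ID in every position yet still embeds three of its characters in a row, which is why the two readings need separate checks.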
 