1
rplima2004
How to force the users of ours site to use safe passwords?
  • 2006/9/20 4:41

  • rplima2004

  • Just popping in

  • Posts: 70

  • Since: 2004/10/8


First of all, I would like to ask for excuses me for my very poor English. I am strengtheing itself to be able to share with you some of my works.

Security is primordial nowadays. And as everything in the Internet that has a minimum of security demands the use of passwords, is necessary that uses safe passwords to keep its security and the security of the information of the site.

It is known that the majority of the users uses the same password for the majority of the sites that registers and that in the great majority these passwords are not very safe, therefore is short passwords, that remember some thing of the user, at last, this is a risk for you, its site and its users.

But, how to force the users of its site to use safe passwords?

It is simple, installs a quality passwords meter in your site and only allows registers that they reach definitive level of security defined for you.

In the last days some XOOPS sites in Brasil had been hacked and know, at least what it consists, that this invasion was made possible because the invader discovered the password of some user who possessed a weak password.

Was thinking about this that I developed this hack and I hope that with this I can help them to make more difficult the life of this type of person who invades sites to cause the chaos, it at least a little.

Well, go to start.

The first step is make backup of the files that you go edit to install the hack.
The files are:

- include/registerform.php
- edituser.php
- language/your_language/user.php
- modules/system/language/your_language/admin/preferences.php

Made backup, click here and download the necessary files.

Open the files include/registerform.php and edituser.php text editor and only substitutes the code of creation of password field for this:

Quote:

##################################################################################################
# Password Quality Meter
# Type: Core Hack
# Description: This hack creates a Password Quality Meter for the user in the register or edition
# profile form. It only enable the send form button case the typed password reach the level of
# security defined for you in the administration (System Admin=>Preferences=>Users Config).
##################################################################################################
# Rodrigo Pereira Lima aka TheRplima
# therplima@gmail.com
# Last Update: 16/09/2006
# See the hack in my site http://www.xoops.net.br/register.php
##################################################################################################
include_once XOOPS_ROOT_PATH."/include/passwordquality.php";
##################################################################################################
# End of Hack
##################################################################################################


Original password form field creation code in include/registerform.php:
Quote:

$reg_form->addElement(new XoopsFormPassword(_US_PASSWORD, "pass", 10, 32, $myts->htmlSpecialChars($pass)), true);


Original password form field creation code in edituser.php:
Quote:

$pwd_text = new XoopsFormPassword('', 'password', 10, 32);


Made this, the next step is to include the used texts in hack in the definitions of language of xoops.
Opens the file language/your_language/user.php and in the end of the file, before ?> includes the stretch below:
Quote:

##################################################################################################
# Password Quality Meter
# Type: Core Hack
# Description: This hack creates a Password Quality Meter for the user in the register or edition
# profile form. It only enable the send form button case the typed password reach the level of
# security defined for you in the administration (System Admin=>Preferences=>Users Config).
##################################################################################################
# Rodrigo Pereira Lima aka TheRplima
# therplima@gmail.com
# Last Update: 16/09/2006
# See the hack in my site http://www.xoops.net.br/register.php
##################################################################################################
define('_US_REGFORM_NOJAVASCRIPT', 'To register in this site the Javascript of your browser must be enable. Enable it and try again!');
define('_US_REGFORM_WARNING', 'To register in this sitee you will be use a safe password. Try to create your passwords using a mix of letters (case sensitive), numbers and symbols.');
##################################################################################################
# End of Hack
##################################################################################################


Open now modules/system/language/your_language/admin/preferences.php and in the end of the file, before ?> includes the stretch below:
Quote:

##################################################################################################
# Password Quality Meter
# Type: Core Hack
# Description: This hack creates a Password Quality Meter for the user in the register or edition
# profile form. It only enable the send form button case the typed password reach the level of
# security defined for you in the administration (System Admin=>Preferences=>Users Config).
##################################################################################################
# Rodrigo Pereira Lima aka TheRplima
# therplima@gmail.com
# Last Update: 16/09/2006
# See the hack in my site http://www.xoops.net.br/register.php
##################################################################################################
define("_MD_AM_PASSLEVEL","Minimun password security");
define("_MD_AM_PASSLEVEL_DESC","Define which the minimum level of security for the passwords of the users.");
define("_MD_AM_PASSLEVEL1","Unsafe");
define("_MD_AM_PASSLEVEL2","Weak");
define("_MD_AM_PASSLEVEL3","Fair");
define("_MD_AM_PASSLEVEL4","Strong");
define("_MD_AM_PASSLEVEL5","Safe");
define("_MD_AM_PASSLEVEL6","Not rated");
##################################################################################################
# End of Hack
##################################################################################################


Soon, the alterations are made, copy the files passwordquality.php, passwordquality.js and percent_bar.js for inside of the folder include of its site.

We now go effectively to install hack in xoops. Copy the file Securitypasshack_install.php for the root of its site. Make a login as admin and access XOOPS_URL/securitypasshack_install.php.

It is very fast and if everything ok you will receive a success message and will be redirected for the main page of its site.

Erase the file Securitypasshack_install.php to prevent problems.

The installation is complete, it goes now in System Admin=>Preferences=>Users Config and sees if the length of the password and the level of security are in accordance with its necessities and are felt safer!

I hope that they have liked.

Here the link of original post in my site (Portuguese).

TheRplima

2
iHackCode
Re: How to force the users of ours site to use safe passwords?

i havent tried it yet, but sounds great. wouldnt mind having something like this in the core.
CBB / LatestNews / Publisher / XM-Spotlight

(ノ◕ヮ◕)ノ*:・゚✧

3
bluenova
Re: How to force the users of ours site to use safe passwords?

Nice work. I would suggest submitting the code here

4
Will_H
Re: How to force the users of ours site to use safe passwords?
  • 2006/9/20 12:32

  • Will_H

  • Friend of XOOPS

  • Posts: 1786

  • Since: 2004/10/10


hotness.

5
rplima2004
Re: How to force the users of ours site to use safe passwords?
  • 2006/9/20 12:57

  • rplima2004

  • Just popping in

  • Posts: 70

  • Since: 2004/10/8


Thanks all for coments.

@bluenova: i have posted there, see the link

TheRplima

6
hervet
Re: How to force the users of ours site to use safe passwords?
  • 2006/9/20 15:42

  • hervet

  • Friend of XOOPS

  • Posts: 2267

  • Since: 2003/11/4


One thing is just missing, on the form of an option, a way to block the account after, let say, 3 unsuccessful logins.

7
rplima2004
Re: How to force the users of ours site to use safe passwords?
  • 2006/9/20 20:37

  • rplima2004

  • Just popping in

  • Posts: 70

  • Since: 2004/10/8


@hervet: Yes, this is a great idea. Although to run away a little to the target from hack. But I go to give one analyzed in this and perhaps make another one hack.

TheRplima

8
giba
Re: How to force the users of ours site to use safe passwords?
  • 2006/9/23 15:20

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


yes Hervé, good idea too

TheRpLima in analysing for implements and features is reported in sourceforge. Now new adition verify fields forms, branch 2.0.15 and formelements 2.0.16 Skalpa and idea TheRpLima

This force users safe passwords is very important too.

Thanks for comments all xoopers.

9
irmtfan
Re: How to force the users of ours site to use safe passwords?
  • 2006/9/23 16:06

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


idea is great also set time limit for passwords is another feature to force user to change passwords regularly.

Quote:

hervet wrote:
One thing is just missing, on the form of an option, a way to block the account after, let say, 3 unsuccessful logins.


IMHO its not a good idea at all.
because anyone can block any account just by 3 faild login.
Or maybe create a script to block all accounts in the XOOPS site? i think its a kind of DOS attack.

10
rplima2004
Re: How to force the users of ours site to use safe passwords?
  • 2006/9/23 16:29

  • rplima2004

  • Just popping in

  • Posts: 70

  • Since: 2004/10/8


Quote:

irmtfan wrote:
idea is great also set time limit for passwords is another feature to force user to change passwords regularly.

IMHO its not a good idea at all.
because anyone can block any account just by 3 faild login.
Or maybe create a script to block all accounts in the XOOPS site? i think its a kind of DOS attack.


Yes, irmtfan, thinking about you say, i agree with you. If this is implemented anyone can block account of anyone, includding admin account. Really this has that to be thought better before being implemented. So about the time limit for passwords i like this.

TheRplima

Login

Who's Online

165 user(s) are online (99 user(s) are browsing Support Forums)


Members: 0


Guests: 165


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits