It seems to me that the desire to be all-encompassing has obscured the nature of the problem. What admins want is to be able to demand a minimum strength of password, not to say specifically that a strong password has 4 or more upper alphas, two or more digits, some punctuation ...

This suggests the need for a straightforward measure of complexity which can be expressed as an integer. The UI could supply a test facility so different passwords could be tried. Edge cases such as username appearing in the password string might be handled as exceptions (I'd suggest a default option to debar them).

As an example of why this might be a good idea, consider that a 16 character string consisting only of lowercase alphas is, in general, more secure than one 8 characters long with a mixture of alphas, digits and punctuation. Reference: http://howsecureismypassword.net/

Comments

erikwebb’s picture

Title: Simpler yet more robust algorithm for password complexity? » Implement simple integer-based constraint for overall "strength"

I don't disagree. Given the new architecture for 7.x-2.x, you could create a constraint that calculates this value. Then the policy would simply check against your logic.

erikwebb’s picture

@alfaguru - Do you have a simple formula we should use to implement this constraint?

alfaguru’s picture

Here's the code I am using at the moment, which is a simple port of the Drupal.evaluatePasswordStrength function from user.js to PHP:

<?php
/**
 * Scores a password from 0 to 100.
 *
 * Port of Drupal.evaluatePasswordStrength() from user.js, kept in step with
 * the JS so the server-side score matches what the browser shows.
 */
function mymodule_password_strength($password, $username) {
  $weaknesses = 0;
  $strength = 100;

  $hasLowercase = preg_match('/[a-z]+/', $password);
  $hasUppercase = preg_match('/[A-Z]+/', $password);
  $hasNumbers = preg_match('/[0-9]+/', $password);
  $hasPunctuation = preg_match('/[^a-zA-Z0-9]+/', $password);

  // Lose 5 points for every character less than 6, plus a 30 point penalty.
  if (strlen($password) < 6) {
    $strength -= ((6 - strlen($password)) * 5) + 30;
  }

  // Count weaknesses: one per missing character class.
  if (!$hasLowercase) {
    $weaknesses++;
  }
  if (!$hasUppercase) {
    $weaknesses++;
  }
  if (!$hasNumbers) {
    $weaknesses++;
  }
  if (!$hasPunctuation) {
    $weaknesses++;
  }

  // Apply penalty for each weakness (balanced against length penalty).
  // Three and four missing classes carry the same penalty, as in user.js.
  switch ($weaknesses) {
    case 1:
      $strength -= 12.5;
      break;

    case 2:
      $strength -= 25;
      break;

    case 3:
      $strength -= 40;
      break;

    case 4:
      $strength -= 40;
      break;
  }

  // Check if password is the same as the username.
  if ($password !== '' && strtolower($password) === strtolower($username)) {
    // Passwords the same as username are always very weak.
    $strength = 5;
  }

  return $strength;
}

This has the advantage that it's easy to integrate with the Drupal JS. I'd like to see something more mathematically rigorous but haven't had the time to investigate possible algos.
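The following is an added example, not code from the password_policy module or from anyone in this thread. It ports the heuristic posted above to JavaScript (so it can run beside user.js) and sets it next to a plain brute-force keyspace estimate, then runs both over the two cases from the issue summary: a 16-character lowercase string and an 8-character string mixing all four classes. The 33-character punctuation alphabet, the "username appears anywhere in the password" rule (debarred by default, as the summary suggests), and the sample passwords are all assumptions of this example.

```javascript
// Added example: not code from the password_policy module or from this
// thread. Compares the user.js-style heuristic with a keyspace estimate on
// the issue summary's two cases (16 lowercase vs 8 mixed).

// Port of the heuristic posted above (itself a port of
// Drupal.evaluatePasswordStrength). Returns a score in 0..100.
function drupalStrength(password, username) {
  let strength = 100;
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/];
  const weaknesses = classes.filter((re) => !re.test(password)).length;

  // Lose 5 points for every character under 6, plus a flat 30-point penalty.
  if (password.length < 6) {
    strength -= (6 - password.length) * 5 + 30;
  }
  // Penalty per missing character class; 3 and 4 missing score the same.
  strength -= [0, 12.5, 25, 40, 40][weaknesses];

  // A password equal to the username is always very weak.
  if (password !== '' && password.toLowerCase() === username.toLowerCase()) {
    strength = 5;
  }
  return strength;
}

// Brute-force keyspace estimate in bits: length * log2(alphabet), where the
// alphabet is the union of the character classes actually present. Assumes the
// attacker knows which classes were used. 33 is assumed here as the count of
// printable ASCII punctuation plus space, so all four classes together give
// the 95 printable ASCII characters.
function keyspaceBits(password) {
  let alphabet = 0;
  if (/[a-z]/.test(password)) alphabet += 26;
  if (/[A-Z]/.test(password)) alphabet += 26;
  if (/[0-9]/.test(password)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(password)) alphabet += 33;
  return alphabet === 0 ? 0 : password.length * Math.log2(alphabet);
}

// Edge case from the issue summary: the username appearing anywhere in the
// password. Debarred by default here (assumed policy, not the module's).
function containsUsername(password, username) {
  return username.length > 0 &&
    password.toLowerCase().includes(username.toLowerCase());
}

// The single integer an admin can set a minimum for: whole bits of keyspace,
// or 0 when the username is embedded.
function complexityLevel(password, username) {
  if (containsUsername(password, username)) return 0;
  return Math.floor(keyspaceBits(password));
}

// Policy check against a minimum level.
function meetsPolicy(password, username, minLevel) {
  return complexityLevel(password, username) >= minLevel;
}

// Constructed sample inputs (not real credentials).
const SAMPLES = [
  { pw: 'loremipsumdolors', user: 'alice' }, // 16 lowercase letters
  { pw: 'Pa5s!w0R', user: 'alice' },         // 8 chars, all four classes
  { pw: 'alice2024!', user: 'alice' },       // username embedded
  { pw: 'alice', user: 'alice' },            // equal to username
];

for (const { pw, user } of SAMPLES) {
  console.log(
    `${pw.padEnd(18)} drupalStrength=${drupalStrength(pw, user)}` +
    ` level=${complexityLevel(pw, user)} meets(60)=${meetsPolicy(pw, user, 60)}`
  );
}
```

With a minimum level of 60, the 16-character lowercase string passes (75 bits) and the 8-character mixed string fails (52 bits), the opposite of the heuristic's ranking (60 versus 100). The keyspace figure assumes characters are chosen at random, so it overstates the strength of dictionary words such as the sample above; it is the arithmetic the issue summary appeals to, not a recommendation of those passwords.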

alfaguru’s picture

Issue summary: View changes

minor edit

coltrane’s picture

Definitely in favor of this. I recently was pointed at https://github.com/lowe/zxcvbn which is a JS lib for checking password strength that provides a couple of metrics that fit this idea of a "complexity level" or "strength" without demanding 1 or more specific metrics (1 number, 1 symbol etc.).

I think the configuration for this could explain how a level is defined and then allow the admin to define how high of a level to require.

coltrane’s picture

Issue summary: View changes
Status: Active » Needs review

Here's a first, but working, pass at a "Drupal strength" -- probably needs a better name and better description.

Screenshot of constraint form https://www.monosnap.com/image/jAJzHgNvnXaZgq6QWuHH6WxJ0

erikwebb’s picture

I think "Drupal strength" is as good of a name as any. Can we add some help text that explains how it works?

deekayen’s picture

Status: Needs review » Fixed
aohrvetpv’s picture

Status: Fixed » Needs work

Committed by deekayen here:
http://drupalcode.org/project/password_policy.git/commit/58ca4d8

Still need help text per #6 and SimpleTest tests.

greggles’s picture

Status: Needs work » Fixed

This was fixed for the 7.x-2.x branch. For 9+, people should use https://www.drupal.org/project/password_strength so moving to fixed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.