Attached you'll find a patch to user.module's user.js. It enhances the Drupal.evaluatePasswordStrength function by allowing it to check for repeating classes of characters.
http://www-128.ibm.com/developerworks/lotus/library/ls-password_quality/
This link suggests against repeating characters. I can't quite think of an efficient way of doing this in JavaScript, but we can check for classes (e.g. "abc", "123", "asdf") and increment the weaknesses variable accordingly.
The attached patch is for the latest 7.x release of Drupal, but a similar approach could be applied to the 6.x branch.
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | user.js_.drupal7.patch | 446 bytes | Brad Beattie |
| #3 | user.js_.patch | 1.15 KB | Brad Beattie |
|  | password.patch | 275 bytes | Brad Beattie |
Comments
Comment #2
Brad Beattie commented
Comment #3
Brad Beattie commented
Attached patch as generated by cvs diff, as per http://drupal.org/patch/create
Comment #5
Brad Beattie commented
Trying this again, but from the root CVS directory.
Comment #6
Brad Beattie commented
Comment #7
Dries commented
Please add code comments explaining how this patch works. Thanks.
Comment #8
Brad Beattie commented
user.js has a series of tests it performs (via regular expressions) to determine password strength.
We'd like to ensure strong passwords, part of which suggests testing for dictionary words. While we can't test that efficiently via JavaScript, we can test for repeating character classes. As such, I propose a fifth test.
/[a-z]{3,}|[A-Z]{3,}|[0-9]{3,}|[^a-zA-Z0-9]{3,}/
This regular expression matches if it finds any grouping of character classes ("asdf", "123", etc) and reduces its score in the Drupal.evaluatePasswordStrength function.
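The fifth test proposed in comment #8, run over a few constructed passwords, as an added example that is not part of the thread or of Drupal's user.js. The first regex is the one quoted above with a `g` flag added so every match is listed; the backreference check for a single repeated character and all function names are assumptions introduced here.

```javascript
// Added example; not Drupal's user.js.
// Regex from comment #8, with the g flag so all runs are reported.
const CLASS_RUN = /[a-z]{3,}|[A-Z]{3,}|[0-9]{3,}|[^a-zA-Z0-9]{3,}/g;
// Assumption: one character repeated three or more times in a row.
const REPEATED_CHAR = /(.)\1{2,}/g;

// Names the character class a single character belongs to.
function classOf(ch) {
  if (/[a-z]/.test(ch)) return 'lower';
  if (/[A-Z]/.test(ch)) return 'upper';
  if (/[0-9]/.test(ch)) return 'digit';
  return 'other';
}

// Every run of 3+ same-class characters, with its position and class.
function findClassRuns(password) {
  return Array.from(password.matchAll(CLASS_RUN), (m) => ({
    run: m[0],
    index: m.index,
    cls: classOf(m[0][0]),
  }));
}

// Every run of one identical character repeated 3+ times.
function findRepeatedChars(password) {
  return Array.from(password.matchAll(REPEATED_CHAR), (m) => m[0]);
}

function analyze(password) {
  const runs = findClassRuns(password);
  return {
    password,
    classRunWeakness: runs.length > 0, // what the proposed fifth test flags
    runs,
    repeatedChars: findRepeatedChars(password),
  };
}

// Constructed sample passwords.
const samples = ['asdf123', 'aB3$xY7!', 'Tr0ub4dor&3', 'aaaB1!', 'a1b2c3d4'];
for (const s of samples) {
  const r = analyze(s);
  const runs = r.runs.map((x) => `${x.cls}:${x.run}@${x.index}`).join(', ');
  console.log(`${s}: flagged=${r.classRunWeakness} runs=[${runs}] repeats=[${r.repeatedChars}]`);
}
```

The class-run test flags any three consecutive characters of one class, so it matches "dor" in `Tr0ub4dor&3` as well as the literal repeat "aaa".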
Comment #9
FiReaNGeL commented
I think what Dries wanted is comments in the actual code, not in the issue.
Comment #10
catch commented
Also, while rerolling, please roll the patch with cvs diff -up (unified diff format) - we're used to seeing -/+ rather than </>
Comment #11
Jooblay.net commented
What is the status of this ticket :) Can we close this...
Comment #12
frob commented
Leseen, I do not think so.
The patch needs to be rerolled with documentation.
This should probably use some documentation as well. What is case 5:
Comment #13
Jooblay.net commented
Thanks for the update :)
Comment #14
mgifford commented
This has to get into D8 first, right?