From 7d9d83329f3c2f7b24703b1a02b21f2a4a922595 Mon Sep 17 00:00:00 2001
From: Max Semenik
Date: Mon, 9 Aug 2010 16:17:00 +0000
Subject: [PATCH] Fixes for password checker from r70520:

* Removed the upper bound for brute force complexity checks
* Score for repetitions is now linear and is subtracted from brute force score to avoid overpenalizing long passwords
* Disabled checks by default for now, since many people consider them overly intrusive
* Made OutputPage::addPasswordSecurity() include jQuery just in case it's not already included
* Documented a little
---
 includes/DefaultSettings.php | 2 +-
 includes/OutputPage.php | 7 +++++++
 skins/common/password.js | 31 ++++++++++++++++---------------
 3 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 86ef2b99e8..f46cf0f788 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -5086,7 +5086,7 @@ $wgUploadMaintenance = false;
 /**
  * Enabes or disables JavaScript-based suggestions of password strength
  */
-$wgLivePasswordStrengthChecks = true;
+$wgLivePasswordStrengthChecks = false;
 
 /**
  * For really cool vim folding this needs to be at the end:
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 9f07201e0d..0347aefd9e 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -1955,7 +1955,14 @@ class OutputPage {
 }
 }
 
+ /**
+ * Adds JS-based password security checker
+ * @param $passwordId String ID of input box containing password
+ * @param $retypeId String ID of input box containing retyped password
+ * @return none
+ */
 public function addPasswordSecurity( $passwordId, $retypeId ) {
+ $this->includeJQuery();
 $data = array(
 'password' => '#' . $passwordId,
 'retype' => '#' . $retypeId,
diff --git a/skins/common/password.js b/skins/common/password.js
index de895590d3..78b147860b 100644
--- a/skins/common/password.js
+++ b/skins/common/password.js
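Review bot: The new docblock's `@return none` is not a recognized return type; the PHP convention for a method with no return value is `@return void`. The two `@param` lines would also be more useful if they stated that the ids are interpolated verbatim into the `'#' . $passwordId` / `'#' . $retypeId` jQuery selectors a few lines below, so callers must pass fixed element ids rather than request-derived strings. The `$this->includeJQuery();` call before `$data` is built looks right; the rest of addPasswordSecurity() is outside the hunk.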
@@ -5,20 +5,16 @@
  * @todo Check for popular passwords and keyboard sequences (QWERTY, etc)
  */
+// Estimates how hard it would be to pick the password using brute forece
 function bruteForceComplexity( pwd ) {
- var score = 0;
-
- if ( pwd.length < 16 ) {
- score = pwd.length * 5;
- } else {
- score = 80;
- }
+ var score = pwd.length * 5;
 
 var regexes = [
 /[a-z]/,
 /[A-Z]/,
 /[0-9]/,
- /[-_;:\.,'"`~!@#$%\^&\*\(\)\[\]\{\} ]/ ];
+ /[-_;:\.,'"`~!@#$%\^&\*\(\)\[\]\{\} ]/
+ ];
 
 var charClasses = 0;
 for ( var i=0; i< regexes.length; i++ ) {
@@ -42,7 +38,8 @@ function bruteForceComplexity( pwd ) {
 return score;
 }
 
-function repetitionScore( pwd ) {
+// Calculates a penalty to brute force score due to character repetition
+function repetitionAdjustment( pwd ) {
 var unique = '';
 for ( var i=0; i< pwd.length; i++ ) {
 if ( unique.indexOf( pwd[i] ) < 0 ) {
@@ -51,9 +48,10 @@ function repetitionScore( pwd ) {
 }
 var ratio = pwd.length / unique.length - 0.4;
 // allow up to 40% repetition, reward for less, penalize for more
- return 100 / ratio;
+ return ratio * 10;
 }
 
+// Checks how many simple sequences ("abc", "321") are there in the password
 function sequenceScore( pwd ) {
 pwd = pwd.concat( '\0' );
 var score = 100, sequence = 1;
@@ -62,7 +60,7 @@ function sequenceScore( pwd ) {
 sequence++;
 } else {
 if ( sequence > 2 ) {
- score -= Math.sqrt( sequence ) * 15;
+ score -= sequence * 7;
 }
 sequence = 1;
 }
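Review bot: The new comment on bruteForceComplexity() misspells "force" (`brute forece`) and does not say what the number means; suggested text: `// Estimates how hard it would be to pick the password using brute force: 5 points per character plus the character-class bonus computed below`. With the 16-character cap gone, the length term is `pwd.length * 5` up to the 100-character truncation the caller applies, i.e. up to 500, which is far above the 80-point "good" threshold used in the caller, so a short sentence on the intended scale would help the next person tuning the thresholds. The part of the function that turns charClasses into a bonus is outside the hunk.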
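Review bot: With `return ratio * 10;` the adjustment can never be a reward: `pwd.length / unique.length` is at least 1, so ratio is at least 0.6 and every password loses at least 6 points, which contradicts the unchanged `// allow up to 40% repetition, reward for less, penalize for more` comment directly above it. Either reword the comment to say the result is a penalty of at least 6 points, or make the allowance real, e.g. `var ratio = Math.max( 0, pwd.length / unique.length - 1 / 0.6 );` so that only repetition beyond 40% of the characters is charged. Note also that unique.length is 0 for an empty password, which makes ratio NaN; presumably the early return at the top of the caller covers that case (its condition is outside the hunks), but the function itself does not guard it. The opening of repetitionAdjustment() is in the preceding hunk.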
@@ -89,23 +87,26 @@ function sequenceScore( pwd ) {
 return;
 }
 if ( pwd.length > 100 ) pwd = pwd.slice( 0, 100 );
- var score = Math.min(
+ var scores = [
 bruteForceComplexity( pwd ),
- repetitionScore( pwd ),
+ repetitionAdjustment( pwd ),
 sequenceScore( pwd )
- );
+ ];
+
+ var score = Math.min( scores[0] - scores[1], scores[2] );
 
 var result = 'good';
 if ( score < 40 ) {
 result = 'bad';
 } else if ( score < 60 ) {
 result = 'mediocre';
- } else if ( score < 85 ) {
+ } else if ( score < 80 ) {
 result = 'acceptable';
 }
 
 var message = '' + passwordSecurity.messages['password-strength-' + result] + '';
 $( '#password-strength' ).html(
 passwordSecurity.messages['password-strength'].replace( '$1', message )
+ //+ scores
 );
 }
-- 
2.20.1
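Review bot: The added `//+ scores` line inside the `.html( … )` argument list is a leftover debugging stub and should be removed before merge; if the raw scores are wanted for diagnosis, write them to the console rather than leaving a commented concatenation in the page-rendering call. `Math.min( scores[0] - scores[1], scores[2] )` also hides which value is the penalty; named locals read better: `var bruteForce = bruteForceComplexity( pwd ), repetition = repetitionAdjustment( pwd ), sequences = sequenceScore( pwd );` followed by `var score = Math.min( bruteForce - repetition, sequences );`. Since `message` is injected through `.html()`, the `password-strength-*` messages are treated as trusted markup; if those strings are editable on the wiki, `.text()` on the target container would be the safer choice (pre-existing, not changed by this hunk). The enclosing function begins before this hunk; the `function sequenceScore` in the hunk header is only git's nearest preceding declaration.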