From 4451d8fb2ad7a4e06dccb62e49e62eae4c966654 Mon Sep 17 00:00:00 2001
From: cigamit
Date: Sun, 20 Mar 2016 14:19:57 -0500
Subject: [PATCH] support strong password when changing passwords correct a few spacing issues as well
---
auth_changepassword.php | 78 +++++++++++++++++++++++----------
include/themes/classic/main.css | 7 +++
include/themes/dark/main.css | 7 +++
include/themes/modern/main.css | 7 +++
4 files changed, 76 insertions(+), 23 deletions(-)
diff --git a/auth_changepassword.php b/auth_changepassword.php
index 2e37470eff..df960c80c2 100644
--- a/auth_changepassword.php
+++ b/auth_changepassword.php
@@ -74,44 +74,57 @@ switch (get_request_var('action')) { case 'changepassword': - - // Secpass checking - $error = secpass_check_pass(get_nfilter_request_var('password')); if ($error != 'ok') { $bad_password = true; - $errorMessage = "$error"; - + $errorMessage = "$error"; } if (!secpass_check_history($_SESSION['sess_user_id'], get_nfilter_request_var('password'))) { $bad_password = true; - $errorMessage = "You can not use a previously entered password!"; + $errorMessage = "You can not use a previously entered password!"; + } + + // Get password options for the new password + if (function_exists('password_hash')) { + $password_new = password_hash(get_nfilter_request_var('password'), PASSWORD_DEFAULT); + }else{ + $password_new = ''; + } + $password_old = md5(get_nfilter_request_var('password')); + + // Get old password to compare against the database + if (function_exists('password_hash')) { + $current_password_new = password_hash(get_nfilter_request_var('current_password'), PASSWORD_DEFAULT); + }else{ + $current_password_new = ''; } + $current_password_old = md5(get_nfilter_request_var('current_password')); // Password and Confirmed password checks - if ($user['password'] != md5(get_nfilter_request_var('current_password'))) { + if ($user['password'] != $current_password_new && $user['password'] != $current_password_old) { $bad_password = true; - $errorMessage = "Your current password is not correct. Please try again."; + $errorMessage = "Your current password is not correct. Please try again."; } - if ($user['password'] == md5(get_nfilter_request_var('password'))) { + if ($user['password'] == $password_new || $user['password'] == $password_old) { $bad_password = true; - $errorMessage = "Your new password can not be the same as the old password. Please try again."; + $errorMessage = "Your new password can not be the same as the old password. 
Please try again."; } - if (get_nfilter_request_var('password') !== (get_nfilter_request_var('confirm'))) { + if (get_nfilter_request_var('password') !== (get_nfilter_request_var('confirm'))) { $bad_password = true; - $errorMessage = "Your new passwords do not match, please retype."; + $errorMessage = "Your new passwords do not match, please retype."; } - if ($bad_password == false && get_nfilter_request_var('password') == get_nfilter_request_var('confirm') && get_nfilter_request_var('password') != '') { + if ($bad_password == false && get_nfilter_request_var('password') == get_nfilter_request_var('confirm') && get_nfilter_request_var('password') != '') { // Password change is good to go if (read_config_option('secpass_expirepass') > 0) { - db_execute("UPDATE user_auth SET lastchange = " . time() . " WHERE id = " . intval($_SESSION['sess_user_id']) . " AND realm = 0 AND enabled = 'on'"); + db_execute("UPDATE user_auth SET lastchange = " . time() . " WHERE id = " . intval($_SESSION['sess_user_id']) . " AND realm = 0 AND enabled = 'on'"); } + $history = intval(read_config_option('secpass_history')); if ($history > 0) { $h = db_fetch_row_prepared("SELECT password, password_history FROM user_auth WHERE id = ? AND realm = 0 AND enabled = 'on'", array($_SESSION['sess_user_id'])); 
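Review bot: The current-password check on the new side can never match a stored `password_hash()` value, because `password_hash()` generates a fresh random salt on every call, so `$current_password_new` is a brand-new hash that never equals `$user['password']`; the same applies to the `$user['password'] == $password_new` reuse check. Only the md5 fallback comparisons can ever succeed, so once a password has been stored through the new UPDATE in the later hunk the account can no longer pass this form's current-password check. Compare against the stored hash with `password_verify()` instead, guarded by the same `function_exists()` test, e.g. `if (!(function_exists('password_verify') && password_verify(get_nfilter_request_var('current_password'), $user['password'])) && $user['password'] !== $current_password_old) {` and `if ((function_exists('password_verify') && password_verify(get_nfilter_request_var('password'), $user['password'])) || $user['password'] === $password_old) {`. The remaining md5 comparisons use loose `==`/`!=`; strict `===`/`!==` (or `hash_equals()`) avoids PHP's numeric-string coercion on hex digests. The enclosing `switch`/`case` body starts before the hunk and continues past it.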
@@ -119,19 +132,18 @@ $h = explode('|', $h['password_history']); while (count($h) > $history - 1) { array_shift($h); - } + } $h[] = $op; $h = implode('|', $h); db_execute_prepared("UPDATE user_auth SET password_history = ? WHERE id = ? AND realm = 0 AND enabled = 'on'", array($h, $_SESSION['sess_user_id'])); } db_execute_prepared('INSERT IGNORE INTO user_log (username, result, ip) VALUES (?, 3, ?)', array($user['username'], $_SERVER['REMOTE_ADDR'])); - db_execute_prepared("UPDATE user_auth SET must_change_password = '', password = ? WHERE id = ?", array(md5(get_nfilter_request_var('password')), $_SESSION['sess_user_id'])); + db_execute_prepared("UPDATE user_auth SET must_change_password = '', password = ? WHERE id = ?", array($password_new != '' ? $password_new:$password_old, $_SESSION['sess_user_id'])); kill_session_var('sess_change_password'); - /* ok, at the point the user has been sucessfully authenticated; so we must - decide what to do next */ + /* ok, at the point the user has been sucessfully authenticated; so we must decide what to do next */ /* if no console permissions show graphs otherwise, pay attention to user setting */ $realm_id = $user_auth_realm_filenames['index.php']; @@ -177,10 +189,30 @@ } /* Create tooltip for password complexity */ -$secpass_tooltip = "Minimum Length: " .read_config_option('secpass_minlen') . "
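Review bot: The ternary in the UPDATE, `$password_new != '' ? $password_new:$password_old`, silently stores an unsalted MD5 digest whenever `password_hash()` is unavailable, and nothing in the hunk records or documents that downgrade. At minimum the line deserves a why-comment such as `// password_hash() needs PHP >= 5.5; on older runtimes fall back to the legacy md5 column format` so a maintainer does not mistake the md5 path for dead code. The reflowed comment on the new side also keeps the misspelling "sucessfully"; `/* ok, at this point the user has been successfully authenticated; so we must decide what to do next */` reads correctly. The enclosing `case` block begins before this hunk.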
" . - "Require Mix Case: " .read_config_option('secpass_reqmixcase') . "
" . - "Require Number: " .read_config_option('secpass_reqnum') . "
" . - "Require Special Character: " .read_config_option('secpass_reqspec') . "
" ; +$secpass_tooltip = "Password requirements include:
"; +$secpass_body = ''; + +if (read_config_option('secpass_minlen') > 0) { + $secpass_body .= "Must be at least " . read_config_option('secpass_minlen') . " characters in length"; +} + +if (read_config_option('secpass_reqmixcase') == 'on') { + $secpass_body .= (strlen($secpass_body) ? ';
':'') . "Must include mixed case"; +} + +if (read_config_option('secpass_reqnum') == 'on') { + $secpass_body .= (strlen($secpass_body) ? ';
':'') . "Must include at least 1 number"; +} + +if (read_config_option('secpass_reqspec') == 'on') { + $secpass_body .= (strlen($secpass_body) ? ';
':'') . "Must include at least 1 special character"; +} + +if (read_config_option('secpass_history') != '0') { + $secpass_body .= (strlen($secpass_body) ? ';
':'') . "Can not be reused for " . (read_config_option('secpass_history')+1) . " password changes"; +} + +$secpass_tooltip .= $secpass_body . "."; print "\n"; print "\n"; @@ -245,4 +277,4 @@ }); - \n"; \ No newline at end of file + \n"; diff --git a/include/themes/classic/main.css b/include/themes/classic/main.css index b9ac80beb6..727491a54a 100755 --- a/include/themes/classic/main.css +++ b/include/themes/classic/main.css @@ -89,6 +89,13 @@ label { cursor:pointer; } +.badpassword_message { + padding:2px; + color:red; + font-size:1.0em !important; + vertical-align:bottom; +} + .badpassword { padding:4px; color:red; diff --git a/include/themes/dark/main.css b/include/themes/dark/main.css index 5b5ccf99bb..21680e06d9 100644 --- a/include/themes/dark/main.css +++ b/include/themes/dark/main.css @@ -128,6 +128,13 @@ label { font-size: 11px !important; } +.badpassword_message { + padding:2px; + color:red; + font-size:1.0em !important; + vertical-align:bottom; +} + .badpassword { padding:4px; color:red; diff --git a/include/themes/modern/main.css b/include/themes/modern/main.css index 4ba295d49e..80d5c7271d 100755 --- a/include/themes/modern/main.css +++ b/include/themes/modern/main.css @@ -101,6 +101,13 @@ label { font-size: 13px !important; } +.badpassword_message { + padding:2px; + color:red; + font-size:1.0em !important; + vertical-align:bottom; +} + .badpassword { padding:4px; color:red;
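Review bot: The history line of the tooltip is gated on `read_config_option('secpass_history') != '0'`, which is true when the option is unset or empty (PHP compares `''` to `'0'` as strings), so the tooltip then promises "Can not be reused for 1 password changes" while the enforcement earlier in the file only runs history when `intval(read_config_option('secpass_history')) > 0`. Use the same numeric test so the advice matches what is enforced: `if (intval(read_config_option('secpass_history')) > 0) {` and compute the count from the same `intval()` value rather than adding 1 to the raw option string. The other four `read_config_option()` checks in this hunk already use numeric or `== 'on'` tests, so only this one is inconsistent.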