Feature Requests item #1785513, was opened at 2007-08-31 13:15
Message generated for change (Comment added) made by christian_boltz
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=937967&aid=1785513&group_id=191583
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Core
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: suprune (suprune)
Assigned to: Nobody/Anonymous (nobody)
Summary: Password and username restrictions
Initial Comment:
A user can change their password, and a domain administrator can set the password of a user. It would be nice if there were the following parameters in config.inc.php:
password minimum length;
and/or characters a password may contain, e.g. a regular expression for a password, like this: "!^[\\x21-\\x7E]{3,}$!"
The same thing is desired for the users' names.
Thanks.
----------------------------------------------------------------------
>Comment By: Christian Boltz (christian_boltz)
Date: 2011-08-27 01:27
Message:
> Cool... but how would you specify 'must contain at least n special
> characters', where n is greater than one?
I'll give you an example for numbers to avoid escaping issues ;-)
/([0-9].*){3}/
would enforce at least 3 digits - with or without any other characters
between them (as usual: untested)
/[0-9].*[0-9].*[0-9]/
would do the same, but it starts to hurt if you want to enforce 10 digits
;-)
> Also, could the last regex be modified to provide a list of allowable
> characters like this:
The regex array will be a $CONF option - you can change it like you want.
Feel free to add proposals that we can ship in config.inc.php as examples
or preconfiguration.
----------------------------------------------------------------------
Comment By: Charles (libertytrek)
Date: 2011-08-24 14:14
Message:
Cool... but how would you specify 'must contain at least n special
characters', where n is greater than one?
Also, could the last regex be modified to provide a list of allowable
characters like this:
/^[a-zA-Z0-9!@#$%^&*();':",.<>[]{}|\-=_+]$/ - may only contain letters and
numbers
?
----------------------------------------------------------------------
Comment By: Christian Boltz (christian_boltz)
Date: 2011-08-24 00:17
Message:
Short update after thinking about this for a loooooong ;-) time:
I'll add a config option with an array of RegExes. This should be flexible
enough to fulfil all wishes, for example:
/......../ - at least 8 chars (could even replace
$CONF[min_password_length], except specifying the required length in the
error message)
/[a-zA-Z]/ - must contain at least one letter
/[0-9]/ - must contain at least one digit
/^[^¿¡]*$/ - must not contain ¿ or ¡
/^[a-zA-Z0-9]$/ - may only contain letters and numbers
I also have thought about a method how to give useful (=
user-understandable) error messages for each rule. More on this when it's
implemented ;-)
----------------------------------------------------------------------
Comment By: amsys (amsys)
Date: 2007-12-17 01:40
Message:
Logged In: YES
user_id=1299438
Originator: NO
Maybe it will be nice to fix that nice red-to-green js password strength
checker ;-)
----------------------------------------------------------------------
Comment By: suprune (suprune)
Date: 2007-10-08 13:53
Message:
Logged In: YES
user_id=1868725
Originator: YES
> Minimum password length is implemented in the latest SVN version
> as config option.
Thanks.
> Checking the password against a RegEx shouldn't be too hard to implement,
> but I'm not sure if we really need it.
I believe the non-ASCII administrators (like me, a Russian speaking man)
would like to prevent their users from setting passwords containing non-ASCII
characters. There are at least 3 different code pages for Russian
characters, and one never knows how the password is encoded when it arrives
to the postfixadmin scripts. Besides, a space (0x20) is not always
convenient as a possible character of a password. A regEx seems to be the
best way to check a password, including a check against minimum and maximum
lengths.
----------------------------------------------------------------------
Comment By: Christian Boltz (christian_boltz)
Date: 2007-10-07 20:49
Message:
Logged In: YES
user_id=593261
Originator: NO
Status:
Minimum password length is implemented in the latest SVN version as config
option.
Checking the password against a RegEx shouldn't be too hard to implement,
but I'm not sure if we really need it.
Usernames always have to be (valid) mail addresses and are already
checked.
----------------------------------------------------------------------
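Added example, not code from PostfixAdmin or from any commenter in this thread: one way the array of regexes discussed in the 2011 comments could be evaluated, with a user-readable message per rule. The option name `password_validation`, the function `check_password_rules()` and the sample passwords are assumptions constructed for illustration.

```php
<?php
// Hypothetical option name and layout, not PostfixAdmin's actual configuration.
// Each key is a PCRE pattern the password must match; the value is the
// message reported when it does not.
$CONF['password_validation'] = array(
    // \z anchors at the very end of the string. A plain $ would also match
    // just before a trailing newline and let "secret\n" through.
    '/^.{8,}\z/s'             => 'must be at least 8 characters long',
    '/[a-zA-Z]/'              => 'must contain at least one letter',
    // The "at least n" form from the thread: one digit followed by anything,
    // repeated 3 times. The s flag lets "." cross newlines.
    '/([0-9].*){3}/s'         => 'must contain at least 3 digits',
    // Same construction for "at least 2 special characters".
    '/([^a-zA-Z0-9].*){2}/s'  => 'must contain at least 2 special characters',
    // Allow-list: the + quantifier makes the class apply to the whole string,
    // not to a single character. 0x21-0x7E excludes the space and every
    // non-ASCII byte, whatever code page the client used.
    '/^[\x21-\x7E]+\z/'       => 'may only contain printable ASCII without spaces',
);

/**
 * Check a password against every rule.
 * Returns the messages of all rules that failed (empty array = accepted).
 */
function check_password_rules($password, array $rules)
{
    $errors = array();
    foreach ($rules as $regex => $message) {
        // preg_match() returns 1 on a match, 0 on no match and false on a
        // regex error; anything other than 1 counts as a failed rule, so a
        // broken pattern rejects the password instead of silently passing it.
        if (preg_match($regex, $password) !== 1) {
            $errors[] = $message;
        }
    }
    return $errors;
}

// Constructed sample passwords, including one with a trailing newline.
$samples = array('abc', 'pass word123', 'Tr1ck9y!7#', "Tr1ck9y!7#\n");
foreach ($samples as $candidate) {
    $errors = check_password_rules($candidate, $CONF['password_validation']);
    echo json_encode($candidate), ': ',
        ($errors ? implode('; ', $errors) : 'ok'), "\n";
}
```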