Check for and warn about passwords that match user's name, alias, or handle

This shouldn't be possible during new user sign-up, but there have been ways to curtail checks and generate user accounts with login names and passwords that are the same sequence of characters, unfortunately.

Check for and warn about passwords that match user's name, alias, or handle
0acc2fc2 · Rob Swindell · 9a0da942 · 0acc2fc2
Commit 0acc2fc2 authored 2 years ago by Rob Swindell
--- a/exec/chksetup.js
+++ b/exec/chksetup.js
@@ -104,30 +104,36 @@ var tests = {
 				continue;
 			if(usr.settings & (USER_DELETED|USER_INACTIVE))
 				continue;
-			if(usr.security.password == '') {
+			var password = usr.security.password;
+			if(password == '') {
 				if(!(usr.security.restrictions & UFLAG_G))
 					output.push(format("User #%-4u has no password", usr.number));
 				continue;
 			}
-			if(!password_list[usr.security.password])
-				password_list[usr.security.password] = [];
-			password_list[usr.security.password].push(u);
-			if(usr.security.password.length < system.min_password_length)
+			if(!password_list[password])
+				password_list[password] = [];
+			password_list[password].push(u);
+			if(usr.alias.toLowerCase() == password.toLowerCase()
+				|| usr.name.toLowerCase() == password.toLowerCase()
+				|| usr.handle.toLowerCase() == password.toLowerCase())
+				output.push(format("User #%-4u has an obvious password (their name or alias)"
+					, usr.number));
+			if(password.length < system.min_password_length)
 				output.push(format("User #%-4u has a password length (%u) < the minimum: %u"
 					, usr.number
-					, usr.security.password.length
+					, password.length
 					, system.min_password_length));
 			else if(system.max_password_length 
-				&& usr.security.password.length > system.max_password_length)
+				&& password.length > system.max_password_length)
 				output.push(format("User #%-4u has a password length (%u) > the maximum: %u"
 					, usr.number
-					, usr.security.password.length
+					, password.length
 					, system.max_password_length));
-			if(!system.trashcan("password", usr.security.password))
+			if(!system.trashcan("password", password))
 				continue;
 			output.push(format("User #%-4u has a disallowed password%s"
 				, usr.number
-				, options.verbose ? (': ' + usr.security.password) : ''));
+				, options.verbose ? (': ' + password) : ''));
 		}
 		for(var p in password_list) {
 			if(password_list[p].length > 2)