Check for and warn about passwords that match user's name, alias, or handle

This shouldn't be possible during new user sign-up, but there have been ways to curtail checks and generate user accounts with login names and passwords that are the same sequence of characters, unfortunately.

Check for and warn about passwords that match user's name, alias, or handle
a6aae003 · Rob Swindell · d1de080a · a6aae003
Commit a6aae003 authored 2 years ago by Rob Swindell
--- a/exec/chksetup.js
+++ b/exec/chksetup.js
@@ -104,30 +104,36 @@ var tests = {
 				continue;
 			if(usr.settings & (USER_DELETED|USER_INACTIVE))
 				continue;
-			if(usr.security.password == '') {
+			var password = usr.security.password;
+			if(password == '') {
 				if(!(usr.security.restrictions & UFLAG_G))
 					output.push(format("User #%-4u has no password", usr.number));
 				continue;
 			}
-			if(!password_list[usr.security.password])
-				password_list[usr.security.password] = [];
-			password_list[usr.security.password].push(u);
-			if(usr.security.password.length < system.min_password_length)
+			if(!password_list[password])
+				password_list[password] = [];
+			password_list[password].push(u);
+			if(usr.alias.toLowerCase() == password.toLowerCase()
+				|| usr.name.toLowerCase() == password.toLowerCase()
+				|| usr.handle.toLowerCase() == password.toLowerCase())
+				output.push(format("User #%-4u has an obvious password (their name or alias)"
+					, usr.number));
+			if(password.length < system.min_password_length)
 				output.push(format("User #%-4u has a password length (%u) < the minimum: %u"
 					, usr.number
-					, usr.security.password.length
+					, password.length
 					, system.min_password_length));
 			else if(system.max_password_length 
-				&& usr.security.password.length > system.max_password_length)
+				&& password.length > system.max_password_length)
 				output.push(format("User #%-4u has a password length (%u) > the maximum: %u"
 					, usr.number
-					, usr.security.password.length
+					, password.length
 					, system.max_password_length));
-			if(!system.trashcan("password", usr.security.password))
+			if(!system.trashcan("password", password))
 				continue;
 			output.push(format("User #%-4u has a disallowed password%s"
 				, usr.number
-				, options.verbose ? (': ' + usr.security.password) : ''));
+				, options.verbose ? (': ' + password) : ''));
 		}
 		for(var p in password_list) {
 			if(password_list[p].length > 2)